Today we are announcing the release of the CentOS 7 operating system in the InfoboxCloud cloud, based on the Red Hat Enterprise Linux 7 package base and fully compatible with it. At the end of the post there is a link to free testing in the cloud.
CentOS 7 is the first release of the OS since the CentOS team joined Red Hat. The OS is stable and ready for enterprise use.
We are starting a review of the new OS, consisting of a series of theoretical and practical articles. The first part of the review covers Linux container support in CentOS 7.
In the cloud, a minimal installation of CentOS 7 is deployed by default, which keeps the attack surface as small as possible. Any other OS components you need are installed from the standard repositories.
CentOS 7 key changes
- Linux container support (including Docker). Containers simplify the development, delivery and isolation of software for test and production workloads. Containerization can also improve security by reducing the attack surface of each application, with the caveat that containers share the host kernel, so their isolation is not equivalent to that of a virtual machine;
- Active Directory / Identity Management (IdM) integration;
- systemd as the standard manager for processes, services, security settings and other resources;
- Built-in profiles and tools for performance tuning and simple scaling;
- The OpenLMI unified management tools and framework, intended as a standard way of administering and configuring the system;
- A technology preview of kpatch, for applying kernel updates without a reboot.
Linux container support
Docker has certainly taken off, making plenty of noise in the blogosphere and on social networks. In many areas, containers are actively used to isolate applications from each other and from the outside environment, and as a means of delivering and deploying software.
In InfoboxCloud, container virtualization has been used for several years as one of the virtualization options: it is faster and more economical than hypervisor-based virtualization. The standard InfoboxCloud functionality lets you quickly create containers with the required OS from the control panel. Using containers inside an InfoboxCloud virtual machine (the "Allow OS kernel control" flag when creating a server in the cloud) brings new possibilities:
- While retaining control over the OS kernel, you can isolate applications from each other: if one application fails, the rest of the system remains stable.
- Developers want to ship software that is easy to deploy, update and scale. Containers give more control over the software's execution environment: it becomes possible to build a portable image of the software together with its environment, which can easily be moved between execution environments.
Main features of Linux containers:
- Resource management;
- Process isolation;
- Security;
- Management tools from the command line.
In the context of Linux containers, resource management is organized through cgroups (control groups). Cgroups let a user allocate resources such as CPU time, system memory, network bandwidth, block I/O, or any combination of these, to a user-defined group of tasks or processes running on the system. Users can monitor any configured cgroup, deny a cgroup access to certain resources, or even reconfigure cgroups dynamically on a running system. With cgroups, system administrators have fine-grained control over the allocation, prioritization, limiting, management and monitoring of system resources. Hardware resources (or hypervisor resources) can be divided between tasks and users, often increasing the overall efficiency of the system. Cgroups are not a new concept: they were already available in CentOS 6. CentOS 7 improves cgroup management through systemd, the system and service manager, which places every service, scope and user session in a cgroup of its own.
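To see what the cgroup machinery above actually looks like from inside a process, here is an added example (not code from the original post, nor from Red Hat or the CentOS project). It parses the cgroup v1 layout that CentOS 7 uses (/proc/<pid>/cgroup and /sys/fs/cgroup/<controller>/...) and derives the effective CPU and memory limits. The sample /proc/<pid>/cgroup text and the scope name run-1234.scope are constructed for illustration; the unlimited-memory sentinel value differs between kernel versions, so the code only assumes it is astronomically large.

```python
"""Which cgroups is a process in, and what limits do they impose?  (cgroup v1)

Added example, not code from the original post or from Red Hat/CentOS.
The constructed SAMPLE_PROC_CGROUP mimics a process placed in a transient
systemd scope on a CentOS 7 host; the live helpers read the real /proc.
"""
import os

# Constructed sample of /proc/<pid>/cgroup: 'hierarchy-id:controllers:path'.
SAMPLE_PROC_CGROUP = """\
11:memory:/system.slice/run-1234.scope
10:cpu,cpuacct:/system.slice/run-1234.scope
9:devices:/system.slice/run-1234.scope
8:pids:/system.slice/run-1234.scope
1:name=systemd:/system.slice/run-1234.scope
"""

CGROUP_ROOT = "/sys/fs/cgroup"          # v1 mount point used by CentOS 7
# memory.limit_in_bytes reads as LLONG_MAX (3.10 kernels) or a slightly
# smaller page-rounded value on newer kernels when no limit is set; anything
# at or above 2**62 is treated as "unlimited" (assumption stated in the lead-in).
V1_UNLIMITED_MIN = 1 << 62


def parse_proc_cgroup(text):
    """Map each controller name to the cgroup path the process belongs to."""
    mapping = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        _hier_id, controllers, path = line.split(":", 2)
        for ctrl in controllers.split(","):
            mapping[ctrl] = path
    return mapping


def controller_file(mapping, controller, filename):
    """Absolute path of an attribute file for the process's cgroup in <controller>."""
    return os.path.join(CGROUP_ROOT, controller, mapping[controller].lstrip("/"), filename)


def cpu_limit_from_cfs(quota_us, period_us):
    """CPU cores granted by cpu.cfs_quota_us / cpu.cfs_period_us; None if quota is -1."""
    if quota_us < 0:
        return None
    return float(quota_us) / period_us


def memory_limit_bytes(raw):
    """Parsed memory.limit_in_bytes, or None when it holds the 'no limit' sentinel."""
    value = int(raw.strip())
    return None if value >= V1_UNLIMITED_MIN else value


def read_int(path, default=None):
    try:
        with open(path) as f:
            return int(f.read().strip())
    except (OSError, IOError, ValueError):
        return default


def effective_limits(pid="self"):
    """Live query: limits applying to <pid> on this host ({} if not cgroup v1)."""
    try:
        with open("/proc/{}/cgroup".format(pid)) as f:
            mapping = parse_proc_cgroup(f.read())
    except (OSError, IOError):
        return {}
    limits = {}
    if "memory" in mapping:
        raw = read_int(controller_file(mapping, "memory", "memory.limit_in_bytes"))
        limits["memory_bytes"] = None if raw is None else memory_limit_bytes(str(raw))
    if "cpu" in mapping:
        quota = read_int(controller_file(mapping, "cpu", "cpu.cfs_quota_us"), -1)
        period = read_int(controller_file(mapping, "cpu", "cpu.cfs_period_us"), 100000)
        limits["cpu_cores"] = cpu_limit_from_cfs(quota, period)
    return limits


if __name__ == "__main__":
    m = parse_proc_cgroup(SAMPLE_PROC_CGROUP)
    print(m["memory"], controller_file(m, "memory", "memory.limit_in_bytes"))
    print(effective_limits())
```

On a CentOS 7 host, a scope like the one in the sample is what `systemd-run --scope -p CPUQuota=50% -p MemoryLimit=256M <command>` creates; running the script from inside such a command would report cpu_cores 0.5 and memory_bytes 268435456. On a cgroup v2 host the live query returns an empty dict, because the controller names in /proc/<pid>/cgroup are absent there.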
Process isolation, the heart of the Linux container architecture, is provided by the kernel's namespaces.
Linux currently implements six different types of namespace. The goal of each is to wrap a global system resource in an abstraction: each resource is presented to the processes inside a namespace as an isolated instance, which gives that group of processes the illusion that they are alone on the system. Namespaces are needed because the Linux kernel has no notion of a container; a container is simply a group of processes placed in their own set of namespaces, and the namespaces are what give the kernel the concept of an isolated environment.
CentOS 7 implements the following namespaces:
- The PID namespace isolates process identifiers, allowing processes in different PID namespaces to have the same PID. One of the main advantages of PID namespaces is that a container can be migrated between hosts while keeping the same process identifiers inside the container. The PID namespace also lets each container have its own init process, which handles system initialization tasks and manages the container's life cycle.
- Network namespaces isolate network interfaces, network-related system resources, firewall rules and routing tables. Network namespaces give each container its own virtual network stack, associated with a group of processes. Each namespace has its own loopback device. Virtual or physical devices can be added to a network namespace and assigned IP addresses, so that the namespace acts as a separate network node.
- UTS namespaces isolate two system identifiers, nodename and domainname, returned by the uname() system call. UTS namespaces let each container have its own hostname and NIS domain name, which is useful for initialization and configuration scripts that act based on these names.
- Mount namespaces isolate the set of file system mount points seen by a group of processes: processes in different mount namespaces can have different views of the file system hierarchy, and this is how per-container (for example, read-only) file system views are created. With mount namespaces, the mount() and umount() system calls no longer operate on a global set of mount points visible to every process on the system; they act only within the mount namespace of the calling process.
- IPC namespaces isolate certain interprocess communication (IPC) resources, namely System V IPC objects and POSIX message queues. Each IPC namespace has its own set of System V IPC identifiers and its own POSIX message queue file system.
- User namespaces isolate user and group identifiers, so that a process's user and group IDs can differ inside and outside the user namespace. The most interesting case is a process that has an ordinary unprivileged ID outside the user namespace but user ID 0 inside it: the process then has full root privileges for operations inside the namespace, but is unprivileged for operations outside it.
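The namespace list above is abstract, so here is an added example (not code from the original post, nor from Red Hat or the CentOS project) of the two checks a practitioner actually runs: comparing a process's /proc/<pid>/ns/* links with those of PID 1 to see which namespace types separate it from the host (the usual "am I in a container?" test), and translating a UID through /proc/<pid>/uid_map to show what "root inside, unprivileged outside" means numerically. The namespace inode numbers and the uid_map line are constructed; reading PID 1's namespace links on a real host requires root.

```python
"""Namespace membership and user-namespace ID mapping, as exposed via /proc.

Added example, not code from the original post or from Red Hat/CentOS.
HOST_INIT_NS / CONTAINER_NS are constructed readlink() results for
/proc/<pid>/ns/*; SAMPLE_UID_MAP is a constructed /proc/<pid>/uid_map.
"""
import os

# Constructed: namespace links of the host's PID 1 and of a containerized
# process that shares only the user namespace with the host.
HOST_INIT_NS = {
    "ipc": "ipc:[4026531839]", "mnt": "mnt:[4026531840]", "net": "net:[4026531956]",
    "pid": "pid:[4026531836]", "user": "user:[4026531837]", "uts": "uts:[4026531838]",
}
CONTAINER_NS = {
    "ipc": "ipc:[4026532301]", "mnt": "mnt:[4026532299]", "net": "net:[4026532304]",
    "pid": "pid:[4026532302]", "user": "user:[4026531837]", "uts": "uts:[4026532300]",
}
# Constructed uid_map: "inside_start outside_start length" -> uids 0..999 inside
# the user namespace are uids 100000..100999 on the host.
SAMPLE_UID_MAP = "         0     100000       1000\n"


def live_ns_ids(pid="self"):
    """readlink() every /proc/<pid>/ns/* entry we are allowed to read."""
    d = "/proc/{}/ns".format(pid)
    ids = {}
    try:
        names = os.listdir(d)
    except OSError:
        return ids
    for name in names:
        try:
            ids[name] = os.readlink(os.path.join(d, name))
        except OSError:            # EACCES for another user's process
            pass
    return ids


def ns_inode(link):
    """'uts:[4026531838]' -> 4026531838; equal inodes mean the same namespace instance."""
    return int(link[link.index("[") + 1:link.rindex("]")])


def differing_namespaces(a, b):
    """Namespace types present in both maps whose instances differ."""
    return sorted(n for n in a if n in b and ns_inode(a[n]) != ns_inode(b[n]))


def parse_id_map(text):
    """Parse uid_map/gid_map into (inside_start, outside_start, length) rows."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            rows.append(tuple(int(p) for p in parts))
    return rows


def map_inside_to_outside(id_map, inside_id):
    """Host ID for an ID seen inside the user namespace; None if unmapped (nobody)."""
    for inside_start, outside_start, length in id_map:
        if inside_start <= inside_id < inside_start + length:
            return outside_start + (inside_id - inside_start)
    return None


def in_container_namespaces(pid="self"):
    """Live check: namespace types separating <pid> from PID 1.

    Empty on a plain host, and also empty when PID 1's links are unreadable
    (non-root), so treat an empty result as 'no evidence', not 'not a container'.
    """
    return differing_namespaces(live_ns_ids(pid), live_ns_ids(1))


if __name__ == "__main__":
    print(differing_namespaces(CONTAINER_NS, HOST_INIT_NS))
    print(map_inside_to_outside(parse_id_map(SAMPLE_UID_MAP), 0))
    print(in_container_namespaces())
```

The uid_map translation is the concrete meaning of the last bullet: a process that is uid 0 inside the sample namespace is uid 100000 on the host, and an inside uid of 1000 or more has no host identity at all and appears as the overflow user (nobody).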
For security, SELinux is also used. Like cgroups, it is not new: it has been present since CentOS 4. SELinux applies security labels and policies to Linux containers and their resources, adding a layer of mandatory access control on top of the isolation provided by kernel namespaces.
The Red Hat team (you know who really developed all of this) started working on Docker from version 0.7. Red Hat's contribution was a new storage driver, which allowed Docker to run on CentOS 7. As the cooperation continued, a new built-in execution driver based on libcontainer was developed; it accesses the kernel's container APIs directly, without third-party dependencies. This native toolkit can manage kernel features such as cgroups, namespaces, network interfaces, firewalling and others. Thanks to Red Hat, Docker on CentOS 7 is now ready for enterprise use.
Thus, Linux containers are an important open source technology for packaging and delivering applications, combining lightweight isolation with the flexibility of image-based deployment.
Sources used in the preparation of the article:
Red Hat Knowledge Base
Red Hat official blog
CentOS Official Blog
Especially for our readers, we have provided the opportunity to try CentOS 7 in the InfoboxCloud cloud. Register for a 15-day trial via this link. If you need more resources for testing than the trial provides, write to trukhinyuri@infoboxcloud.com
Enjoy CentOS 7! To be continued.