[Beowulf] Containers in HPC
Jonathan Aquilina
jaquilina at eagleeyet.net
Thu May 23 05:35:13 PDT 2019
Thanks for the great explanation and clarification. Another question that stems from the below what mechanisms exist in terms of security for the containers to be as secure as a VM?
Regards,
Jonathan
On 23/05/2019, 14:23, "Bill Broadley" <bill at cse.ucdavis.edu> wrote:
On 5/23/19 3:49 AM, Jonathan Aquilina wrote:> Hi Guys,
>
>
>
> Can someone clarify for me are containers another form of virtualized systems?
> Or are they isolated environments running on bare metal?
Generally virtual machines run their own kernel. Typically CPU overhead is
close to zero, but things like network or disk I/O can be heavily impacted. VMs
also typically require carving out a chunk of ram from the host system and
giving it to the guest. So the memory overhead is inflexible, and mostly
static. There are workarounds (like balloon memory drivers), but generally the
memory overhead is high. Virtual machines also boot much like a regular OS, 10s
of seconds to minutes is common.
Containers do not involve a second kernel, but instead use cgroups (or similar
on other platforms) to give a container a chunk of system resources. This makes
it easy to run a container expecting a different set of libraries, file system
layout, accounts, namespace, filesystems, etc to run on the same host. While
you can limit the ram allocated to a container, it only has to consume what it
needs. Cgroups can limit what a container can do, but generally the isolation
is not as good as with a virtual machine. Containers can launch in a small
fraction of a second. One experiment I did ran fedora, rhel, and ubuntu
containers and ran "uname -a" or equivalent in all 3. I was able to launch all
3, get the output, and shut them all down in under 1 second.
The I/O and network overhead of containers is minimal, because you are using the
same kernel. To the host kernel the difference between a container and a
process is minimal.
To further confuse things, often people end up running a collection of
containers in a virtual machine. Kubernetes (and many other platforms) can use
this model. But you can run containers on "bare metal", without using any
virtual machine, just directly on the underlying OS.
Hopefully that helps.
More information about the Beowulf
mailing list