Resource Constraints can be considered a form of containerment.
In Fedora and RHEL we use cgroups for this, and with the new systemd controls in Fedora and RHEL7, managing cgroups has gotten a lot easier. Out of the box all of your processes are put into a cgroup based on whether they are a user, system service or a Machine (VMs). These processes are grouped at the unit level, meaning two users logged into a system will get and "Fair Share" of the system, even if one user forks off thousands of processes. Similarly if you run an httpd service and a mariadb service, they each get an equal share of the system, meaning that httpd can not fork 1000 process while mariadb only runs three, the httpd 1000 processes can not dominate the machine leaving no memory of cpu for mariadb. Of course you can go into the unit files for httpd or mariadb and add a couple of simple resource constraints to further limit them
to httpd.service unit file
For example will limit the service to only use 500 megabytes to httpd processes.
Some could say I have been working on containers for years since SELinux is a container technology for controlling what a process does on the system. I will talk about SELinux and advanced containers in my next blog.
Process Separation Containment
The last component of containers is Namespaces. The linux kernel implements a few namespaces for process separation. There are currently 6 namespaces.
Namespaces can be used to Isolate processes. They can create a new environment where changes to the process are not reflected in other namespace.
Once set up, namespaces are transparent for processes.
Red Hat Enterprise Linux and Fedora currently support 5 namespace
- ipc namespace allows you to have shared memory, semaphores with only processes within the namespace.
- pid namespace eliminates the view of other processes on the system and restarts pids at pid 1.
- mnt namespace allows processes within the container to mount file systemd over existing files/directories without affecting file systems outside the namespace
- net namespace creates network devices that can have IP Addresses assigned to them, and even configure iptables rules and routing tables
- uts namespace allows you to assign a different hostname to processes within the container. Often useful with the network namespace
User namespace allows you to map real user ids on the host to container uids. For example you can map UID 5000-5100 to 0-100 within the container. This means you could have uid=0 with rights to manipulate other namespaces within the container. You could for example set the IP Address on the network namespaced ethernet device. Outside of the container your process would be treated as a non privileged process. User namespace is fairly young and people are just starting to use it.
I have put together a video showing namespaces in Red Hat Enterprise Linux 7.