Installing RHEL8 on Hyper-V and a brief look at Container Runtimes


2020-04-05

Installing RHEL8 on Hyper-V

To get a more thorough understanding of podman/buildah/skopeo/runc, the container toolset Red Hat uses in place of the Docker container engine, I decided to install RHEL8 on the Windows Hyper-V of my machine. The company-issued Win10 can't join the Windows Insider program, so WSL2 is not an option for now, and a VM is currently the only way to get a complete Linux system. I also have a machine running Ubuntu on which podman and the other tools could be installed, but RHEL8 is a freshly released version that ships podman/buildah/skopeo/runc by default, so I thought it worth installing one to study.

installation guide

BUILDING, RUNNING, AND MANAGING CONTAINERS ON RHEL8

Two sentences quoted from it:

they are especially suited to run directly on Red Hat Enterprise Linux, in single-node use cases
Instead of relying on the single-node, daemonless tools described in this document, OpenShift requires a daemon-based container engine. Please see Using the CRI-O Container Engine for details.

So for building, running and managing containers, Red Hat's answer is the single-node combination of podman/buildah/skopeo/runc, and for clusters it is OpenShift together with the CRI-O engine OpenShift uses. runc, the low-level container runtime, is present in both cases: CRI-O does not create containers itself but delegates that to an OCI-compliant low-level runtime, runc by default. runc is the runtime Docker spun out of its own engine and open-sourced (it was later donated to the OCI), so Docker's contribution here is considerable.

A brief look at Container Runtimes

Article 1: Architecting Containers Part 2: Why the User Space Matters

This article is the sequel to the one introduced yesterday, and it compares VMs and containers in principle and in practice in some detail.

A virtual machine is a convenient way of packaging up virtual hardware, a kernel, and a user space. A container, on the other hand, packages up only the user space; there is no kernel or virtual hardware.

Figure: Virtual Machines vs. Containers

I think this sentence sums it up very accurately and professionally. A container has no kernel of its own; the kernel is what gets abstracted away, and that is why containers can be so lightweight, with moderate image sizes and fast startup. The diagram is also apt: virtualization and containerization are built from the same overall components, but they differ in what is abstracted. Virtualization abstracts the hardware (the hypervisor), whereas containerization abstracts the hardware plus the operating system (hypervisor plus kernel space), with every container on a host sharing that host's kernel. So the container runtime should be what runs and manages containers on top of that abstracted kernel space? Let's see whether the next article gives an answer.

Also, OpenShift can be deployed on bare-metal hosts as well as in cloud environments, i.e. on VMs. When it is deployed on VMs, shouldn't the diagram above be redrawn like this? Seen that way, it becomes easier to understand why OpenShift 4 swaps the OS for CoreOS (RHEL CoreOS) and replaces the Docker engine with CRI-O: the aim is to bring virtualization and containerization entirely under Red Hat's control, so that the whole product line can be developed and upgraded at Red Hat's own pace.

Figure: virtualization, containerization, OpenShift 4

When a container is first instantiated, the user space of the container host makes system calls into the kernel to create special data structures in the kernel ( cgroups, svirt, namespaces).

cgroups, sVirt (SELinux labelling of container processes and files, enforced by the kernel's SELinux module) and namespaces are all Linux kernel features, and they are the operating-system primitives that containers depend on, which explains why the container world is a Linux world. It also fixes the security boundary: every container on a host runs on that host's one kernel, so these kernel structures are all that separates containers from each other and from the host, and a kernel bug reachable from inside a container is a potential escape.
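As an added example of the system calls that sentence describes (my own code, not from the article or from Red Hat's tools), here is a Go program that asks the kernel for new user, PID, UTS and mount namespaces for a child process, maps the caller's uid/gid to root inside the new user namespace, and runs a shell there. This is the same clone(2) request a low-level runtime such as runc makes before it goes on to set up the rootfs, cgroups, SELinux label and seccomp filter, none of which are shown. It assumes a Linux host with /bin/sh and readlink; on a host that forbids unprivileged user namespaces (a seccomp profile, or the relevant sysctl) the kernel answers EPERM, and the helper reports that instead of failing.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"os"
	"os/exec"
	"strings"
	"syscall"
)

// NSResult is what the child reported back, or why the kernel refused.
type NSResult struct {
	Output string // trimmed stdout+stderr of the child
	Err    error  // nil on success
}

// RunInNamespaces runs argv in fresh user, PID, UTS and mount namespaces.
// The caller's uid/gid is mapped to 0 inside, so the child is "root" only
// within the new user namespace. This is the kernel-side step a low-level
// runtime performs; rootfs, cgroups and seccomp are deliberately left out.
func RunInNamespaces(argv ...string) NSResult {
	cmd := exec.Command(argv[0], argv[1:]...)
	cmd.SysProcAttr = &syscall.SysProcAttr{
		Cloneflags: syscall.CLONE_NEWUSER | syscall.CLONE_NEWPID |
			syscall.CLONE_NEWUTS | syscall.CLONE_NEWNS,
		// Go writes /proc/<pid>/uid_map, setgroups=deny and gid_map for us.
		UidMappings: []syscall.SysProcIDMap{{ContainerID: 0, HostID: os.Getuid(), Size: 1}},
		GidMappings: []syscall.SysProcIDMap{{ContainerID: 0, HostID: os.Getgid(), Size: 1}},
	}
	var out bytes.Buffer
	cmd.Stdout, cmd.Stderr = &out, &out
	err := cmd.Run()
	return NSResult{Output: strings.TrimSpace(out.String()), Err: err}
}

// NamespaceDenied tells a kernel or sandbox refusal (EPERM from a seccomp
// profile or from unprivileged user namespaces being disabled, EINVAL on a
// kernel built without a namespace type) apart from a genuine bug in the child.
func NamespaceDenied(err error) bool {
	var errno syscall.Errno
	if !errors.As(err, &errno) {
		return false
	}
	switch errno {
	case syscall.EPERM, syscall.EACCES, syscall.EINVAL, syscall.ENOSYS:
		return true
	}
	return false
}

// NsInode returns the inode of /proc/self/ns/<kind> ("pid", "uts", ...).
// Two processes are in the same namespace exactly when these inodes match.
func NsInode(kind string) (uint64, error) {
	fi, err := os.Stat("/proc/self/ns/" + kind)
	if err != nil {
		return 0, err
	}
	return fi.Sys().(*syscall.Stat_t).Ino, nil
}

func main() {
	// Inside a new PID namespace the first process is pid 1, and readlink
	// shows a pid-namespace inode different from the one the parent sees.
	r := RunInNamespaces("/bin/sh", "-c",
		"echo pid=$$; echo ns=$(readlink /proc/self/ns/pid)")
	parent, _ := NsInode("pid")
	fmt.Printf("parent pid ns inode: %d\n", parent)
	switch {
	case r.Err == nil:
		fmt.Println(r.Output)
	case NamespaceDenied(r.Err):
		fmt.Println("kernel refused namespace creation:", r.Err)
	default:
		fmt.Println("child failed:", r.Err, r.Output)
	}
}
```

The child prints pid=1 because it is the first process in its new PID namespace, and its ns= value differs from the parent's inode. Everything else runc does (pivot_root into the image's rootfs, joining cgroups, applying the seccomp and SELinux policy) is layered on top of exactly this kernel request.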

The user space matters because it is the focus of most developers and architects. Whether developing Ruby on Rails applications, Java, or PHP PECL modules that require underlying C libraries - containers are a convenient way of packing up and shipping around an application and all of its user space dependencies. The user space also matters because this is what provides all of the tooling to interact with container images, to build new images, and to instantiate new containers.
Whether developing and deploying traditional applications or a modern microservices architecture, focusing on the container image (user space) as the currency for collaboration grants everyone from developers and systems administrators to architects and release engineers more flexibility and the ability to be more efficient.

This summary is well put too, especially the point that user space also includes the tooling used to interact with containers, which must be an important part of what a container runtime is. The freedom to choose an operating system is given up: everything is abstracted onto the Linux kernel through cgroups and namespaces, and in return you get more flexibility and efficiency. For example, all that matters is that Tomcat starts; whether the host is a Linux box or a Windows machine running Docker Desktop (which supplies a Linux kernel inside a VM) makes no difference to the image.

Article 2: Container Runtimes Part 1: An Introduction to Container Runtimes

This article is the first of another series on container runtimes. Apparently container runtimes really are complicated, so complicated that one article is not enough to explain them.

Figure: container runtimes
So for practical purposes, actual container runtimes that focus on just running containers are usually referred to as "low-level container runtimes". Runtimes that support more high-level features, like image management and gRPC/Web APIs, are usually referred to as "high-level container tools", "high-level container runtimes" or usually just "container runtimes". I'll refer to them as "high-level container runtimes". It's important to note that low-level runtimes and high-level runtimes are fundamentally different things that solve different problems.

The complexity, then, comes from the term container runtime being broad and covering many products: things all called container runtimes can do very different jobs, which muddles both the concept and the conversation. A low-level runtime is mainly responsible for setting up cgroups and namespaces and running the container; a high-level runtime mainly provides the tooling developers use to operate on containers and images, and it relies on a low-level runtime for the actual execution, just as CRI-O relies on runc. The Docker Desktop we normally use bundles all the low-level and high-level parts into one product (internally the Docker engine is layered too: dockerd calls containerd, which invokes runc), whereas RHEL8 and OpenShift take the more flexible approach of separate components.
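To make that hand-off concrete, here is an added example of my own (not code from the article, runc or CRI-O): a trimmed Go model of the OCI runtime-spec config.json that a high-level runtime writes into a bundle directory after unpacking the image, and that a low-level runtime such as runc reads before making the kernel calls, plus a small lint that flags the settings a security reviewer checks first. The struct is a hand-copied subset of the real github.com/opencontainers/runtime-spec types; the lint rules, the example capability list, uid 1000 and the rootfs path "rootfs" are my own choices.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Trimmed subset of the OCI runtime spec (config.json). The real types live in
// github.com/opencontainers/runtime-spec/specs-go; only fields the lint reads are kept.
type Spec struct {
	OCIVersion string  `json:"ociVersion"`
	Process    Process `json:"process"`
	Root       Root    `json:"root"`
	Linux      Linux   `json:"linux"`
}

type Process struct {
	Args            []string `json:"args"`
	Cwd             string   `json:"cwd"`
	User            User     `json:"user"`
	Capabilities    *Caps    `json:"capabilities,omitempty"`
	NoNewPrivileges bool     `json:"noNewPrivileges"`
}

type User struct {
	UID uint32 `json:"uid"`
	GID uint32 `json:"gid"`
}

// Caps carries only the bounding set here; the real spec also has the
// effective, permitted, inheritable and ambient sets.
type Caps struct {
	Bounding []string `json:"bounding"`
}

type Root struct {
	Path     string `json:"path"`
	Readonly bool   `json:"readonly"`
}

type Linux struct {
	Namespaces []Namespace `json:"namespaces"`
	Seccomp    *Seccomp    `json:"seccomp,omitempty"`
}

type Namespace struct {
	Type string `json:"type"` // pid, mount, uts, ipc, network, user, cgroup
}

type Seccomp struct {
	DefaultAction string `json:"defaultAction"` // e.g. SCMP_ACT_ERRNO
}

// MinimalSpec is what a high-level runtime hands down once the image is
// unpacked: the rootfs, the process to exec, and the kernel isolation it wants
// the low-level runtime to request (compare the output of `runc spec`).
func MinimalSpec(rootfs string, args ...string) *Spec {
	return &Spec{
		OCIVersion: "1.0.2",
		Process: Process{
			Args: args, Cwd: "/", User: User{UID: 1000, GID: 1000},
			Capabilities:    &Caps{Bounding: []string{"CAP_CHOWN", "CAP_NET_BIND_SERVICE"}},
			NoNewPrivileges: true,
		},
		Root: Root{Path: rootfs, Readonly: true},
		Linux: Linux{
			Namespaces: []Namespace{{Type: "pid"}, {Type: "mount"}, {Type: "uts"}, {Type: "ipc"}, {Type: "network"}},
			Seccomp:    &Seccomp{DefaultAction: "SCMP_ACT_ERRNO"},
		},
	}
}

// ParseSpec reads a bundle's config.json back into the model.
func ParseSpec(b []byte) (*Spec, error) {
	var s Spec
	if err := json.Unmarshal(b, &s); err != nil {
		return nil, err
	}
	return &s, nil
}

// Lint lists what a reviewer checks before letting a bundle run: namespaces
// the kernel was never asked for, a capability that makes escapes easy,
// privilege escalation left open, no seccomp filter, root without a user namespace.
func Lint(s *Spec) []string {
	var out []string
	have := map[string]bool{}
	for _, ns := range s.Linux.Namespaces {
		have[ns.Type] = true
	}
	for _, want := range []string{"pid", "mount", "network"} {
		if !have[want] {
			out = append(out, "missing "+want+" namespace: shares the host's")
		}
	}
	if c := s.Process.Capabilities; c != nil {
		for _, name := range c.Bounding {
			if name == "CAP_SYS_ADMIN" {
				out = append(out, "CAP_SYS_ADMIN in bounding set")
			}
		}
	}
	if !s.Process.NoNewPrivileges {
		out = append(out, "noNewPrivileges=false: setuid binaries can regain privilege")
	}
	if s.Linux.Seccomp == nil {
		out = append(out, "no seccomp profile: full syscall surface exposed")
	}
	if s.Process.User.UID == 0 && !have["user"] {
		out = append(out, "uid 0 without a user namespace: container root is the host's uid 0")
	}
	return out
}

func main() {
	spec := MinimalSpec("rootfs", "/bin/sh")
	b, _ := json.MarshalIndent(spec, "", "  ")
	fmt.Println(string(b))
	fmt.Println("findings:", Lint(spec))
}
```

The split the article describes is visible in the data: image pulling, layer unpacking and the CLI live above this file, and everything below it (the clone flags, cgroup membership, capability bounding set, seccomp filter) is the low-level runtime turning these fields into kernel calls. Linting the bundle is therefore the last point at which a high-level tool can refuse a container before the kernel is involved.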
