Container-Based OS Virtualization

A Closer Look into OpenVZ's Inner Workings

Now that we have given a clear overview of containers in general, it is time to move on to the more technical stuff, namely figuring out how they do in fact work. As stated before, most of our research into the subject has gone into OpenVZ, but we feel the actual subjects tackled here do a great job of illustrating the challenges faced by any developer of container-based solutions.

To gain a full understanding of how the partitioning of an operating system takes place, it is important to grasp the basics of how an OS operates. Since entire books have been written on that subject alone, and it is mostly outside the scope of this article, we'll direct those new to the subject to page 2 of Johan's article on hypervisors and their inner workings.

For now, it is important to know that in our modern day x86 architecture, there are two modes a process can run in, namely a privileged kernel mode and a user mode. The CPU is able to distinguish between these two modes by each process' assigned memory addresses, where a 2-bit code makes the difference between kernel space addresses and user space addresses. The reason they are called addresses is because each of them points to a specific piece of memory. These pieces are generally called "pages"; they're the smallest unit of memory allocation an operating system can use, and in x86 systems they are usually blocks of 4kB each.

In this picture, we can see the RAM as divided into pages. The memory addresses all have a 2-bit code (11 or 00), so the CPU can tell user and kernel pages apart.

The above description introduces two important factors.

1. Since containers all share the same kernel, kernel mode processes are not isolated but run outside the containers themselves. Therefore, containers are to be used only for isolation of applications running in the user space.
   
2. We raise the issue of memory management. Evidently, a single OS has an elaborate system in place for this, but how is it approached in a partitioned OS? In short, how do we prevent one container from using up all resources needed to support another?

OpenVZ has implemented a system called beancounters to address these factors. In the following pages, we'll have a look at how this and other methods are combined to achieve isolation and efficient resource management.