Jörg Schad - NO ONE PUTS Java IN THE CONTAINER - Codemotion Milan 2017

Nobody* puts Java in a Container
@joerg_schad, Mesosphere

What is this about?

Jörg Schad
Distributed Systems Engineer,
Mesosphere
@joerg_schad

! Datacenter-wide services to power your apps
! Turnkey installation and lifecycle management
DC/OS Universe
DC/OS
Any Infrastructure
! Container operations & big data operations
! Security, fault tolerance & high availability
! Open Source (ASL2.0)
! Based on Apache Mesos
! Production proven at scale
! Requires only a modern linux distro  
(windows coming soon)
! Hybrid Datacenter
Why do I care?
Datacenter Operating System (DC/OS)
Distributed Systems Kernel (Mesos)
Big Data + Analytics EnginesMicroservices ( containers)
Streaming
Batch
Machine Learning
Analytics
Functions
& Logic Search
Time Series
SQL / NoSQL
Databases
Modern App Components
Any Infrastructure (Physical, Virtual, Cloud)

Write Once Run Any Where

Virtual Machines vs Container
Server
Host Os
Hypervisor
Guest Os
Bins/Libs
Application
Guest Os
Bins/Libs
Application 2
Server
Host Os
DockerEngine
Bins/Libs Bins/Libs
Application Application 2
Virtual Machine Container

Virtual Machines vs Container
Server
Host Os
Hypervisor
Guest Os
Bins/Libs
Application
Guest Os
Bins/Libs
Application 2
Server
Host Os
DockerEngine
Bins/Libs Bins/Libs
Application Application 2
! Weaker isolation in
container
! Container run near-native
speed CPU/IO
! Container launch in around
0.1 second (libcontainer)
! Less storage and memory
overhead
Virtual Machine Container

$ ps faux
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.0 0.2 33636 2960 ? Ss Oct17 0:00 /sbin/init
...
root 12972 0.0 3.9 757236 40704 ? Ssl 01:55 0:18 /usr/bin/dockerd --raw-logs
root 12981 0.0 0.9 299096 9384 ? Ssl 01:55 0:01 _ docker-containerd -l unix:///var/run/docker/libcontainerd/docker-
root 13850 0.0 0.4 199036 4180 ? Sl 01:58 0:00 _ docker-containerd-shim 2f86cbc34/var/run/docker/l
root 13867 0.0 0.2 31752 2884 ? Ss 01:58 0:00 | _ nginx: master process nginx -g daemon off;
sshd 13889 0.0 0.1 32144 1664 ? S 01:58 0:00 | _ nginx: worker process
root 17642 0.0 0.4 199036 4188 ? Sl 11:54 0:00 _ docker-containerd-shim /var/run/docker/l
root 17661 99.2 0.0 1172 4 ? Rs 11:54 23:37 | _ md5sum /dev/urandom
root 18340 0.0 0.4 199036 4144 ? Sl 12:16 0:00 _ docker-containerd-shim 4121c64749262112b /var/run/docker/l
vagrant 18353 0.0 0.0 1164 4 ? Ss 12:16 0:00 _ sleep 1000
docker run -d nginx:1.10

Container …
!=
• container runtime* != container image != container instance
• beyond docker runtime
• Universal Container Runtime
• supports docker images
• CRI{-o}
•…

Container …
{
"id": "/springboot-demo",
"cmd": "$JAVA_HOME/bin/java -jar MyApp.jar",
"instances": 1,
"fetch": [
{
"uri": "http://…/MyApp.jar",
},
{
"uri": "https://.../jre-8u121-linux-x64.tar.gz",
}
],

Isolation

(LINUX) KERNEL
LAYER FS
CGROUPS NAMESPACES
LIBCONTAINER
DOCKER

Namespaces provide isolated views:
• pid (processes)
• net (network interfaces, routing...)
• ipc (System V IPC)
• mnt (mount points, filesystems)
• uts (hostname)
• user (UIDs)
Control groups control resources:
• cpu (CPU shares)
• cpuacct
• cpuset (limit processes to a CPU)
• memory (swap, dirty pages)
• blkio (throttle reads/writes)
• devices
• net_cls, net_prio: control packet class and
priority
• freezer
Namespaces VS. Cgroups

Control Groups

Control groups (v1)
• /sys/fs/cgroup
• Each subsystem (memory, CPU...) has a
hierarchy (tree)
• Each process belongs to exactly 1 node in
each hierarchy
• Each hierarchy starts with 1 node (the root)
• Each node = group of processes (sharing the
same resources)
cgroups V2

Memory cgroup: limits
docker run -it --rm -m 128m fedora bash
•Each group can have hard and soft limits
•Soft limits are not enforced
•Hard limits will trigger a per-group OOM killer
•No OutOfMemoryError
•Limits can be set for physical, kernel, total memory

Cpu cgroup
• Simple Accounting
• Metrics: cpuacct.stats user | system
• Limitations
• CPU Shares
• CPU Sets

CPU Shares
docker run -it --rm -c 512 stress …
• Priority Weighting across all the cores
• default 1024
• Use CFS for hard limit
sudo cgcreate -g cpu:A
sudo cgcreate -g cpu:B
cgroup A: sudo cgset -r cpu.shares=768 A 75%
cgroup B: sudo cgset -r cpu.shares=256 B 25%

CPU Sets
docker run -it -cpuset=0,4,6 stress
• Pin groups to specific CPU(s)
• Reserve CPUs for specific apps
• Avoid processes bouncing between CPUs
• Also relevant for NUMA systems

Namespaces

Namespaces
• Provide container (= process groups) with their
own view of the system
• Multiple namespaces:
– pid, net, mnt, uts, ipc, user
• Each process is in one namespace of each type

Pid namespace
• Processes within a PID namespace only see processes in the
same PID namespace
• Each PID namespace has its own numbering (starting at 1)
• When PID 1 goes away, the whole namespace is killed
ps aux
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.0 0.1 106628 31480 ? Ss 09:00 0:00 /opt/mesosphere/active/mesos/libexec/mesos/mesos-containerizer launch
root 6 0.0 0.2 776872 37712 ? Sl 09:00 0:01 mesos-executor --launcher_dir=/opt/mesosphere/active/mesos/libexec/mesos --
sandbox_directory=/m
root 16 0.0 0.0 4512 792 ? Ss 09:00 0:00 sh -c sleep 100000
root 17 0.0 0.0 4384 664 ? S 09:00 0:00 sleep 100000
root 264 0.2 0.1 106492 31016 ? Ss 09:32 0:00 /opt/mesosphere/active/mesos/libexec/mesos/mesos-containerizer launch
root 265 0.0 0.0 18240 3316 ? S 09:32 0:00 /bin/bash
root 276 0.0 0.0 34428 2872 ? R+ 09:33 0:00 ps aux

Lets Talk Java

Java
Java Language + Java Specification + Java Runtime

Java Memory Impact
• Native JRE
• Heap
• Perm / meta
• JIT bytecode
• JNI
• NIO
• Threads
2* Heap

From Perm to Metaspace

JRE default initializations
• Based on core count*
• JIT compiler threads
• HotSpot thresholds and optimizations
• Default # threads for GC
• Number of thread in the common fork-join pool
• …

Bring it together!

Java meets Container
• Development
• Java App packaged in a container

Java meets Container
• Development
• Java App packaged in a container
• Production
• 10 JVM container on a 32 core box
– 10 * (32 cores are seen by each JRE)
– 10 * (32 threads set by default for ForkJoinPool)
– 10 * (32 threads ….)

Java meets Cgroups
https://cloakable.irdeto.com/2017/08/24/java-is-a-first-class-citizen-in-a-docker-ecosystem-now/

Where Java retrieve the core count?
• JDK 7/8 - resources from sysconf
sysconf(_SC_NPROCESSORS_ONLN);
• JDK 9 - sched_getaffinity
–accounts for cpusets

Java with CPU Set
docker run -ti --cpuset=0,4,6 …
• CPUSET
–pin to specific CPUs
• Runtime.getRuntime().availableProcessors(); ==
# cores assigned*

Java with CPU Share
docker run -ti -c 512 …
• CPU Share
–Priority Weighting across all the cores
–Runtime.getRuntime().availableProcessors(); ==
# cores on node

How about memory?
• /proc/meminfo
• /proc/vmstat
• /proc/PID/smaps

But… Java 9

Java 9
• CPU
• Considers CPU sets
• Not aware of CPU shares…
• Memory
• -XX:+UseCGroupMemoryLimitForHeap
• -XX:+UnlockExperimentalVMOptions

The two sides of container…
Kirk Pepperdine
• “The good thing about docker containers (and some
other like containers) is that they don’t hide the
underlying hardware from processes like VM
technology does.”
• “The bad thing about docker containers (and some other
like containers) is that they don’t hide the underlying
hardware from processes like VM technology does.”

Thank You!
Learn more by visiting dcos.io and mesosphere.com
P.S.
https://developers.redhat.com/blog/2017/04/04/openjdk-and-containers/

Jörg Schad - NO ONE PUTS Java IN THE CONTAINER - Codemotion Milan 2017

More Related Content

What's hot (20)

Viewers also liked (20)

Similar to Jörg Schad - NO ONE PUTS Java IN THE CONTAINER - Codemotion Milan 2017 (20)

More from Codemotion (20)

Recently uploaded (20)

Jörg Schad - NO ONE PUTS Java IN THE CONTAINER - Codemotion Milan 2017