Saturday, May 30, 2015

The Relativity of Wrong By Isaac Asimov

I RECEIVED a letter the other day. It was handwritten in crabbed penmanship so that it was very difficult to read. Nevertheless, I tried to make it out just in case it might prove to be important. In the first sentence, the writer told me he was majoring in English literature, but felt he needed to teach me science. (I sighed a bit, for I knew very few English Lit majors who are equipped to teach me science, but I am very aware of the vast state of my ignorance and I am prepared to learn as much as I can from anyone, so I read on.)

It seemed that in one of my innumerable essays, I had expressed a certain gladness at living in a century in which we finally got the basis of the universe straight.

I didn't go into detail in the matter, but what I meant was that we now know the basic rules governing the universe, together with the gravitational interrelationships of its gross components, as shown in the theory of relativity worked out between 1905 and 1916. We also know the basic rules governing the subatomic particles and their interrelationships, since these are very neatly described by the quantum theory worked out between 1900 and 1930. What's more, we have found that the galaxies and clusters of galaxies are the basic units of the physical universe, as discovered between 1920 and 1930.

These are all twentieth-century discoveries, you see.

The young specialist in English Lit, having quoted me, went on to lecture me severely on the fact that in every century people have thought they understood the universe at last, and in every century they were proved to be wrong. It follows that the one thing we can say about our modern "knowledge" is that it is wrong. The young man then quoted with approval what Socrates had said on learning that the Delphic oracle had proclaimed him the wisest man in Greece. "If I am the wisest man," said Socrates, "it is because I alone know that I know nothing." The implication was that I was very foolish because I was under the impression I knew a great deal.

My answer to him was, "John, when people thought the earth was flat, they were wrong. When people thought the earth was spherical, they were wrong. But if you think that thinking the earth is spherical is just as wrong as thinking the earth is flat, then your view is wronger than both of them put together."

The basic trouble, you see, is that people think that "right" and "wrong" are absolute; that everything that isn't perfectly and completely right is totally and equally wrong.

However, I don't think that's so. It seems to me that right and wrong are fuzzy concepts, and I will devote this essay to an explanation of why I think so.

When my friend the English literature expert tells me that in every century scientists think they have worked out the universe and are always wrong, what I want to know is how wrong are they? Are they always wrong to the same degree? Let's take an example.

In the early days of civilization, the general feeling was that the earth was flat. This was not because people were stupid, or because they were intent on believing silly things. They felt it was flat on the basis of sound evidence. It was not just a matter of "That's how it looks," because the earth does not look flat. It looks chaotically bumpy, with hills, valleys, ravines, cliffs, and so on.

Of course there are plains where, over limited areas, the earth's surface does look fairly flat. One of those plains is in the Tigris-Euphrates area, where the first historical civilization (one with writing) developed, that of the Sumerians.

Perhaps it was the appearance of the plain that persuaded the clever Sumerians to accept the generalization that the earth was flat; that if you somehow evened out all the elevations and depressions, you would be left with flatness. Contributing to the notion may have been the fact that stretches of water (ponds and lakes) looked pretty flat on quiet days.

Another way of looking at it is to ask what is the "curvature" of the earth's surface. Over a considerable length, how much does the surface deviate (on the average) from perfect flatness? The flat-earth theory would make it seem that the surface doesn't deviate from flatness at all, that its curvature is 0 to the mile.

Nowadays, of course, we are taught that the flat-earth theory is wrong; that it is all wrong, terribly wrong, absolutely. But it isn't. The curvature of the earth is nearly 0 per mile, so that although the flat-earth theory is wrong, it happens to be nearly right. That's why the theory lasted so long.

There were reasons, to be sure, to find the flat-earth theory unsatisfactory and, about 350 B.C., the Greek philosopher Aristotle summarized them. First, certain stars disappeared beyond the Southern Hemisphere as one traveled north, and beyond the Northern Hemisphere as one traveled south. Second, the earth's shadow on the moon during a lunar eclipse was always the arc of a circle. Third, here on the earth itself, ships disappeared beyond the horizon hull-first in whatever direction they were traveling.

All three observations could not be reasonably explained if the earth's surface were flat, but could be explained by assuming the earth to be a sphere.

What's more, Aristotle believed that all solid matter tended to move toward a common center, and if solid matter did this, it would end up as a sphere. A given volume of matter is, on the average, closer to a common center if it is a sphere than if it is any other shape whatever.

About a century after Aristotle, the Greek philosopher Eratosthenes noted that the sun cast a shadow of different lengths at different latitudes (all the shadows would be the same length if the earth's surface were flat). From the difference in shadow length, he calculated the size of the earthly sphere and it turned out to be 25,000 miles in circumference.

The curvature of such a sphere is about 0.000126 per mile, a quantity very close to 0 per mile, as you can see, and one not easily measured by the techniques at the disposal of the ancients. The tiny difference between 0 and 0.000126 accounts for the fact that it took so long to pass from the flat earth to the spherical earth.

Mind you, even a tiny difference, such as that between 0 and 0.000126, can be extremely important. That difference mounts up. The earth cannot be mapped over large areas with any accuracy at all if the difference isn't taken into account and if the earth isn't considered a sphere rather than a flat surface. Long ocean voyages can't be undertaken with any reasonable way of locating one's own position in the ocean unless the earth is considered spherical rather than flat.

Furthermore, the flat earth presupposes the possibility of an infinite earth, or of the existence of an "end" to the surface. The spherical earth, however, postulates an earth that is both endless and yet finite, and it is the latter postulate that is consistent with all later findings.

So, although the flat-earth theory is only slightly wrong and is a credit to its inventors, all things considered, it is wrong enough to be discarded in favor of the spherical-earth theory.

And yet is the earth a sphere?

No, it is not a sphere; not in the strict mathematical sense. A sphere has certain mathematical properties - for instance, all diameters (that is, all straight lines that pass from one point on its surface, through the center, to another point on its surface) have the same length.

That, however, is not true of the earth. Various diameters of the earth differ in length.

What gave people the notion the earth wasn't a true sphere? To begin with, the sun and the moon have outlines that are perfect circles within the limits of measurement in the early days of the telescope. This is consistent with the supposition that the sun and the moon are perfectly spherical in shape.

However, when Jupiter and Saturn were observed by the first telescopic observers, it became quickly apparent that the outlines of those planets were not circles, but distinct ellipses. That meant that Jupiter and Saturn were not true spheres.

Isaac Newton, toward the end of the seventeenth century, showed that a massive body would form a sphere under the pull of gravitational forces (exactly as Aristotle had argued), but only if it were not rotating. If it were rotating, a centrifugal effect would be set up that would lift the body's substance against gravity, and this effect would be greater the closer to the equator you progressed. The effect would also be greater the more rapidly a spherical object rotated, and Jupiter and Saturn rotated very rapidly indeed.

The earth rotated much more slowly than Jupiter or Saturn so the effect should be smaller, but it should still be there. Actual measurements of the curvature of the earth were carried out in the eighteenth century and Newton was proved correct.

The earth has an equatorial bulge, in other words. It is flattened at the poles. It is an "oblate spheroid" rather than a sphere. This means that the various diameters of the earth differ in length. The longest diameters are any of those that stretch from one point on the equator to an opposite point on the equator. This "equatorial diameter" is 12,755 kilometers (7,927 miles). The shortest diameter is from the North Pole to the South Pole and this "polar diameter" is 12,711 kilometers (7,900 miles).

The difference between the longest and shortest diameters is 44 kilometers (27 miles), and that means that the "oblateness" of the earth (its departure from true sphericity) is 44/12755, or 0.0034. This amounts to 1/3 of 1 percent.

To put it another way, on a flat surface, curvature is 0 per mile everywhere. On the earth's spherical surface, curvature is 0.000126 per mile everywhere (or 8 inches per mile). On the earth's oblate spheroidal surface, the curvature varies from 7.973 inches to the mile to 8.027 inches to the mile.

The correction in going from spherical to oblate spheroidal is much smaller than going from flat to spherical. Therefore, although the notion of the earth as a sphere is wrong, strictly speaking, it is not as wrong as the notion of the earth as flat.

Even the oblate-spheroidal notion of the earth is wrong, strictly speaking. In 1958, when the satellite Vanguard I was put into orbit about the earth, it was able to measure the local gravitational pull of the earth--and therefore its shape--with unprecedented precision. It turned out that the equatorial bulge south of the equator was slightly bulgier than the bulge north of the equator, and that the South Pole sea level was slightly nearer the center of the earth than the North Pole sea level was.

There seemed no other way of describing this than by saying the earth was pear-shaped, and at once many people decided that the earth was nothing like a sphere but was shaped like a Bartlett pear dangling in space. Actually, the pear-like deviation from oblate-spheroid perfection was a matter of yards rather than miles, and the adjustment of curvature was in the millionths of an inch per mile.

In short, my English Lit friend, living in a mental world of absolute rights and wrongs, may be imagining that because all theories are wrong, the earth may be thought spherical now, but cubical next century, and a hollow icosahedron the next, and a doughnut shape the one after.

What actually happens is that once scientists get hold of a good concept they gradually refine and extend it with greater and greater subtlety as their instruments of measurement improve. Theories are not so much wrong as incomplete.

This can be pointed out in many cases other than just the shape of the earth. Even when a new theory seems to represent a revolution, it usually arises out of small refinements. If something more than a small refinement were needed, then the old theory would never have endured.

Copernicus switched from an earth-centered planetary system to a sun-centered one. In doing so, he switched from something that was obvious to something that was apparently ridiculous. However, it was a matter of finding better ways of calculating the motion of the planets in the sky, and eventually the geocentric theory was just left behind. It was precisely because the old theory gave results that were fairly good by the measurement standards of the time that kept it in being so long.

Again, it is because the geological formations of the earth change so slowly and the living things upon it evolve so slowly that it seemed reasonable at first to suppose that there was no change and that the earth and life always existed as they do today. If that were so, it would make no difference whether the earth and life were billions of years old or thousands. Thousands were easier to grasp.

But when careful observation showed that the earth and life were changing at a rate that was very tiny but not zero, then it became clear that the earth and life had to be very old. Modern geology came into being, and so did the notion of biological evolution.

If the rate of change were more rapid, geology and evolution would have reached their modern state in ancient times. It is only because the difference between the rate of change in a static universe and the rate of change in an evolutionary one is that between zero and very nearly zero that the creationists can continue propagating their folly.

Since the refinements in theory grow smaller and smaller, even quite ancient theories must have been sufficiently right to allow advances to be made; advances that were not wiped out by subsequent refinements.

The Greeks introduced the notion of latitude and longitude, for instance, and made reasonable maps of the Mediterranean basin even without taking sphericity into account, and we still use latitude and longitude today.

The Sumerians were probably the first to establish the principle that planetary movements in the sky exhibit regularity and can be predicted, and they proceeded to work out ways of doing so even though they assumed the earth to be the center of the universe. Their measurements have been enormously refined but the principle remains.

Naturally, the theories we now have might be considered wrong in the simplistic sense of my English Lit correspondent, but in a much truer and subtler sense, they need only be considered incomplete.

from lizard's ghost

Thursday, May 28, 2015

my wait is finally over i think

from lizard's ghost

Friday, May 22, 2015

help! what is this token it just revoked?

05-22 07:50:37.070 D/Trebuchet.LauncherModel(3001): DbDebug Add item (FortiClient VPN) to db, id: 170 (-100, 4, 1, 2)
05-22 07:50:48.150 D/Trebuchet.LauncherModel(3001): DbDebug Delete item (FortiClient VPN) from db, id: 102 (-100, 3, 0, 2)
05-22 07:50:50.510 I/ActivityManager(2383): START u0 {act=android.intent.action.MAIN cat=[android.intent.category.LAUNCHER] flg=0x10200000 cmp=com.fortinet.forticlientvpn/.start.StartActivity bnds=[192,551][352,751]} from pid 3001
05-22 07:50:50.720 I/ActivityManager(2383): START u0 {cmp=com.fortinet.forticlientvpn/forticlient.main.main.MainActivity} from pid 30229
05-22 07:50:50.725 W/ActivityManager(2383): Duplicate finish request for ActivityRecord{42177de0 u0 com.fortinet.forticlientvpn/.start.StartActivity}
05-22 07:50:52.985 D/FortiClient(30229): Connecting: cxrus sg
05-22 07:50:52.995 I/PebbleNotificationCenter(3351): [JellybeanNotificationListener] Processing notification com.fortinet.forticlientvpn 123 null
05-22 07:50:53.110 I/PebbleNotificationCenter(3351): [JellybeanNotificationListener] Processing notification com.fortinet.forticlientvpn 123 null
05-22 07:50:54.690 D/FortiClient(30229): Connecting: cxrus sg
05-22 07:50:54.720 I/PebbleNotificationCenter(3351): [JellybeanNotificationListener] Processing notification com.fortinet.forticlientvpn 123 null
05-22 07:50:56.450 D/FortiClient(30229): FortiToken needed: FortiToken needed
05-22 07:50:56.475 I/PebbleNotificationCenter(3351): [JellybeanNotificationListener] Processing notification com.fortinet.forticlientvpn 123 null
05-22 07:50:56.475 I/ActivityManager(2383): START u0 {flg=0x50800000 cmp=com.fortinet.forticlientvpn/forticlient.fortitoken.InputTokenActivity} from pid 30229
05-22 07:50:56.785 I/ActivityManager(2383): Displayed com.fortinet.forticlientvpn/forticlient.fortitoken.InputTokenActivity: +152ms (total +6s111ms)
05-22 07:51:11.875 E/FortiClient(30229): Revoked by Android: REBOOT!
05-22 07:51:11.875 D/FortiClient(30229): Connection failed: Revoked by Android: REBOOT!
05-22 07:51:11.885 I/PebbleNotificationCenter(3351): [JellybeanNotificationListener] Processing notification com.fortinet.forticlientvpn 123 null
05-22 07:51:12.720 D/PebbleNotificationCenter(3351): [NotificationListenerService$INotificationListenerWrapper] Got jellybean dismiss com.fortinet.forticlientvpn 123 null
05-22 07:51:12.720 D/PebbleNotificationCenter(3351): [DismissUpwardsModule] got dismiss: com.fortinet.forticlientvpn 123 null
05-22 07:51:14.450 D/FortiClient(30229): Connecting: cxrus sg
05-22 07:51:14.460 I/PebbleNotificationCenter(3351): [JellybeanNotificationListener] Processing notification com.fortinet.forticlientvpn 123 null
05-22 07:51:14.565 I/PebbleNotificationCenter(3351): [JellybeanNotificationListener] Processing notification com.fortinet.forticlientvpn 123 null
05-22 07:51:16.115 D/FortiClient(30229): Connecting: cxrus sg
05-22 07:51:16.145 I/PebbleNotificationCenter(3351): [JellybeanNotificationListener] Processing notification com.fortinet.forticlientvpn 123 null
05-22 07:51:18.055 D/FortiClient(30229): FortiToken needed: FortiToken needed
05-22 07:51:18.075 I/ActivityManager(2383): START u0 {flg=0x50800000 cmp=com.fortinet.forticlientvpn/forticlient.fortitoken.InputTokenActivity} from pid 30229
05-22 07:51:18.080 I/PebbleNotificationCenter(3351): [JellybeanNotificationListener] Processing notification com.fortinet.forticlientvpn 123 null
05-22 07:51:18.450 W/WindowManager(2383): This window was lost: Window{427c6970 u0 com.fortinet.forticlientvpn/forticlient.fortitoken.InputTokenActivity EXITING}
05-22 07:51:18.450 W/WindowManager(2383): mOwnerUid=10122 mShowToOwnerOnly=true package=com.fortinet.forticlientvpn appop=NONE
05-22 07:51:18.450 W/WindowManager(2383): mToken=AppWindowToken{435596a0 token=Token{41ebdc08 ActivityRecord{4247c3e8 u0 com.fortinet.forticlient
05-22 07:51:18.450 W/WindowManager(2383): mRootToken=AppWindowToken{435596a0 token=Token{41ebdc08 ActivityRecord{4247c3e8 u0 com.fortinet.forticlientvpn/forticlient.fortitoken.InputTokenActivity}}}
05-22 07:51:18.450 W/WindowManager(2383): mAppToken=AppWindowToken{435596a0 token=Token{41ebdc08 ActivityRecord{4247c3e8 u0 com.fortinet.forticlient
05-22 07:51:18.450 W/WindowManager(2383): WindowStateAnimator{42514a88 com.fortinet.forticlientvpn/forticlient.fortitoken.InputTokenActivity}:
05-22 07:51:18.450 W/WindowManager(2383): mSurface=Surface(name=com.fortinet.forticlient
05-22 07:51:18.450 V/WindowManager(2383): #9: Token{41bc58a0 ActivityRecord{424a0910 u0 com.fortinet.forticlientvpn/forticlient.fortitoken.InputTokenActivity}}
05-22 07:51:18.450 V/WindowManager(2383): #8: Token{425eea38 ActivityRecord{41b64f38 u0 com.fortinet.forticlient
05-22 07:51:18.450 V/WindowManager(2383): #3: Window{42aa6f30 u0 com.fortinet.forticlientvpn/forticlient.fortitoken.InputTokenActivity}
05-22 07:51:18.450 V/WindowManager(2383): #4: Window{42a07828 u0 com.fortinet.forticlient
05-22 07:51:18.450 V/WindowManager(2383): #5: Window{42371860 u0 com.fortinet.forticlientvpn/forticlient.main.main.MainActivity}
05-22 07:51:18.455 I/ActivityManager(2383): Displayed com.fortinet.forticlientvpn/forticlient.fortitoken.InputTokenActivity: +121ms
05-22 07:51:24.245 E/FortiClient(30229): Revoked by Android: REBOOT!
05-22 07:51:24.250 D/FortiClient(30229): Connection failed: Revoked by Android: REBOOT!
05-22 07:51:24.275 I/PebbleNotificationCenter(3351): [JellybeanNotificationListener] Processing notification com.fortinet.forticlientvpn 123 null
05-22 07:51:25.050 D/PebbleNotificationCenter(3351): [NotificationListenerService$INotificationListenerWrapper] Got jellybean dismiss com.fortinet.forticlientvpn 123 null
05-22 07:51:25.050 D/PebbleNotificationCenter(3351): [DismissUpwardsModule] got dismiss: com.fortinet.forticlientvpn 123 null
05-22 07:51:25.155 W/WindowManager(2383): This window was lost: Window{42aa6f30 u0 com.fortinet.forticlientvpn/forticlient.fortitoken.InputTokenActivity EXITING}
05-22 07:51:25.155 W/WindowManager(2383): mOwnerUid=10122 mShowToOwnerOnly=true package=com.fortinet.forticlientvpn appop=NONE
05-22 07:51:25.155 W/WindowManager(2383): mToken=AppWindowToken{42ffabc8 token=Token{41bc58a0 ActivityRecord{424a0910 u0 com.fortinet.forticlient
05-22 07:51:25.155 W/WindowManager(2383): mRootToken=AppWindowToken{42ffabc8 token=Token{41bc58a0 ActivityRecord{424a0910 u0 com.fortinet.forticlientvpn/forticlient.fortitoken.InputTokenActivity}}}
05-22 07:51:25.155 W/WindowManager(2383): mAppToken=AppWindowToken{42ffabc8 token=Token{41bc58a0 ActivityRecord{424a0910 u0 com.fortinet.forticlient
05-22 07:51:25.155 W/WindowManager(2383): WindowStateAnimator{43686090 com.fortinet.forticlientvpn/forticlient.fortitoken.InputTokenActivity}:
05-22 07:51:25.155 W/WindowManager(2383): mSurface=Surface(name=com.fortinet.forticlient
05-22 07:51:25.155 V/WindowManager(2383): #7: Token{425eea38 ActivityRecord{41b64f38 u0 com.fortinet.forticlientvpn/forticlient.main.main.MainActivity}}
05-22 07:51:25.155 V/WindowManager(2383): #5: Window{42371860 u0 com.fortinet.forticlient

from lizard's ghost

Thursday, May 21, 2015


Is my perception of truth so awful I cannot share it with anyone else? How shall I answer people? Do I have to think “how do u want me to lie to u now?” all the time? Everything I espouse is a mere opinion, every prediction is a mere guess, everything else is only a figment of my imagination, my estimation of reality that might totally have no link whatsoever with yours or anyone else’s. Is that so difficult to grasp? Am I delusional? Are u?

from lizard's ghost

Wednesday, May 20, 2015

Containers are hot. Everyone loves them. Developers love the ease of creating a "bundle" of something that users can consume; DevOps and information-technology departments love the ease of management and deployment. To a large degree, containers entered the spotlight when Docker changed the application-development industry on the server side in a way that resembles how the iPhone changed the client application landscape.
The word "container" is not just used for applications, though; it is also used to describe a technology that can run a piece of software in an isolated way. Such containers are about using control groups to manage resources and kernel namespaces to limit the visibility and reach of your container app. For the typical LWN reader, this is likely what one thinks about when encountering the word "container."

Many people who advocate for containers start by saying that virtual machines are expensive and slow to start, and that containers provide a more efficient alternative. The usual counterpoint is about how secure kernel containers really are against adversarial users with an arsenal of exploits in their pockets. Reasonable people can argue for hours on this topic, but the reality is that quite a few potential users of containers see this as a showstopper. There are many efforts underway to improve the security of containers and namespaces in both open-source projects and startup companies.

We (the Intel Clear Containers group) are taking a little bit of a different tack on the security of containers by going back to the basic question: how expensive is virtual-machine technology, really? Performance in this regard is primarily measured using two metrics: startup time and memory overhead. The first is about how quickly your data center can respond to an incoming request (say a user logs into your email system); the second is about how many containers you can pack on a single server.

We set out to build a system (which we call "Clear Containers") where one can use the isolation of virtual-machine technology along with the deployment benefits of containers. As part of this, we let go of the "machine" notion traditionally associated with virtual machines; we're not going to pretend to be a standard PC that is compatible with just about any OS on the planet.

To provide a preview of the results: we can launch such a secured container that uses virtualization technology in under 150 milliseconds, and the per-container memory overhead is roughly 18 to 20MB (this means you can run over 3500 of these on a server with 128GB of RAM). While this is not quite as fast as the fastest Docker startup using kernel namespaces, for many applications this is likely going to be good enough. And we aren't finished optimizing yet.

So how did we do this?


With KVM as the hypervisor of choice, we looked at the QEMU layer. QEMU is great for running Windows or legacy Linux guests, but that flexibility comes at a hefty price. Not only does all of the emulation consume memory, it also requires some form of low-level firmware in the guest as well. All of this adds quite a bit to virtual-machine startup times (500 to 700 milliseconds is not unusual).

However, we have the kvmtool mini-hypervisor at our disposal (LWN has covered kvmtool in the past). With kvmtool, we no longer need a BIOS or UEFI; instead we can jump directly into the Linux kernel. Kvmtool is not cost-free, of course; starting kvmtool and creating the CPU contexts takes approximately 30 milliseconds. We have enhanced kvmtool to support execute-in-place on the kernel to avoid having to decompress the kernel image; we just mmap() the vmlinux file and jump into it, saving both memory and time.


A Linux kernel boots pretty fast. On a real machine, most of the boot time in the kernel is spent initializing some piece of hardware. However, in a virtual machine, none of these hardware delays are there—it's all fake, after all—and, in practice, one uses only the virtio class of devices that are pretty much free to set up. We had to optimize away a few early-boot CPU initialization delays; but otherwise, booting a kernel in a virtual-machine context takes about 32 milliseconds, with a lot of room left for optimization.

We also had to fix several bugs in the kernel. Some fixes are upstream already and others will go upstream in the coming weeks.

User space

In 2008 we talked about the 5-second boot at the Plumbers Conference, and, since then, many things have changed—with systemd being at the top of the list. Systemd makes it trivial to create a user space environment that boots quickly. I would love to write a long essay here about how we had to optimize user space, but the reality is—with some minor tweaks and just putting the OS together properly—user space boots pretty quickly (less than 75 milliseconds) already. (When recording bootcharts at high resolution sampling, it's a little more, but that's all measurement overhead.)

Memory consumption

A key feature to help with memory consumption is DAX, which the 4.0 kernel now supports in the ext4 filesystem. If your storage is visible as regular memory to the host CPU, DAX enables the system to do execute-in-place of files stored there. In other words, when using DAX, you bypass the page cache and virtual-memory subsystem completely. For applications that use mmap(), this means a true zero-copy approach, and for code that uses the read() system call (or equivalent) you will have only one copy of the data. DAX was originally designed for fast flash-like storage that shows up as memory to the CPU; but in a virtual-machine environment, this type of storage is easy to emulate. All we need to do on the host is map the disk image file into the guest's physical memory, and use a small device driver in the guest kernel that exposes this memory region to the kernel as a DAX-ready block device.

What this DAX solution provides is a zero-copy, no-memory-cost solution for getting all operating-system code and data into the guest's user space. In addition, when the MAP_PRIVATE flag is used in the hypervisor, the storage becomes copy-on-write for free; writes in the guest to the filesystem are not persistent, so they will go away when the guest container terminates. This MAP_PRIVATE solution makes it trivial to share the same disk image between all the containers, and also means that even if one container is compromised and mucks with the operating-system image, these changes do not persist in future containers.
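The copy-on-write isolation described above can be observed directly with the MAP_PRIVATE mmap() flag. The following is an added example, not code from the article or from Clear Containers: a temporary file stands in for the shared disk image and two mappings of it stand in for two guests; `run_guests`, `struct outcome` and the file contents are hypothetical names and constructed data, and a Linux host is assumed.

```c
/* Added example: MAP_PRIVATE vs MAP_SHARED on a constructed stand-in image. */
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700
#endif
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/types.h>
#include <unistd.h>

#define IMG_SIZE 4096

/* Constructed sample contents; equal length so comparisons stay simple. */
static const char ORIGINAL[] = "trusted-os-image";
static const char TAMPERED[] = "guest-was-here!!";

struct outcome {
    int guest_a_sees_own_write; /* the writing guest observes its change   */
    int guest_b_sees_tamper;    /* a second guest on the same image sees it */
    int image_file_changed;     /* the backing file itself was modified     */
};

/*
 * Map one image file twice with map_flags (two "guests"), let guest A
 * overwrite the start of the image, then record who can see the change.
 * Returns 0 on success, -1 on any system-call failure.
 */
int run_guests(int map_flags, struct outcome *out)
{
    char path[] = "/tmp/cc_image_XXXXXX";
    char on_disk[sizeof ORIGINAL];
    char *a = MAP_FAILED, *b = MAP_FAILED;
    int rc = -1;

    int fd = mkstemp(path);
    if (fd < 0)
        return -1;
    unlink(path); /* the open descriptor keeps the file alive */

    if (ftruncate(fd, IMG_SIZE) != 0 ||
        pwrite(fd, ORIGINAL, sizeof ORIGINAL, 0) != (ssize_t)sizeof ORIGINAL)
        goto done;

    a = mmap(NULL, IMG_SIZE, PROT_READ | PROT_WRITE, map_flags, fd, 0);
    b = mmap(NULL, IMG_SIZE, PROT_READ | PROT_WRITE, map_flags, fd, 0);
    if (a == MAP_FAILED || b == MAP_FAILED)
        goto done;

    /* Guest A "mucks with the operating-system image". */
    memcpy(a, TAMPERED, sizeof TAMPERED);

    out->guest_a_sees_own_write = memcmp(a, TAMPERED, sizeof TAMPERED) == 0;
    out->guest_b_sees_tamper = memcmp(b, TAMPERED, sizeof TAMPERED) == 0;

    /* Read the backing file through the descriptor, bypassing both mappings. */
    if (pread(fd, on_disk, sizeof on_disk, 0) != (ssize_t)sizeof on_disk)
        goto done;
    out->image_file_changed = memcmp(on_disk, ORIGINAL, sizeof ORIGINAL) != 0;
    rc = 0;

done:
    if (a != MAP_FAILED)
        munmap(a, IMG_SIZE);
    if (b != MAP_FAILED)
        munmap(b, IMG_SIZE);
    close(fd);
    return rc;
}

static void report(const char *name, int flags)
{
    struct outcome o = {0, 0, 0};
    if (run_guests(flags, &o) != 0) {
        perror(name);
        return;
    }
    printf("%-11s  A sees own write: %d  B sees tamper: %d  image changed: %d\n",
           name, o.guest_a_sees_own_write, o.guest_b_sees_tamper,
           o.image_file_changed);
}

int main(void)
{
    report("MAP_PRIVATE", MAP_PRIVATE); /* writes stay in guest A's private pages */
    report("MAP_SHARED", MAP_SHARED);   /* writes reach the image and guest B     */
    return 0;
}
```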

A second key feature to reduce memory cost is kernel same-page merging (KSM) on the host. KSM is a way to deduplicate memory within and between processes and KVM guests.

Finally, we optimized our core user space for minimal memory consumption. This mostly consists of calling the glibc malloc_trim() function at the end of the initialization of resident daemons, causing them to give back to the kernel any malloc() buffers that glibc held onto. Glibc by default implements a type of hysteresis where it holds on to some amount of freed memory as an optimization in case memory is needed again soon.

Next steps

We have this working as a proof of concept with rkt (implementing the appc spec that LWN wrote about recently). Once this work is a bit more mature, we will investigate adding support into Docker as well. More information on how to get started and get code can be found at, which we will update as we make progress with our integration and optimization efforts.

from lizard's ghost

Tuesday, May 19, 2015

on kubernetes

The initial value of containers is really that you can run it on your laptop and then you deploy the same thing in the cloud. That is a great thing and Docker did a particularly great job on that, but what do you do then? Kubernetes answers that question, which is you run a fleet of containers where you have a controlled way to upgrade them, you have a controlled way to send them traffic, you can scale a service in terms of the number of containers that are included in running it, so that you can increase capacity as your load goes up.

from lizard's ghost

Saturday, May 09, 2015


I think that I shall never see
a graph more lovely than a tree.
A tree whose crucial property
is loop-free connectivity.
A tree that must be sure to span
so packets can reach every LAN.
First, the root must be selected.
By ID, it is elected.
Least-cost paths from root are traced.
In the tree, these paths are placed.
A mesh is made by folks like me,
then bridges find a spanning tree.

from lizard's ghost

Thursday, May 07, 2015

i dunno what its about but i think its lovely

from lizard's ghost