Containers under the hood

Containers and Images

Namespaces and Cgroups

Scenarios

Container and Image

  • Image

    • Built from a Dockerfile, a script/text file defining how to build the image

    • multi-layer binary representation of state

    • can be run, or pushed to a repo

  • Container

    • collection of one or multiple applications

    • includes all its dependencies

    • just a process which runs on the Linux kernel

      • but which cannot see everything

    • Kernel vs user space

      • Kernel space

        • Linux kernel

        • syscall interface

      • user space

        • applications

        • libraries

Namespaces

  • Linux kernel namespaces

    • namespaces isolate processes

    • containers are simply processes on a Linux kernel that need isolation

    • PID

      • isolates processes from each other

      • one process cannot see others

      • the same process ID can exist multiple times, once in every namespace

    • Mount

      • restrict access to mounts or the root filesystem

    • Network

      • Only access to certain network devices

      • firewall & routing rules & socket ports

      • not able to see all traffic or contact all endpoints

    • User

      • different set of user ids used

      • user 0 (root) inside one namespace can be different from user 0 in other namespaces

      • don't use the host root user (0) inside a container
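The following shell audit, added here as an example and not part of the course notes, makes the namespace isolation above visible: for a given PID it checks whether each namespace (pid, mnt, net, user) is shared with PID 1, which is assumed to be the host init because the script is run on the host, and it parses /proc/PID/uid_map to find which host uid an in-container uid 0 really is (an identity mapping means the container's root is the host's root). The function names are assumptions.

```shell
#!/bin/sh
# Assumption: run on the host, so PID 1 is the host init process.

# Print "shared" if PIDs $1 and $2 are in the same namespace of type $3
# (pid, mnt, net, user, ...), otherwise "separate". Namespace identity is
# taken from the symlink target of /proc/<pid>/ns/<type>, e.g. "pid:[4026531836]".
ns_shared() {
  a=$(readlink "/proc/$1/ns/$3" 2>/dev/null)
  b=$(readlink "/proc/$2/ns/$3" 2>/dev/null)
  [ -n "$a" ] && [ "$a" = "$b" ] && echo shared || echo separate
}

# Given the text of a uid_map ("inside_uid outside_uid count" per line),
# print the host uid that uid 0 inside the namespace maps to, or "unmapped".
# "0 0 4294967295" is the identity map: container root == host root.
host_uid_of_root() {
  echo "$1" | awk '$1 == 0 { print $2; found = 1 } END { if (!found) print "unmapped" }'
}

# Report, for one PID, which namespaces it shares with PID 1 and what its
# in-namespace uid 0 corresponds to on the host.
audit_pid() {
  pid=$1
  for ns in pid mnt net user; do
    printf '%-4s namespace: %s\n' "$ns" "$(ns_shared "$pid" 1 "$ns")"
  done
  printf 'uid 0 maps to host uid: %s\n' \
    "$(host_uid_of_root "$(cat "/proc/$pid/uid_map" 2>/dev/null)")"
}

# Usage: audit_pid <pid of a containerized process>; "shared" on pid/net
# means --pid=host/--net=host style configuration, "0" for the uid means
# the container runs as the real host root.
```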

Kernel isolation

  • namespaces

    • restrict what processes are visible

      • other processes

      • users

      • filesystem

  • cgroups - restrict resources

    • ram

    • disk

    • cpu

Container tools

  • Take a look at docker, containerd, crictl, and podman

  • Docker

    • container runtime + tool for managing containers and images

  • containerd

    • container runtime

  • crictl

    • CLI for CRI-compatible container runtimes

  • podman

    • tool for managing containers and images

Creating an Image

  • create a new Docker image by writing a new Dockerfile

  • Example

    • vim Dockerfile

      • enter contents

        FROM bash
        CMD ["ping","killer.sh"]

      • save the contents
