The document discusses isolating processes without containers, focusing on concepts such as namespaces and control groups (cgroups) that manage resources like memory and CPU. It covers historical developments, technical details about namespaces since Linux kernel 2.6.23, and the advantages of using technologies like ZFS. Various resources and demos are provided for further exploration of these topics.

1. Let’s isolate a
process with no
container.

2. Let’s isolate a
process with no
container.
Readable example with code and explanation:
welcometothebundle.com/isolate-a-process-with-no-container-like-docker

3. @liuggiowelcometothebundle.com

4. @liuggio Giulio De Donato

5. What is a
Container?
@liuggio Giulio De Donato

6. “I once heard that hypervisors
are the living proof of operating
system's incompetence”
-- Glauber Costa's - LinuxCon Europe 2012
@liuggio Giulio De Donato

7. ... containers ...
“I would love to say months,
but let's get realistic”
-- Glauber Costa's - LinuxCon Europe 2012
@liuggio Giulio De Donato

8. Is all about
ISOLATION
@liuggio Giulio De Donato

9. chroot
?
@liuggio Giulio De Donato

10. while true;
do mkdir x; cd x;
done
bomb() {
bomb | bomb &
}; bomb
Attacks
@liuggio Giulio De Donato

11. GOAL OF
TODAY:
http://9gag.com/gag/aGxbmGz
namespace cgroups ufs
@liuggio Giulio De Donato

12. LXC vs DOCKER
@liuggio Giulio De Donato

13. Let’s start with the first set of slides
Once upon a time ...
@liuggio Giulio De Donato

14. NAMESPACE
Linux 2.6.23 (released in late 2007)
6 namespaces
- mnt (mount points, filesystems)
- pid (processes)
- net (network stack)
- ipc (System V IPC)
- uts (hostname)
- user (UIDs)
Namespaces started in about
2002.
@liuggio Giulio De Donato

15. Namespaces processes API
consists of these 3 system calls:
● clone() - creates a new process and a new namespace; the
newly created process is attached to the new namespace
● unshare()–gets only a single parameter, flags. Does not create a
new process; creates a new namespace and attaches the calling
processto it.
● setns()- a new system call, for attaching the calling process to
an existing namespace;
@liuggio Giulio De Donato

16. DEMO
Namespace
https://gist.github.com/liuggio/
114f506fbe040ac93687dc797b923cbf
1
@liuggio Giulio De Donato

17. @liuggio Giulio De Donato

18. CGroups!
The cgroup (control groups) subsystem is a Resource Management and Resource
Accounting/Tracking solution, providing a generic process - grouping framework
It handles resources such as memory, cpu, network, and more;
mostly needed in both ends of the spectrum (servers and embedded).
∎ Development was started by engineers at Google in 2006 under the name "process containers”
∎ Merged into kernel 2.6.24 (2008).
∎ cgroup core has 3 maintainers, and each cgroup controller has its own maintainer (cpu memory io)
@liuggio Giulio De Donato

19. DEMO
CGROUPS
https://asciinema.org/a/7w13btk2uethz2e57lgpfz5ym
or https://goo.gl/NyPMFJ
3
@liuggio Giulio De Donato

20. THIS IS A TREE
@liuggio Giulio De Donato

21. THIS IS A TREE
@liuggio Giulio De Donato

22. WHAT IS IT?
@liuggio Giulio De Donato

23. DEMO
UFSapt-get install aufs-tools
https://asciinema.org/~liuggio
https://asciinema.org/a/41778
2
@liuggio Giulio De Donato

24. @liuggio Giulio De Donato

25. Union File System
PRO
- File level
- No caches
CONS
- Bad performance for big files
- Not in kernel
- Too much layers costs
● merge into a single directory 2 devices
● Combining a large, read-only file system with small write area (like livecd)
@liuggio Giulio De Donato

26. ZFS is a combination of a volume manager (like LVM) and a filesystem (like ext4, xfs, or btrfs).
ZFS one of the most beloved features of Solaris, universally coveted by every Linux sysadmin with a Solaris background.
● snapshots
● copy-on-write cloning
● continuous integrity checking against data corruption
● automatic repair
● efficient data compression
2016
@liuggio Giulio De Donato

27. UFS
CGROUPS
namespace
@liuggio Giulio De Donato

28. THANKS!
@liuggio Giulio De Donato

29. ∎ www.welcometothebundle.com/isolate-a-process-with-no-container-like-docker
∎ https://github.com/opencontainers/runtime-spec/blob/master/config-linux.md#namespaces
∎ https://www.opencontainers.org/news/faqs/who-will-be-initial-technical-leadership
∎ http://www.cyberciti.biz/faq/unix-linux-chroot-command-examples-usage-syntax/
∎ http://s0.cyberciti.org/uploads/faq/2013/01/bash-chroot-ls-demo.gif
∎ https://www.flockport.com/lxc-vs-docker/
∎ http://ramirose.wix.com/ramirosen
∎ https://lwn.net/Articles/532593/
∎ https://lwn.net/Articles/531114/
∎ https://lwn.net/Articles/531381/
∎ https://lwn.net/Articles/528078/
∎ https://docs.docker.com/engine/reference/run/
∎ http://www.netdevconf.org/1.1/proceedings/slides/rosen-namespaces-cgroups-lxc.pdf
∎ https://www.stgraber.org/2013/12/20/lxc-1-0-blog-post-series/
∎ https://skillsmatter.com/skillscasts/7101-building-containers-from-scratch-for-fun-and-profit
∎ https://docs.oracle.com/cd/E18752_01/html/817-5093/bkupsnapshot-9.html
∎ https://www.flickr.com/photos/15514374@N05/10164384915/in/photolist-guc8vM-eUsLmk-bUx1od-snDG6D-4EdN6w-dRNW5S-92a5Rc-bqLMQX-9W8h5y-b4nUUZ-qBTHgX-qP1gRX-
bjCEPC-9tmmnk-eiz69R-dUwHXM-ff6xuP-J1cvu-7FC9CK-5QNat5-sniS97-dmWZqi-9FJL3F-e5QKNc-oaepa3-dHcamQ-4EJPTP-eB42Pm-aywhxM-eSZ6Gv-jhYq8x-cXnWtd-6HXxUg-8ZKp87-
5BL32d-7g3EHP-4gc756-cBECqo-oBFK5Y-9fUMLY-e7z58s-oViSZU-pKrEsE-6J2D5b-6HXwrz-6HXxt8-9k3DeV-9k6CLy-qFGW5B-hrxHnf
∎ https://docs.docker.com/engine/userguide/storagedriver/device-mapper-driver/
∎ https://docs.docker.com/engine/userguide/storagedriver/zfs-driver/
∎ Presentation template by SlidesCarnival
CREDITS

30. FATTI UN
CONTAINER
TUTTO TUO!! @liuggio Giulio De Donato

31. @liuggio Giulio De Donato
Have you ever heard about this?
- What is
- Who
- Why