Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Containers from scratch


Published on

Containers from scratch by Liz Rice

What is a container? Is it really a “lightweight VM”? What happens when you type in "docker run"? In this talk you'll see exactly what a container is, as Liz builds one from scratch in a few lines of Go code. You'll learn what's happening under the covers when you start a container, and understand how namespaces, controls and chroot each contribute to the making of a container, We'll also cover what it means to run a privileged or non-privileged container.

Published in: Technology
  • Be the first to comment

  • Be the first to like this

Containers from scratch

  1. 1. Copyright @ 2017 Aqua Security Software Ltd. All Rights Reserved. @LizRice | @AquaSecTeam Containers from scratch Liz Rice Aqua Security
  2. 2. docker run <image>
  3. 3. 3@lizrice Build my own container in Go ■ Namespaces ■ Chroot ■ Cgroups
  4. 4. 4@lizrice Namespaces ■ What you can see ■ Created with syscalls ○ Unix Timesharing System ○ Process IDs ○ Mounts ○ Network ○ User IDs ○ InterProcess Comms
  5. 5. 5@lizrice CGroups ■ What you can use ■ Filesystem interface ○ Memory ○ CPU ○ I/O ○ Process numbers ○ ...
  6. 6. :(){ :|: & };:
  7. 7. Copyright @ 2017 Aqua Security Software Ltd. All Rights Reserved. @LizRice | @AquaSecTeam @LizRice | @AquaSecTeam