
Containers: What are they, Really?

Inspired by Liz Rice, I'll attempt to create a container runtime myself in Go while eventually explaining Linux containerization primitives and discussing the ecosystem.

Published in: Software

  2. + run input commands with arguments
     ++ add hostname limitations
     +++ add process ID limitations
     ++++ add mount/filesystem limitations
  3.
     package main

     import (
         "fmt"
         "os"
         "os/exec"
     )

     func main() {
         switch os.Args[1] {
         case "run":
             run()
         default:
             panic("what?")
         }
     }

     // run executes the command given after "run", sharing our stdio with it.
     func run() {
         fmt.Printf("running %v\n", os.Args[2:])
         cmd := exec.Command(os.Args[2], os.Args[3:]...)
         cmd.Stdin = os.Stdin
         cmd.Stderr = os.Stderr
         cmd.Stdout = os.Stdout
         must(cmd.Run())
     }

     func must(err error) {
         if err != nil {
             panic(err)
         }
     }

     ---- takes the inputs and executes them
     ---- panics on a non-"run" command
  4. 🎉 And it successfully echoes "Hello"!
  5. ----- opens a shell to the "container process"
     ------ can check the hostname
     ------ can CHANGE the hostname!!!
  6.
     // needs: import "syscall"
     func run() {
         fmt.Printf("running %v\n", os.Args[2:])
         cmd := exec.Command(os.Args[2], os.Args[3:]...)
         cmd.Stdin = os.Stdin
         cmd.Stderr = os.Stderr
         cmd.Stdout = os.Stdout
         // CLONE_NEWUTS: the child gets its own hostname/domainname.
         cmd.SysProcAttr = &syscall.SysProcAttr{
             Cloneflags: syscall.CLONE_NEWUTS,
         }
         must(cmd.Run())
     }

     cmd is executed with the Linux clone flag that creates the child process in a new UTS namespace, so a hostname change inside it no longer affects the host (creating namespaces this way requires root / CAP_SYS_ADMIN).
  7. can see all processes on the host machine
  8.
     func run() {
         fmt.Printf("running %v\n", os.Args[2:])
         cmd := exec.Command(os.Args[2], os.Args[3:]...)
         cmd.Stdin = os.Stdin
         cmd.Stderr = os.Stderr
         cmd.Stdout = os.Stdout
         // CLONE_NEWPID: the child becomes PID 1 of a fresh PID namespace.
         cmd.SysProcAttr = &syscall.SysProcAttr{
             Cloneflags: syscall.CLONE_NEWUTS | syscall.CLONE_NEWPID,
         }
         must(cmd.Run())
     }

     ----- execute cmd in a new PID and a new UTS namespace
     why can we still see the parent namespace's processes?
  9.
     func run() {
         // re-exec ourselves as "child" inside the new namespaces
         cmd := exec.Command("/proc/self/exe", append([]string{"child"}, os.Args[2:]...)...)
         cmd.Stdin = os.Stdin
         cmd.Stderr = os.Stderr
         cmd.Stdout = os.Stdout
         cmd.SysProcAttr = &syscall.SysProcAttr{
             Cloneflags: syscall.CLONE_NEWUTS | syscall.CLONE_NEWPID,
         }
         must(cmd.Run())
     }

     // child already runs inside the namespaces; it sets things up and
     // then starts the user's command.
     func child() {
         fmt.Printf("running %v as pid %v\n", os.Args[2:], os.Getpid())
         cmd := exec.Command(os.Args[2], os.Args[3:]...)
         cmd.Stdin = os.Stdin
         cmd.Stderr = os.Stderr
         cmd.Stdout = os.Stdout
         must(cmd.Run())
     }

     ----- let's try this again, but fork off a child process (by re-executing our own binary via /proc/self/exe) so that setup code can run inside the namespaces before the real command starts
  10. ----- the child process has a PID of one!
      can still see processes on the host machine: 'ps' reads the /proc directory, and we are still looking at the host's /proc
  11.
      func run() {
          cmd := exec.Command("/proc/self/exe", append([]string{"child"}, os.Args[2:]...)...) // link to the currently running binary
          cmd.Stdin = os.Stdin
          cmd.Stderr = os.Stderr
          cmd.Stdout = os.Stdout
          cmd.SysProcAttr = &syscall.SysProcAttr{
              Cloneflags: syscall.CLONE_NEWUTS | syscall.CLONE_NEWPID | syscall.CLONE_NEWNS,
          }
          must(cmd.Run())
      }

      ------ the NEWNS flag for the mount namespace gives the process its own "mount table", allowing it to have its own filesystem view. Caveat: the new table starts as a copy of the parent's, and on most modern distributions "/" is a shared-propagation mount, so mounts made inside the namespace can still propagate back to the host unless the tree is first remounted private (MS_REC|MS_PRIVATE).
  12.
      func child() {
          fmt.Printf("running %v as pid %v\n", os.Args[2:], os.Getpid())
          cmd := exec.Command(os.Args[2], os.Args[3:]...)
          cmd.Stdin = os.Stdin
          cmd.Stderr = os.Stderr
          cmd.Stdout = os.Stdout
          // switch to the container's root filesystem ...
          must(syscall.Chroot("/home/rootfs"))
          must(os.Chdir("/"))
          // ... and mount a /proc that reflects the new PID namespace
          must(syscall.Mount("proc", "proc", "proc", 0, ""))
          must(cmd.Run())
      }

      TODO Need a new root filesystem w/ an empty /proc directory
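The slides above build the runtime one flag at a time. The program below is an added, complete version of that procedure, not the talk's own demo code: it combines the UTS, PID and mount namespaces, the /proc/self/exe re-exec, chroot and the proc mount, and goes slightly beyond the slides by remounting "/" private before mounting anything (so nothing leaks back into the host's mount table), setting a hostname inside the UTS namespace, and unmounting proc on the way out. The root filesystem path /home/rootfs (an extracted base-image tarball with an empty /proc), the hostname "container" and the binary name "box" are assumptions for the example. It must run as root on Linux, and chroot alone is not a hardened boundary (real runtimes use pivot_root and drop capabilities).

```go
package main

import (
	"fmt"
	"os"
	"os/exec"
	"syscall"
)

// rootfs is an assumed location for an extracted root filesystem (for
// example an Alpine or Ubuntu base tarball) that contains an empty /proc.
const rootfs = "/home/rootfs"

// containerHostname is the hostname set inside the new UTS namespace
// (a value chosen for this example).
const containerHostname = "container"

// cloneFlags returns the namespaces the child is created in: its own
// hostname (UTS), its own PID numbering and its own mount table.
func cloneFlags() uintptr {
	return syscall.CLONE_NEWUTS | syscall.CLONE_NEWPID | syscall.CLONE_NEWNS
}

// childArgv builds the argument list used to re-exec this binary as the
// "child" stage: child <cmd> <args...>. The re-exec is what lets the
// namespace setup (hostname, chroot, /proc) run inside the namespaces
// before the user's command is started.
func childArgv(userArgs []string) []string {
	return append([]string{"child"}, userArgs...)
}

func main() {
	if len(os.Args) < 3 {
		fmt.Fprintf(os.Stderr, "usage: %s run <cmd> [args...]\n", os.Args[0])
		os.Exit(2)
	}
	switch os.Args[1] {
	case "run":
		run(os.Args[2:])
	case "child":
		child(os.Args[2:])
	default:
		panic("what?")
	}
}

// run is the parent stage: it clones this binary into new namespaces.
// Creating namespaces needs CAP_SYS_ADMIN, so this is run as root.
func run(args []string) {
	cmd := exec.Command("/proc/self/exe", childArgv(args)...)
	cmd.Stdin, cmd.Stdout, cmd.Stderr = os.Stdin, os.Stdout, os.Stderr
	cmd.SysProcAttr = &syscall.SysProcAttr{Cloneflags: cloneFlags()}
	must(cmd.Run())
}

// child is the stage that already runs inside the namespaces (PID 1 there).
func child(args []string) {
	fmt.Printf("running %v as pid %d\n", args, os.Getpid())

	// A new mount namespace starts as a copy of the parent's mount table,
	// and on systemd hosts "/" is shared-propagation, so mounts made here
	// would otherwise show up on the host. Make the whole tree private first.
	must(syscall.Mount("", "/", "", syscall.MS_REC|syscall.MS_PRIVATE, ""))

	// Hostname changes stay inside the UTS namespace.
	must(syscall.Sethostname([]byte(containerHostname)))

	// Switch to the container root and give it a /proc that reflects the
	// new PID namespace, so ps inside only sees container processes.
	must(syscall.Chroot(rootfs))
	must(os.Chdir("/"))
	must(syscall.Mount("proc", "proc", "proc", 0, ""))

	cmd := exec.Command(args[0], args[1:]...)
	cmd.Stdin, cmd.Stdout, cmd.Stderr = os.Stdin, os.Stdout, os.Stderr
	runErr := cmd.Run()

	// Tear the proc mount down before exiting; the private namespace would
	// drop it anyway, but explicit cleanup keeps any error visible.
	must(syscall.Unmount("proc", 0))
	must(runErr)
}

func must(err error) {
	if err != nil {
		panic(err)
	}
}
```

Build it with `go build -o box .` and start a shell with `sudo ./box run /bin/sh`; inside, `hostname` prints "container", `ps` shows only the shell and ps itself, and the host's hostname and mount table are untouched when the shell exits.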
  17. Source:
      https://docs.docker.com/engine/understanding-docker/
      https://coreos.com/rkt/docs/latest/rkt-vs-other-projects.html#rkt-vs-docker
  18. docker ecosystem
  19. Source: https://github.com/nkhare/container-orchestration/blob/master/kubernetes/README.md
  20. GKE, DigitalOcean k8s
  21. CNCF (Cloud Native Computing Foundation)
  22. Questions?
  23. ● Julien Friedman
      ● My demo code - @si74 on github
      ● An overview of the docker ecosystem
