
Dockersh and a brief intro to the docker internals

Dockersh is a new tool that gives users a login shell into their own per-user Docker container (https://github.com/Yelp/dockersh). This talk is an illustrated tour of what dockersh does and why it might be useful to you. Along the way we dive into the Go programming language and libcontainer (the technologies Docker is built on), as well as the kernel facilities Docker relies on (namespaces, cgroups and capabilities): how they work, and how normal mortals can (ab)use them for fun and profit.



  1. dockersh. Tomas Doran, @bobtfish, 2014-10-14
  2. (image-only slide)
  3. Shared (personal) bounce host
     • Multiple users
     • Persistent ssh sessions
     • 'Playground'
     • Fair split of resources?
     • Isolation? Security?
  4. VMs are expensive
     • 12 tmux sessions vs
     • 12 virtual machines
  5. Containers are cheap
     • Container as lightweight VM
     • One persistent container per user
     • /home/myuser from host
     • /etc/passwd from host
     • Let the user supply own container?
     • sshd per container = 1 port per user
  6. Containers are cheap (slide 5 repeated)
  7. Containers are cheap
     • One persistent container per user
     • Even let the user supply the container
     • sshd per container = 1 port per user
     • Container as lightweight VM?
     • Need to edit ~/.ssh/config
  8. Can we do better?
  9. nsenter
     • Exec a process in an existing namespace
     • Debug running containers as root
  10. nsenter (slide 9 repeated)
  11. dockersh.sh
  12. (image-only slide)
  13. What's a Docker container?
      cat /var/lib/docker/execdriver/native/d910d20082fed3763b377a2d46e30da5def9fdd7863a0642ea154er.json | jq .
  14. (image-only slide)
  15. Capabilities
      • Pluggable in Docker 1.2.0
      • --drop_cap
      • Scary default capabilities: SUID, SGID, MKNOD
  16. cgroups
      • Memory groups
      • CPU groups
      • IO groups
  17. /sys/fs/cgroup
  18. /sys/fs/cgroup
  19. /sys/fs/cgroup
  20. /sys/fs/cgroup
  21. Reuse capabilities
  22. Namespaces
      • Per container separation
      • UTS - hostnames
      • IPC - sysvipc
      • PID - processes
      • NET - network
  23. PID namespaces: from inside
  24. PID namespaces: from outside
  25. NET namespace
      • Per container IP stack
      • Bandwidth limits per container
  26. Reuse namespaces
  27. Todo
      • Ptys
      • scp
      • Better agent forwarding
  28. Thanks!
      • We're hiring! http://www.yelp.co.uk/careers?jvi=ogVTXfwL
      • https://github.com/Yelp/dockersh
      • http://engineeringblog.yelp.com/2014/08/hack209-dockersh.html
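The capabilities slide (15) flags SUID, SGID and MKNOD as scary defaults for a shared bounce host and points at Docker 1.2's drop flag (spelled `--cap-drop` in the docker CLI). The following is an added example, not code from the talk or from dockersh: it decodes the `CapEff` mask that the kernel prints in `/proc/<pid>/status` into capability names and reports which of those three a container process still holds, so an operator can verify that the drop actually took effect. The status text is a constructed sample whose mask is the well-known default Docker capability set.

```python
import re

# Linux capability bit numbers from <linux/capability.h> (list index = bit position).
CAP_NAMES = [
    "chown", "dac_override", "dac_read_search", "fowner", "fsetid", "kill",
    "setgid", "setuid", "setpcap", "linux_immutable", "net_bind_service",
    "net_broadcast", "net_admin", "net_raw", "ipc_lock", "ipc_owner",
    "sys_module", "sys_rawio", "sys_chroot", "sys_ptrace", "sys_pacct",
    "sys_admin", "sys_boot", "sys_nice", "sys_resource", "sys_time",
    "sys_tty_config", "mknod", "lease", "audit_write", "audit_control",
    "setfcap", "mac_override", "mac_admin", "syslog", "wake_alarm",
    "block_suspend", "audit_read",
]

# The three capabilities the slides single out as scary on a shared host.
SCARY = {"setuid", "setgid", "mknod"}

def decode_caps(mask_hex):
    """Turn a Cap* hex mask (as printed in /proc/<pid>/status) into sorted capability names."""
    mask = int(mask_hex, 16)
    return sorted(name for bit, name in enumerate(CAP_NAMES) if mask >> bit & 1)

def caps_from_status(status_text, field="CapEff"):
    """Pull one Cap* field out of the text of /proc/<pid>/status and decode it."""
    m = re.search(r"^%s:\s*([0-9a-fA-F]+)\s*$" % re.escape(field), status_text, re.M)
    if m is None:
        raise ValueError("no %s line in status text" % field)
    return decode_caps(m.group(1))

def scary_caps(status_text):
    """Return the effective capabilities that the slides flag as dangerous."""
    return sorted(SCARY & set(caps_from_status(status_text)))

# Constructed sample: /proc/1/status excerpt for a hypothetical container whose
# process was started with Docker's default capability set (nothing dropped).
SAMPLE_STATUS = """Name:\tbash
Pid:\t1
CapInh:\t00000000a80425fb
CapPrm:\t00000000a80425fb
CapEff:\t00000000a80425fb
CapBnd:\t00000000a80425fb
"""

if __name__ == "__main__":
    print("effective:", caps_from_status(SAMPLE_STATUS))
    print("scary:", scary_caps(SAMPLE_STATUS))
```

Point it at a real process by passing `open("/proc/<pid>/status").read()`; an empty result from `scary_caps` means the three capabilities were dropped for that process.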
