Lets isolate a process with no container like docker

1. Let’s isolate a process with no container.

2. Let’s isolate a process with no container. Readable example with code and explanation: welcometothebundle.com/isolate-a-process-with-no-container-like-docker

3. @liuggiowelcometothebundle.com

4. @liuggio Giulio De Donato

5. What is a Container? @liuggio Giulio De Donato

6. “I once heard that hypervisors are the living proof of operating system's incompetence” -- Glauber Costa's - LinuxCon Europe 2012 @liuggio Giulio De Donato

7. ... containers ... “I would love to say months, but let's get realistic” -- Glauber Costa's - LinuxCon Europe 2012 @liuggio Giulio De Donato

8. Is all about ISOLATION @liuggio Giulio De Donato

9. chroot ? @liuggio Giulio De Donato

10. while true; do mkdir x; cd x; done bomb() { bomb | bomb & }; bomb Attacks @liuggio Giulio De Donato

11. GOAL OF TODAY: http://9gag.com/gag/aGxbmGz namespace cgroups ufs @liuggio Giulio De Donato

12. LXC vs DOCKER @liuggio Giulio De Donato

13. Let’s start with the first set of slides Once upon a time ... @liuggio Giulio De Donato

14. NAMESPACE Linux 2.6.23 (released in late 2007) 6 namespaces - mnt (mount points, filesystems) - pid (processes) - net (network stack) - ipc (System V IPC) - uts (hostname) - user (UIDs) Namespaces started in about 2002. @liuggio Giulio De Donato

15. Namespaces processes API consists of these 3 system calls: ● clone() - creates a new process and a new namespace; the newly created process is attached to the new namespace ● unshare()–gets only a single parameter, flags. Does not create a new process; creates a new namespace and attaches the calling processto it. ● setns()- a new system call, for attaching the calling process to an existing namespace; @liuggio Giulio De Donato

16. DEMO Namespace https://gist.github.com/liuggio/ 114f506fbe040ac93687dc797b923cbf 1 @liuggio Giulio De Donato

18. CGroups! The cgroup (control groups) subsystem is a Resource Management and Resource Accounting/Tracking solution, providing a generic process - grouping framework It handles resources such as memory, cpu, network, and more; mostly needed in both ends of the spectrum (servers and embedded). ∎ Development was started by engineers at Google in 2006 under the name "process containers” ∎ Merged into kernel 2.6.24 (2008). ∎ cgroup core has 3 maintainers, and each cgroup controller has its own maintainer (cpu memory io) @liuggio Giulio De Donato

19. DEMO CGROUPS https://asciinema.org/a/7w13btk2uethz2e57lgpfz5ym or https://goo.gl/NyPMFJ 3 @liuggio Giulio De Donato

20. THIS IS A TREE @liuggio Giulio De Donato

21. THIS IS A TREE @liuggio Giulio De Donato

22. WHAT IS IT? @liuggio Giulio De Donato

23. DEMO UFSapt-get install aufs-tools https://asciinema.org/~liuggio https://asciinema.org/a/41778 2 @liuggio Giulio De Donato

25. Union File System PRO - File level - No caches CONS - Bad performance for big files - Not in kernel - Too much layers costs ● merge into a single directory 2 devices ● Combining a large, read-only file system with small write area (like livecd) @liuggio Giulio De Donato

26. ZFS is a combination of a volume manager (like LVM) and a filesystem (like ext4, xfs, or btrfs). ZFS one of the most beloved features of Solaris, universally coveted by every Linux sysadmin with a Solaris background. ● snapshots ● copy-on-write cloning ● continuous integrity checking against data corruption ● automatic repair ● efficient data compression 2016 @liuggio Giulio De Donato

27. UFS CGROUPS namespace @liuggio Giulio De Donato

28. THANKS! @liuggio Giulio De Donato

29. ∎ www.welcometothebundle.com/isolate-a-process-with-no-container-like-docker ∎ https://github.com/opencontainers/runtime-spec/blob/master/config-linux.md#namespaces ∎ https://www.opencontainers.org/news/faqs/who-will-be-initial-technical-leadership ∎ http://www.cyberciti.biz/faq/unix-linux-chroot-command-examples-usage-syntax/ ∎ http://s0.cyberciti.org/uploads/faq/2013/01/bash-chroot-ls-demo.gif ∎ https://www.flockport.com/lxc-vs-docker/ ∎ http://ramirose.wix.com/ramirosen ∎ https://lwn.net/Articles/532593/ ∎ https://lwn.net/Articles/531114/ ∎ https://lwn.net/Articles/531381/ ∎ https://lwn.net/Articles/528078/ ∎ https://docs.docker.com/engine/reference/run/ ∎ http://www.netdevconf.org/1.1/proceedings/slides/rosen-namespaces-cgroups-lxc.pdf ∎ https://www.stgraber.org/2013/12/20/lxc-1-0-blog-post-series/ ∎ https://skillsmatter.com/skillscasts/7101-building-containers-from-scratch-for-fun-and-profit ∎ https://docs.oracle.com/cd/E18752_01/html/817-5093/bkupsnapshot-9.html ∎ https://www.flickr.com/photos/15514374@N05/10164384915/in/photolist-guc8vM-eUsLmk-bUx1od-snDG6D-4EdN6w-dRNW5S-92a5Rc-bqLMQX-9W8h5y-b4nUUZ-qBTHgX-qP1gRX- bjCEPC-9tmmnk-eiz69R-dUwHXM-ff6xuP-J1cvu-7FC9CK-5QNat5-sniS97-dmWZqi-9FJL3F-e5QKNc-oaepa3-dHcamQ-4EJPTP-eB42Pm-aywhxM-eSZ6Gv-jhYq8x-cXnWtd-6HXxUg-8ZKp87- 5BL32d-7g3EHP-4gc756-cBECqo-oBFK5Y-9fUMLY-e7z58s-oViSZU-pKrEsE-6J2D5b-6HXwrz-6HXxt8-9k3DeV-9k6CLy-qFGW5B-hrxHnf ∎ https://docs.docker.com/engine/userguide/storagedriver/device-mapper-driver/ ∎ https://docs.docker.com/engine/userguide/storagedriver/zfs-driver/ ∎ Presentation template by SlidesCarnival CREDITS

30. FATTI UN CONTAINER TUTTO TUO!! @liuggio Giulio De Donato

31. @liuggio Giulio De Donato Have you ever heard about this? - What is - Who - Why