A look at containerization from chroot to today

1. Welcome to CIALUG!

2. Linux Container Showdown
Andrew Denner
Central Iowa Linux Users Group
November Meeting

3. Welcome to
LUG
Meetings are on the third Wednesday
of every month
We have a website!
http://www.cialug.org
List Server
IRC/Slack

4. Linux News Roundup

5. About our presenter
• Some say that he has no face, all we know
is that he is the presenter…

6. About me (in all seriousness)
• I write code, sometimes have
to dabble in devops and by
night I do linuxy things
• These statements are my own,
not those of anyone else
including my employer and the
commissioner of baseball
• Twitter: adenner
• Slides will be posted to
http://denner.co

7. On with the show
The Linux Container showdown

8. Concepts
Virtual machine (VM)
Container

13. Early History

14. chroot
• 1979 chroot on version 7
• “A chroot on Unix operating systems is
an operation that changes the apparent
root directory for the current running
process and its children. A program that
is run in such a modified environment
cannot name files outside the
designated directory tree.” –Wikipedia
• It isn’t perfect

15. Demo
• J=$HOME/jail
• mkdir -p $J
• mkdir -p $J/{bin,lib64,lib}
• mkdir $J/lib/x86_64-linux-gnu/
• cd $J
• cp -v /bin/{bash,ls} $J/bin
• ldd /bin/bash
• list="$(ldd /bin/bash | egrep -o
'/lib.*.[0-9]')"; for i in $list; do
cp -v "$i" "${J}${i}"; done
• list="$(ldd /bin/ls | egrep -o
'/lib.*.[0-9]')"; for i in $list; do
cp -v "$i" "${J}${i}"; done
• chroot $J /bin/bash
• ls /

16. Demo

17. BSD Jails
First in 1999 Free BSD by Poul-
Henning Kamp after use in a small
hosting company
Achieved three
goals:
Virtualization
Security
Ease of Delagation
Each jail is custom rolled/built
Single point of failure

18. Solaris Zones
First relased 2004 in build
51 beta of Solaris 10
Can control what resources
each zone gets and also can
just give a fair share
Still present in Illumonos
(Open Solaris) and Solaris

19. openVZ
• Open Virtuozzo
• Soft memory allocation, can be shared if
not being used
• Old versions used chroot based disk
isolation. Current version lets each
container have it’s own file system
• Requires Custom Kernel providing:
• Virtualization
• Isolation
• Resource Management
• checkpointing

20. LXC
• Uses Linux cgroups and other namespace
isolations
• Much like jails
• Works with the vanilla kernel unlike
openVZ
• Orriginally docker used

21. Modern history

22. Docker
• Opensourced in 2013
• Building on the previous ideas
• Image ecosystem
• More ephemeral and portable across
machines
• Versioning
• Overlayfs
• Downsides: still single point of failure
• Dockerd root—security concerns

27. Docker File

29. Rootless Docker
• Thanks to Akihiro Suda of NTT Corp for all his work
• See
https://www.slideshare.net/AkihiroSuda/dockercon-
2019-hardening-docker-daemon-with-rootless-mode for
deep dive
• Works as sub-user and sub-group ids
• Overlay fs doesn’t work yet
• Can’t use protected ports
• https://www.katacoda.com/courses/docker/rootless

30. CNCF
• In the beginning there was docker…
• Then came others and the CNCF is the vender nuteral home for the
plumbing that runs containers
• It is a part of the linux foundation
• Think of like apache but for containerization
• Home to
• Kubernetes
• Prometheus
• Envoy
• Containerd
• Et. al.

32. Pouch
• https://pouchcontainer.io
• From Alibaba Group
• Never had heard of them before
• Distributes images via Dragonfly p2p
• Rich container mode more hooks and magic available

33. Kata
Containers
• Kata Containers is an open source project
and community working to build a standard
implementation of lightweight Virtual
Machines (VMs) that feel and perform like
containers, but provide the workload
isolation and security advantages of VMs.
• https://katacontainers.io

35. Moby
https://mobyproject.org
An open framework to
assemble specialized container
systems without reinventing
the wheel.
Not for mere mortals

37. Docker
Compose
• Yaml tool for defining and running multiple
docker applications at the same time
• Useful for:
• dev environments
• Automated test environments
• Single host deployments

39. Docker Swarm
Joins a Pool of docker hosts into one
virtual host
YAML based definitions
Networking via an overlay network
Easier to set up than a K8 cluster

40. VHS vs Betamax

41. Kubernetes
• Originally designed by Google engineers –Borg
• Orchestrate containers across multiple hosts.
• Make better use of hardware to maximize
resources needed to run your enterprise apps.
• Control and automate application deployments and
updates.
• Mount and add storage to run stateful apps.
• Scale containerized applications and their
resources on the fly.
• Declaratively manage services, which guarantees
the deployed applications are always running how
you deployed them.
• Health-check and self-heal your apps with
autoplacement, autorestart, autoreplication, and
autoscaling.

43. K3s
• Kubernetes abrieated is K8… 5 less than
that is k3s
• K8 but only the good parts all in less than
40mb
• Still rather experimental
• Got rid of Legacy alpha and non-default
code removed
• Removed most in-tree plugins
• Use sqlite 3 rather than etcd by default
• Simple launcher

44. K3s cont.
• Minimal requirements, leverages
• containerd
• Flannel
• CoreDNS
• CNI
• Host utilities (iptables, socat, etc)
• Install from
https://github.com/rancher/k3s
• Demo:
https://asciinema.org/a/k6lHGEZ65
le2rxm5giAxJOR7C

45. Podman
• New in Centos 8
• See presentation last month
• Biggest thing to note is no need for the
docker damon
• Can handle Rootless same as docker, with
same shortcomings
• https://asciinema.org/a/oDxbleQ4q0ww6
WpS46JUy1dt0

47. Buildah
• Container management and build program
• Can build and use CNF protable images
without a local docker
• Better control of image layers
• Ability to build images via bash
• As well as building dockerfile images
• Demo:
https://asciinema.org/a/peZtZjTkeZHtUm
AN5AdnWPp2i
• https://asciinema.org/a/V4NZWIdV83CcOP
DW4favh4vi3

48. Example script