Containers from Scratch: what are they made from?
GIRI KUNCORO
Giri Kuncoro
Senior System Engineer
@GO-PAY Core Infrastructure
github.com/girikuncoro
Build Your Own Smartphone
http://www.instructables.com/id/Build-Your-Own-Smartphone
Raspberry Pi A+ 256 MB
Adafruit FONA - Mini GSM Breakout
GSM Antenna
Electret Microphone
1200 mAh Lithium Ion Battery
Ingredients
Today
Build a container without a container runtime such as Docker, lxc or rkt
Ingredient #1: Container Image
TL;DR: nothing but tarball
● Application metadata
● Filesystem
Ingredient #1: Container Image
Container filesystem:
looks like an OS; but no kernel, no init system
Ingredient #1: Container Image
Buildroot: http://www.buildroot.org/
Debootstrap: https://wiki.debian.org/Debootstrap
YUM / DNF
Gentoo: https://www.gentoo.org/downloads/
Buildah: https://github.com/projectatomic/buildah
$ mkdir rootfs
$ sudo dnf -y --installroot=$PWD/rootfs --releasever=24 install @development-tools procps-ng python3 which iproute net-tools
$ ls rootfs
Ingredient #2: chroot
Execute a process in our container filesystem
chroot(2): http://man7.org/linux/man-pages/man2/chroot.2.html
$ sudo chroot rootfs /bin/bash
Ingredient #3: namespaces
Limit the “view” of a container:
Process namespace (pid)
Network namespace (net)
Mount namespace (mnt)
https://en.wikipedia.org/wiki/Linux_namespaces
Ingredient #3: namespaces
A chroot for other subsystems:
clone(2): http://man7.org/linux/man-pages/man2/clone.2.html
unshare(2): http://man7.org/linux/man-pages/man2/unshare.2.html
Process trees
Network interfaces
Mount volumes
$ sudo unshare -p -f --mount-proc=$PWD/rootfs/proc chroot rootfs /bin/bash
Ingredient #4: enter namespaces
Namespaces are composable
Example: Kubernetes pod
setns(2): http://man7.org/linux/man-pages/man2/setns.2.html
[Diagram: k8s pod]
# PID=321
# ls /proc/$PID/ns
cgroup ipc mnt net pid user uts
# nsenter --pid=/proc/$PID/ns/pid --mnt=/proc/$PID/ns/mnt chroot $PWD/rootfs /bin/bash
Ingredient #5: volume mounts
Inject files into our chroot
$ docker run -d --name=nginxtest -v nginx-vol:/usr/share/nginx/html nginx:latest
apiVersion: v1
kind: Pod
metadata:
  name: test-pd
spec:
  containers:
  - image: k8s.gcr.io/test-webserver
    name: test-container
    volumeMounts:
    - mountPath: /test-pd
      name: test-volume
  volumes:
  - name: test-volume
    hostPath:
      path: /data
# nsenter --mount=/proc/$PID/ns/mnt mount --bind -o ro $PWD/readonlyfiles $PWD/rootfs/var/readonlyfiles
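The unshare + chroot + --mount-proc step and the read-only bind mount above are the same three syscalls a runtime makes (clone flags, chroot(2), mount(2)). The following is an added example, not code from the slides or from any runtime: a minimal Go program that re-executes itself in new pid/mnt/uts namespaces, optionally bind-mounts a host directory read-only into the rootfs, chroots and mounts a fresh /proc. The names CloneFlags, BindReadOnly and child are assumptions of this example; it assumes Linux, root, and a rootfs built as on the earlier slide.

```go
// Added example: a tiny "runtime" built from clone flags, chroot(2) and mount(2).
package main

import (
	"fmt"
	"os"
	"os/exec"
	"syscall"
)

// namespaceFlags maps the names listed under /proc/$PID/ns to clone(2) flags.
var namespaceFlags = map[string]uintptr{
	"pid":  syscall.CLONE_NEWPID,
	"mnt":  syscall.CLONE_NEWNS,
	"net":  syscall.CLONE_NEWNET,
	"uts":  syscall.CLONE_NEWUTS,
	"ipc":  syscall.CLONE_NEWIPC,
	"user": syscall.CLONE_NEWUSER,
}

// CloneFlags ORs the requested namespaces into one clone(2) flag word and
// rejects unknown names, so a typo cannot silently leave a namespace shared
// with the host.
func CloneFlags(names []string) (uintptr, error) {
	var flags uintptr
	for _, n := range names {
		f, ok := namespaceFlags[n]
		if !ok {
			return 0, fmt.Errorf("unknown namespace %q", n)
		}
		flags |= f
	}
	return flags, nil
}

// BindReadOnly bind-mounts src at dst and then remounts it read-only.
// The read-only flag only takes effect on the remount; this is what
// `mount --bind -o ro` does under the hood.
func BindReadOnly(src, dst string) error {
	if err := os.MkdirAll(dst, 0o755); err != nil {
		return err
	}
	if err := syscall.Mount(src, dst, "", syscall.MS_BIND, ""); err != nil {
		return fmt.Errorf("bind %s: %w", src, err)
	}
	return syscall.Mount("", dst, "", syscall.MS_BIND|syscall.MS_REMOUNT|syscall.MS_RDONLY, "")
}

// child runs inside the new namespaces (the equivalent of unshare's -f fork).
func child(rootfs, roDir string) error {
	// Make every mount private first: on systemd hosts "/" is shared and the
	// mounts below would otherwise propagate back into the host namespace.
	if err := syscall.Mount("", "/", "", syscall.MS_REC|syscall.MS_PRIVATE, ""); err != nil {
		return err
	}
	if roDir != "" {
		if err := BindReadOnly(roDir, rootfs+"/var/readonlyfiles"); err != nil {
			return err
		}
	}
	if err := syscall.Chroot(rootfs); err != nil {
		return err
	}
	if err := os.Chdir("/"); err != nil {
		return err
	}
	// A fresh procfs so ps inside only sees this pid namespace (--mount-proc).
	if err := syscall.Mount("proc", "/proc", "proc", 0, ""); err != nil {
		return err
	}
	return syscall.Exec("/bin/bash", []string{"/bin/bash"}, os.Environ())
}

func main() {
	if len(os.Args) > 1 && os.Args[1] == "child" {
		roDir := ""
		if len(os.Args) > 3 {
			roDir = os.Args[3]
		}
		if err := child(os.Args[2], roDir); err != nil {
			fmt.Fprintln(os.Stderr, "child:", err)
			os.Exit(1)
		}
		return
	}
	if len(os.Args) < 2 {
		fmt.Fprintln(os.Stderr, "usage: sudo ./mini-runtime ROOTFS [READONLY_DIR]")
		os.Exit(2)
	}
	flags, err := CloneFlags([]string{"pid", "mnt", "uts"})
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	// Re-exec ourselves as pid 1 of the new pid namespace.
	cmd := exec.Command("/proc/self/exe", append([]string{"child"}, os.Args[1:]...)...)
	cmd.Stdin, cmd.Stdout, cmd.Stderr = os.Stdin, os.Stdout, os.Stderr
	cmd.SysProcAttr = &syscall.SysProcAttr{Cloneflags: flags}
	if err := cmd.Run(); err != nil {
		fmt.Fprintln(os.Stderr, "run:", err)
		os.Exit(1)
	}
}
```

Run it as `sudo ./mini-runtime $PWD/rootfs $PWD/readonlyfiles`; `ps` inside shows bash as pid 1 and writes under /var/readonlyfiles fail with a read-only error. Note that chroot(2) is what the slides show but real runtimes use pivot_root so the old root is actually detached rather than just hidden.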
Ingredient #6: cgroups
Restrict resources for processes
# ls /sys/fs/cgroup
# mkdir /sys/fs/cgroup/memory/demo
# echo $$ > /sys/fs/cgroup/memory/demo/tasks
# cat /proc/self/cgroup
# CGROUP=/sys/fs/cgroup/memory/demo
# echo "100000000" > $CGROUP/memory.limit_in_bytes
# echo "0" > $CGROUP/memory.swappiness
# python3 hungry.py
Ingredient #7: cgroup namespace
Q: How do you restrict a process from reassigning
cgroup?
A: More namespaces!
# unshare -C
# cat /proc/self/cgroup
# (to remove a cgroup: move its tasks out first, then rmdir)
# echo $$ > /sys/fs/cgroup/memory/tasks
# rmdir /sys/fs/cgroup/memory/demo
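The memory cgroup slides above are a sequence of mkdir and file writes, and the removal slide is the same in reverse. As an added example (not code from the slides), here is that sequence in Go, plus a parser for /proc/self/cgroup so a process can tell which memory cgroup it is in; after `unshare -C` the same file reports "/" for the current cgroup, which is the point of the cgroup namespace. The names CreateMemoryCgroup, MemoryCgroupPath and RemoveMemoryCgroup and the sample /proc/self/cgroup text are this example's own; it assumes a cgroup v1 memory hierarchy at /sys/fs/cgroup/memory and root when run for real.

```go
// Added example: cgroup v1 memory limit as plain directory and file operations.
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strconv"
	"strings"
)

// SampleProcCgroup is constructed sample content of /proc/self/cgroup
// for a process that was moved into the "demo" memory cgroup.
const SampleProcCgroup = "12:memory:/demo\n11:cpu,cpuacct:/\n0::/user.slice\n"

// MemoryCgroupPath returns the memory-controller path from /proc/<pid>/cgroup
// text. Lines are "hierarchy:controllers:path"; controllers may be a
// comma-separated list, and the cgroup v2 line has an empty controller field.
func MemoryCgroupPath(procCgroup string) (string, bool) {
	for _, line := range strings.Split(procCgroup, "\n") {
		parts := strings.SplitN(line, ":", 3)
		if len(parts) != 3 {
			continue
		}
		for _, ctrl := range strings.Split(parts[1], ",") {
			if ctrl == "memory" {
				return parts[2], true
			}
		}
	}
	return "", false
}

// CreateMemoryCgroup mirrors the slide: mkdir, write the byte limit, disable
// swap, then assign the pid last so the process is never in the cgroup
// before its limits are set. base is /sys/fs/cgroup/memory on a real host.
func CreateMemoryCgroup(base, name string, limitBytes int64, pid int) (string, error) {
	dir := filepath.Join(base, name)
	if err := os.MkdirAll(dir, 0o755); err != nil {
		return "", err
	}
	steps := []struct{ file, value string }{
		{"memory.limit_in_bytes", strconv.FormatInt(limitBytes, 10)},
		{"memory.swappiness", "0"},
		{"tasks", strconv.Itoa(pid)},
	}
	for _, s := range steps {
		if err := os.WriteFile(filepath.Join(dir, s.file), []byte(s.value+"\n"), 0o644); err != nil {
			return "", fmt.Errorf("write %s: %w", s.file, err)
		}
	}
	return dir, nil
}

// ReadLimit reads memory.limit_in_bytes back. On real cgroupfs the kernel
// rounds the value to a page multiple, so compare loosely there.
func ReadLimit(dir string) (int64, error) {
	b, err := os.ReadFile(filepath.Join(dir, "memory.limit_in_bytes"))
	if err != nil {
		return 0, err
	}
	return strconv.ParseInt(strings.TrimSpace(string(b)), 10, 64)
}

// RemoveMemoryCgroup is the cleanup slide: move the pid back to the root
// cgroup's tasks file, then remove the directory (rmdir only succeeds once
// no task is left in it).
func RemoveMemoryCgroup(base, name string, pid int) error {
	if err := os.WriteFile(filepath.Join(base, "tasks"), []byte(strconv.Itoa(pid)+"\n"), 0o644); err != nil {
		return err
	}
	return os.RemoveAll(filepath.Join(base, name))
}

func main() {
	// Real use: needs root and a v1 memory hierarchy mounted at base.
	base := "/sys/fs/cgroup/memory"
	dir, err := CreateMemoryCgroup(base, "demo", 100000000, os.Getpid())
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	self, _ := os.ReadFile("/proc/self/cgroup")
	path, _ := MemoryCgroupPath(string(self))
	fmt.Println("memory cgroup:", path, "dir:", dir)
}
```

Because everything is mkdir and file writes, the same functions can be exercised against an ordinary temporary directory, which is how the check below runs them without root.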
Ingredient #8: capabilities
“Docker is about running random code downloaded from Internet and running it as root” - Dan Walsh (Red Hat)
Ingredient #8: capabilities
SELinux, seccomp and AppArmor would also belong here; this talk shows Linux capabilities instead
http://man7.org/linux/man-pages/man7/capabilities.7.html
$ go build -o /tmp/listen listen.go
$ sudo setcap cap_net_bind_service=+ep /tmp/listen
$ getcap /tmp/listen
$ sudo capsh --print
$ sudo capsh --drop=cap_chown --
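What setcap, getcap and capsh --print show is a set of 64-bit masks; the same masks are in the CapEff/CapBnd lines of /proc/<pid>/status. The following added example (not the slides' listen.go and not part of the deck) decodes those masks into the cap_* names, checks for cap_net_bind_service before binding a port below 1024, and shows what a bounding set looks like after `capsh --drop=cap_chown`. ParseCapSet, HasCap, CapNamesOf, ListenPrivileged and the sample status text are this example's own names and constructed data; the capability numbering follows the kernel's capability.h.

```go
// Added example: decode /proc/<pid>/status capability masks and check one bit.
package main

import (
	"bufio"
	"fmt"
	"net"
	"os"
	"strconv"
	"strings"
)

// capNames is indexed by capability number (order from linux/capability.h).
var capNames = []string{
	"cap_chown", "cap_dac_override", "cap_dac_read_search", "cap_fowner",
	"cap_fsetid", "cap_kill", "cap_setgid", "cap_setuid", "cap_setpcap",
	"cap_linux_immutable", "cap_net_bind_service", "cap_net_broadcast",
	"cap_net_admin", "cap_net_raw", "cap_ipc_lock", "cap_ipc_owner",
	"cap_sys_module", "cap_sys_rawio", "cap_sys_chroot", "cap_sys_ptrace",
	"cap_sys_pacct", "cap_sys_admin", "cap_sys_boot", "cap_sys_nice",
	"cap_sys_resource", "cap_sys_time", "cap_sys_tty_config", "cap_mknod",
	"cap_lease", "cap_audit_write", "cap_audit_control", "cap_setfcap",
	"cap_mac_override", "cap_mac_admin", "cap_syslog", "cap_wake_alarm",
	"cap_block_suspend", "cap_audit_read", "cap_perfmon", "cap_bpf",
	"cap_checkpoint_restore",
}

// CapNetBindService is capability number 10.
const CapNetBindService = 10

// SampleStatus is a constructed /proc/self/status excerpt for a binary given
// cap_net_bind_service=+ep and run under capsh --drop=cap_chown.
const SampleStatus = "Name:\tlisten\n" +
	"CapInh:\t0000000000000000\n" +
	"CapPrm:\t0000000000000400\n" +
	"CapEff:\t0000000000000400\n" +
	"CapBnd:\t000001fffffffffe\n"

// ParseCapSet extracts one Cap* line (CapEff, CapBnd, ...) and returns its mask.
func ParseCapSet(status, field string) (uint64, error) {
	sc := bufio.NewScanner(strings.NewReader(status))
	for sc.Scan() {
		line := sc.Text()
		if !strings.HasPrefix(line, field+":") {
			continue
		}
		hexMask := strings.TrimSpace(strings.TrimPrefix(line, field+":"))
		return strconv.ParseUint(hexMask, 16, 64)
	}
	return 0, fmt.Errorf("%s not found in status", field)
}

// HasCap reports whether capability number capNum is set in mask.
func HasCap(mask uint64, capNum uint) bool {
	return mask&(1<<capNum) != 0
}

// CapNamesOf lists the capabilities in a mask, lowest bit first; bits beyond
// the table are reported by number so a newer kernel cannot hide anything.
func CapNamesOf(mask uint64) []string {
	var out []string
	for i := 0; i < 64; i++ {
		if mask&(1<<uint(i)) == 0 {
			continue
		}
		if i < len(capNames) {
			out = append(out, capNames[i])
		} else {
			out = append(out, strconv.Itoa(i))
		}
	}
	return out
}

// ListenPrivileged does what the slides' listen.go demo does (bind a port
// below 1024) but first explains which bit is missing when it will fail.
func ListenPrivileged(port int) (net.Listener, error) {
	if status, err := os.ReadFile("/proc/self/status"); err == nil && port < 1024 {
		if eff, err := ParseCapSet(string(status), "CapEff"); err == nil && !HasCap(eff, CapNetBindService) {
			return nil, fmt.Errorf("effective set %v lacks cap_net_bind_service; grant it with setcap cap_net_bind_service=+ep <binary>",
				CapNamesOf(eff))
		}
	}
	return net.Listen("tcp", fmt.Sprintf(":%d", port))
}

func main() {
	ln, err := ListenPrivileged(80)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Println("listening on", ln.Addr())
	ln.Close()
}
```

Build it as the slide does and compare `./listen` before and after `sudo setcap cap_net_bind_service=+ep ./listen`: the effective set goes from empty to exactly one named bit, which is the least-privilege point of the slide.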
Ingredient #9: network namespace
Huge topic; a simple demo for now
For the impatient, probably the next talk: https://github.com/girikuncoro/netns-demo
$ sudo unshare -n chroot rootfs
# ip addr
# ip link set dev lo up
$ sudo ip link add veth0 type veth peer name veth1
$ sudo ip link set veth1 netns $PID
$ sudo ip address add 10.1.1.2/24 dev veth0
$ sudo ip link set dev veth0 up
# (inside namespace)
# ip address add 10.1.1.3/24 dev veth1
# ip link set dev veth1 up
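The veth commands above only work if both ends get addresses in the same subnet and the peer is moved into the namespace of a process that is still running; when either is wrong, the commands succeed and the two ends simply cannot reach each other. As an added example (not from the slides or the netns-demo repository), here is the same setup as a validated plan in Go: VethPlan, Validate, Commands and Apply are this example's own names; it runs the namespace-side commands through `nsenter -t PID -n` instead of a shell inside the namespace, and needs root only when Apply is called.

```go
// Added example: validate and run the veth pair setup from the slide.
package main

import (
	"fmt"
	"net"
	"os"
	"os/exec"
	"strconv"
	"strings"
)

// VethPlan describes one veth pair: HostEnd stays in the initial namespace,
// PeerEnd is moved into the network namespace of PID.
type VethPlan struct {
	HostEnd, PeerEnd   string
	HostAddr, PeerAddr string // CIDR notation, e.g. 10.1.1.2/24
	PID                int
}

// Validate checks what the slide's commands silently depend on: both
// addresses parse, share one subnet, differ from each other, and PID is set.
func (p VethPlan) Validate() error {
	hIP, hNet, err := net.ParseCIDR(p.HostAddr)
	if err != nil {
		return fmt.Errorf("host addr: %w", err)
	}
	pIP, pNet, err := net.ParseCIDR(p.PeerAddr)
	if err != nil {
		return fmt.Errorf("peer addr: %w", err)
	}
	if hNet.String() != pNet.String() {
		return fmt.Errorf("%s and %s are not in one subnet (%s vs %s)", p.HostAddr, p.PeerAddr, hNet, pNet)
	}
	if hIP.Equal(pIP) {
		return fmt.Errorf("both ends use %s", hIP)
	}
	if p.PID <= 0 {
		return fmt.Errorf("PID must be a running process inside the target namespace")
	}
	return nil
}

// Commands returns the ip(8) invocations in the order they must run.
// Namespace-side commands are wrapped in nsenter so no shell is needed inside.
func (p VethPlan) Commands() [][]string {
	ns := func(args ...string) []string {
		return append([]string{"nsenter", "-t", strconv.Itoa(p.PID), "-n"}, args...)
	}
	return [][]string{
		{"ip", "link", "add", p.HostEnd, "type", "veth", "peer", "name", p.PeerEnd},
		{"ip", "link", "set", p.PeerEnd, "netns", strconv.Itoa(p.PID)},
		{"ip", "address", "add", p.HostAddr, "dev", p.HostEnd},
		{"ip", "link", "set", "dev", p.HostEnd, "up"},
		ns("ip", "link", "set", "dev", "lo", "up"),
		ns("ip", "address", "add", p.PeerAddr, "dev", p.PeerEnd),
		ns("ip", "link", "set", "dev", p.PeerEnd, "up"),
	}
}

// Apply validates first, then runs each command and stops at the first failure
// so a half-built pair is reported rather than silently left behind.
func (p VethPlan) Apply() error {
	if err := p.Validate(); err != nil {
		return err
	}
	for _, c := range p.Commands() {
		out, err := exec.Command(c[0], c[1:]...).CombinedOutput()
		if err != nil {
			return fmt.Errorf("%s: %v: %s", strings.Join(c, " "), err, out)
		}
	}
	return nil
}

func main() {
	if len(os.Args) != 2 {
		fmt.Fprintln(os.Stderr, "usage: sudo ./veth PID   (pid of the shell started with unshare -n)")
		os.Exit(2)
	}
	pid, err := strconv.Atoi(os.Args[1])
	if err != nil {
		fmt.Fprintln(os.Stderr, "bad pid:", err)
		os.Exit(2)
	}
	plan := VethPlan{HostEnd: "veth0", PeerEnd: "veth1", HostAddr: "10.1.1.2/24", PeerAddr: "10.1.1.3/24", PID: pid}
	if err := plan.Apply(); err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Println("veth pair up; try: ping 10.1.1.3 from the host")
}
```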
Conclusion
Containers are a combination of Linux kernel features
Docker, rkt and lxc (container runtimes) are just opinionated wrappers around these
References
Containers from scratch, Eric Chiang
https://ericchiang.github.io/post/containers-from-scratch/
Building minimal containers, Brian Redbeard
https://github.com/brianredbeard/minimal_containers
Namespaces in operation, Michael Kerrisk
https://lwn.net/Articles/531114/
cgroups v1, Paul Menage
https://www.kernel.org/doc/Documentation/cgroup-v1/cgroups.txt
Bocker, Docker implemented in 100 lines of bash
https://github.com/p8952/bocker
Thanks!
giri.kuncoro@go-jek.com
twitter.com/girikuncoro
github.com/girikuncoro
Our team is hiring, come talk to us or open www.go-jek.com/careers