This document discusses Linux containers and provides an overview of their internals. It notes that containers were not originally based on any standard but that the Open Container Initiative (OCI) later established standards. It describes key components of containers like OCI-compliant images and runtimes, chroot technology, and union mount file systems. It also discusses cgroups and how they were introduced in Linux kernels starting in version 2.6.24 to provide kernel-level resource controls for processes like CPU and disk limits.

1. Hacking Containers
Linux Containers

2. Eng Teong Cheah
Microsoft MVP

3. Linux Containers
An image format compliant with the Open Container Initiative (OCI)
An OCI-compliant runtime
An OCI-compliant distribution
Chroot, which is technology that changes the root directory for a process and its children
Union mount file systems, such as Overlay2, Overlay, and Aufs

4. Container Internals
Not based on any standard when they were first conceived of
In fact, the Open Container Initiative (OCI) was established in 2015 by the Docker
company.
Many frameworks created their own standards for how to interact with the kernel. This
has led to many different types of container runtimes in one form or another over the last
several years.
Regardless of the differences in Linux containers, many of the initial constructs remain the
same.

5. Cgroups
Starting in version 2.6.24 of the Linux Kernel, a functionality know as control groups, or
cgroups for short, was released.
The latest release of cgroups (cgroups v2) was introduced in Kernel 4.5 and brings
security enhancements to the systems.
Controls groups are a series of kernel-level resource controls for processes that can
include the ability to limit a series of kernel-level resource controls for processes that can
include the ability to limit resources, such as CPU, network, and disk, and isolate those
resources from one another.

6. Demo
Setup of our
Environment

7. References
Gray Hat Hacking, Sixth Edition