The latest releases of today’s popular Linux distributions include all the tools needed to do interesting things with Linux containers.
For the Makefile MicroVPS project, I set out to build a minimal virtual private server-like environment in a Linux container from scratch.
These are my requirements for the MicroVPS:
Minimal init sequence
Most of what happens in an rc.sysinit file is not needed (or wanted) in a container. However, to work like a virtual private server, the MicroVPS will need some kind of init system. The absolute minimum would be enough to start the network and at least one service.
Native network namespace
The MicroVPS will have a dedicated network namespace. It should be easy to configure.
Native package management
The package set installed in the container image will be managed using native tools like deb or rpm.
Automated build
An automated repeatable build process is a must.
Fast iteration cycle
The building and testing cycle must be fast enough not to drive me insane.
Easy management
It should be easy to distribute, monitor, and run a MicroVPS container.
In this tutorial, I will show how to use the tools included with Linux to build a virtual private server in a Linux container from scratch, using GNU Make to automate the build process.
18. LINUX CONTAINERS FROM SCRATCH
PHILOSOPHY OF RELIABLE SYSTEMS
▸ standard > disruptive
▸ battle tested > new
▸ simple > complex
▸ modular > monolithic
▸ built-in > add-on
19. CONTAINER BUILDING TOOLS
▸ make
▸ yum
▸ systemd
▸ iproute2
▸ rsync
▸ bridge-utils
22. SETUP DEVELOPMENT SYSTEM
▸ Install packages
yum -y install bridge-utils rsync iptables-services
▸ Mount the CentOS 7 iso
mkdir /mnt/cdrom
mount -oloop,ro CentOS-7-x86_64-DVD-1503-01.iso /mnt/cdrom
23. SETUP DEVELOPMENT SYSTEM
▸ Disable firewalld
systemctl stop firewalld
systemctl disable firewalld
▸ Disable selinux
setenforce 0
sed -i -e 's/=enforcing/=permissive/' /etc/sysconfig/selinux
(written as -ie, GNU sed reads the e as a backup suffix and leaves a stray /etc/sysconfig/selinuxe behind; -i -e is the intended form)
24. SETUP CONTAINER NETWORKING
▸ Create the file /etc/sysconfig/network-scripts/ifcfg-mvpsbr0
NAME=mvpsbr0
IPADDR=10.100.10.1
NETMASK=255.255.255.0
TYPE=Bridge
BOOTPROTO=none
DEVICE=mvpsbr0
NM_MANAGED=no
ONBOOT=yes
25. SETUP CONTAINER NETWORKING
▸ Activate the new ethernet bridge
ifup mvpsbr0
▸ Verify the configuration
ip addr show mvpsbr0
26. SETUP CONTAINER NETWORKING
▸ Enable IP routing
echo "net.ipv4.ip_forward = 1" > /etc/sysctl.d/lcfs.conf
sysctl -p /etc/sysctl.d/lcfs.conf
▸ Setup IP masquerading for container network
iptables -t nat -A POSTROUTING -s 10.100.10.0/24 -j MASQUERADE
iptables-save > /etc/sysconfig/iptables
systemctl enable iptables
27. SETUP DEVELOPMENT SYSTEM
▸ Edit /etc/sysconfig/grub
GRUB_CMDLINE_LINUX="(…truncated…) crashkernel=auto rhgb quiet audit=0"
▸ Rebuild grub configuration
grub2-mkconfig -o /boot/grub2/grub.cfg
▸ Reboot
28. SETUP YUM FOR CONTAINER BUILDING
▸ Create a yum.conf
[main]
assumeyes=1
keepcache=0
tsflags=nodocs
gpgcheck=1
plugins=0
distroverpkg=centos-release
reposdir=/dev/null
[cdrom]
name=CentOS-7 - Base
baseurl=file:///mnt/cdrom
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
29. CREATE AN EMPTY CONTAINER PROJECT
▸ Make a directory
mkdir container1
▸ Make an “fstree” sub-directory
mkdir container1/fstree
▸ Add a makefile
touch container1/Makefile
30. PROJECT LAYOUT
▸ project layout
microvps/
    container1/
        fstree/
        Makefile
    container2/
        fstree/
        Makefile
    yum.conf
33. CREATE A CONTAINER MAKEFILE
NAME := web1
PACKAGES := '@^Minimal Install' httpd
IP_ADDR := 10.100.10.21/24
GATEWAY := 10.100.10.1
# bridge used by the test target; the value is the mvpsbr0 bridge configured on the host
BRIDGE := mvpsbr0
ROOTFS := rootfs
YUM_CONF := ../yum.conf
CENTOS_VER := 7
FSTREE := fstree
34. CREATE A CONTAINER MAKEFILE
container:
	mkdir -vp $(ROOTFS)
	# install packages (recipe lines are tab-indented; the trailing backslashes join each yum invocation into one command)
	yum --config=$(YUM_CONF) \
	    --installroot=$(abspath $(ROOTFS)) \
	    --releasever=$(CENTOS_VER) \
	    install $(PACKAGES)
	# clean up metadata
	yum --config=$(YUM_CONF) \
	    --installroot=$(abspath $(ROOTFS)) \
	    --releasever=$(CENTOS_VER) \
	    clean all
	# install custom files
	rsync -av $(FSTREE)/ $(ROOTFS)
35. CREATE A CONTAINER MAKEFILE
test:
	# add a network namespace
	ip netns add $(NAME)
	# add a linked virtual network device pair
	ip link add mvps-$(NAME) type veth peer name xmvps-$(NAME)
	# move one into the namespace
	ip link set xmvps-$(NAME) netns $(NAME)
	# add the other to the bridge
	brctl addif $(BRIDGE) mvps-$(NAME)
	ip link set mvps-$(NAME) up
	# rename it
	ip netns exec $(NAME) ip link set xmvps-$(NAME) name eth0
	# configure it
	ip netns exec $(NAME) ip link set eth0 up
	ip netns exec $(NAME) ip addr add $(IP_ADDR) dev eth0
	ip netns exec $(NAME) ip route add default via $(GATEWAY)
	# launch it (|| true keeps make going so the namespace is removed even if the container exits non-zero)
	ip netns exec $(NAME) systemd-nspawn -M $(NAME) -D $(ROOTFS) -b || true
	# remove network namespace
	ip netns del $(NAME)
37. POPULATE THE FSTREE
fstree/etc/passwd
fstree/etc/shadow
fstree/etc/group
fstree/etc/systemd/system/multi-user.target.wants/httpd.service
fstree/var/www/html/index.html
41. POPULATE THE FSTREE
fstree/etc/passwd
fstree/etc/shadow
fstree/etc/group
fstree/etc/systemd/system/multi-user.target.wants/httpd.service
fstree/var/www/html/index.html
fstree/etc/systemd/system/default.target
fstree/etc/systemd/system/httpd.service
fstree/etc/systemd/system/multi-user.target.wants/sshd.service
fstree/lib/systemd/system/sysinit.target.wants/systemd-tmpfiles-setup.service
fstree/lib/systemd/system/sysinit.target.wants/systemd-update-utmp.service
42. UPDATE THE HTTPD SERVICE FILE
[Unit]
Description=The Apache HTTP Server
After=network.target remote-fs.target nss-lookup.target
Wants=systemd-tmpfiles-setup.service
(…truncated…)
48. CREATE A CONTAINER MAKEFILE
# INSTALL_PATH is not defined on the slides shown here; it is the directory the container projects are installed under
$(NAME).service: systemd.service.in
	sed -e 's;EnvironmentFile=;EnvironmentFile=$(INSTALL_PATH)/$(NAME)/$(NAME).conf;' \
	    < systemd.service.in \
	    > $(NAME).service
49. CONFIGURE ENVIRONMENT FOR SYSTEMD UNIT
▸ MicroVPS config file
NAME=web3
ROOTFS=/home/microvps/web3/rootfs
BRIDGE=mvpsbr0
IP_ADDR=10.100.10.23/24
GATEWAY=10.100.10.1
50. SYSTEMD UNIT FILE
[Unit]
Description=MicroVPS Container Server
After=network.target
[Service]
EnvironmentFile=
ExecStartPre=/usr/sbin/ip netns add ${NAME}
ExecStartPre=/usr/sbin/ip link add mvps-${NAME} type veth peer name xmvps-${NAME}
ExecStartPre=/usr/sbin/ip link set xmvps-${NAME} netns ${NAME}
ExecStartPre=/usr/sbin/brctl addif ${BRIDGE} mvps-${NAME}
ExecStartPre=/usr/sbin/ip link set mvps-${NAME} up
ExecStartPre=/usr/sbin/ip netns exec ${NAME} /usr/sbin/ip link set xmvps-${NAME} name eth0
ExecStartPre=/usr/sbin/ip netns exec ${NAME} /usr/sbin/ip link set eth0 up
ExecStartPre=/usr/sbin/ip netns exec ${NAME} /usr/sbin/ip addr add ${IP_ADDR} dev eth0
ExecStartPre=/usr/sbin/ip netns exec ${NAME} /usr/sbin/ip route add default via ${GATEWAY}
ExecStart=/usr/sbin/ip netns exec ${NAME} /usr/bin/systemd-nspawn -M ${NAME} -D ${ROOTFS} -b
ExecStopPost=/usr/sbin/ip netns del ${NAME}
KillMode=process
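A config check for the slide 49 file together with the EnvironmentFile= rendering that the slide 48 sed rule performs, as an added Python example that is not part of the slides. It assumes the bridge subnet 10.100.10.1/24 from ifcfg-mvpsbr0 and an INSTALL_PATH of /home/microvps, which the slides never state and which is inferred here from the ROOTFS value.

```python
"""Validate a MicroVPS config file and render its systemd unit from the template.

Added example, not part of the slides. It reproduces the Makefile's sed step
(filling in the empty EnvironmentFile= line) and adds the checks a practitioner
wants before systemd hands the values to `ip link add` and `systemd-nspawn -D`:
  * mvps-<NAME> and xmvps-<NAME> must fit the kernel's IFNAMSIZ limit of 15
    visible characters, so NAME is at most 9 characters of safe link-name text;
  * IP_ADDR needs a prefix length and must lie in the mvpsbr0 subnet;
  * GATEWAY must be in that subnet (the slides use the bridge address);
  * ROOTFS must be absolute, since systemd-nspawn gets it verbatim.
Assumed: bridge 10.100.10.1/24 (ifcfg-mvpsbr0), INSTALL_PATH=/home/microvps.
"""
import ipaddress
import re

BRIDGE = ipaddress.ip_interface("10.100.10.1/24")  # from ifcfg-mvpsbr0
IFNAMSIZ = 16                                      # Linux limit, incl. NUL
MAX_NAME = IFNAMSIZ - 1 - len("xmvps-")            # longest derived link name
NAME_RE = re.compile(r"^[A-Za-z0-9_-]+$")
REQUIRED = ("NAME", "ROOTFS", "BRIDGE", "IP_ADDR", "GATEWAY")

# Constructed copy of the slide 49 config file
SAMPLE_CONF = """\
NAME=web3
ROOTFS=/home/microvps/web3/rootfs
BRIDGE=mvpsbr0
IP_ADDR=10.100.10.23/24
GATEWAY=10.100.10.1
"""

# Shortened copy of the slide 50 unit; only the EnvironmentFile= line matters here
UNIT_TEMPLATE = """\
[Unit]
Description=MicroVPS Container Server
[Service]
EnvironmentFile=
ExecStart=/usr/sbin/ip netns exec ${NAME} /usr/bin/systemd-nspawn -M ${NAME} -D ${ROOTFS} -b
ExecStopPost=/usr/sbin/ip netns del ${NAME}
"""


def parse_config(text):
    """Parse KEY=VALUE lines (a simplified EnvironmentFile= reader)."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, val = line.partition("=")
        cfg[key.strip()] = val.strip().strip('"')
    return cfg


def validate_config(cfg):
    """Return a list of problems; an empty list means the config is usable."""
    problems = [f"{k} missing" for k in REQUIRED if not cfg.get(k)]
    if problems:
        return problems
    name = cfg["NAME"]
    if len(name) > MAX_NAME:
        problems.append(f"NAME {name!r} too long: xmvps-{name} exceeds {IFNAMSIZ - 1} chars")
    if not NAME_RE.match(name):
        problems.append(f"NAME {name!r} has characters unsafe in a link name")
    if not cfg["ROOTFS"].startswith("/"):
        problems.append("ROOTFS must be an absolute path")
    if "/" not in cfg["IP_ADDR"]:
        problems.append("IP_ADDR needs a prefix length, e.g. 10.100.10.23/24")
    else:
        try:
            addr = ipaddress.ip_interface(cfg["IP_ADDR"])
            if addr.network != BRIDGE.network:
                problems.append(f"IP_ADDR {addr} is not in bridge subnet {BRIDGE.network}")
            elif addr.ip == BRIDGE.ip:
                problems.append("IP_ADDR collides with the bridge address")
        except ValueError as exc:
            problems.append(f"IP_ADDR invalid: {exc}")
    try:
        gw = ipaddress.ip_address(cfg["GATEWAY"])
        if gw not in BRIDGE.network:
            problems.append(f"GATEWAY {gw} is not in bridge subnet {BRIDGE.network}")
    except ValueError as exc:
        problems.append(f"GATEWAY invalid: {exc}")
    return problems


def render_unit(template, install_path, name):
    """Fill in EnvironmentFile= exactly as the Makefile's sed expression does."""
    env_file = f"{install_path}/{name}/{name}.conf"
    return "\n".join(
        line.replace("EnvironmentFile=", f"EnvironmentFile={env_file}", 1)
        for line in template.splitlines()
    ) + "\n"


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONF)
    problems = validate_config(cfg)
    if problems:
        raise SystemExit("\n".join(problems))
    print(render_unit(UNIT_TEMPLATE, "/home/microvps", cfg["NAME"]), end="")
```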
55. SYSTEMD UNIT FILE
(MemoryLimit= is the cgroup v1 setting understood by the systemd shipped with CentOS 7; on systemd versions running the unified cgroup v2 hierarchy the equivalent directive is MemoryMax=)
[Unit]
Description=MicroVPS Container Server
After=network.target
[Service]
MemoryAccounting=yes
MemoryLimit=64M
(…truncated…)