Uploaded byjoshuasoundcloud
PDF, PPTX5,216 views

Linux Containers From Scratch

The document outlines a comprehensive guide for setting up and utilizing Linux containers, detailing the necessary packages and configuration steps for systemd, namespaces, and cgroups. It includes various demo examples for creating minimal containers, building container images, and configuring networks and services within containers. Additionally, it covers managing CPU access, creating layered container images with aufs, and installing a complete operating system using Yum.

Embed presentation

Download as PDF, PPTX
Linux Containers From Scratch Joshua Hoffman Velocity Europe 2014
Recommended mirror: http://ftp.es.debian.org SETUP INSTALL PACKAGES Install packages: ● vim ● screen ● lftp ● busybox-static ● systemd ● yum ● qemu-utils ● aufs-tools ● pbzip2 ● htop
1. Edit /etc/default/grub change the line: GRUB_CMDLINE_LINUX="" to: GRUB_CMDLINE_LINUX="init=/bin/systemd" 2. Run the grub updater: update-grub2 3. Reboot SETUP CONFIGURE SYSTEMD
THE CLOUD LINUX CONTAINERS
THE CLOUD LINUX CONTAINERS FREE LUNCH
DO NOT EXIST
IDEAS NOT THINGS
PORTABILITY
ISOLATION
VIRTUAL MACHINE ENVIRONMENT
A logically isolated virtual environment. A Linux Container
FUNDAMENTALLY DIFFERENT THAN VIRTUAL MACHINES
TRANSPARENT
Running in a Virtual Machine as viewed from the host os # ps x PID TTY STAT TIME COMMAND 689 ? R 1:06 qemu-kvm
Running in a Linux Container as viewed from the host os # ps x PID TTY STAT TIME COMMAND 5347 ? R 2:22 unicorn_rails master -D -c kiffen.rb
NAMESPACES
NAMESPACES: NETWORK
NETWORK NAMESPACE as viewed from iproute2 $ ip a 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master br0 state UP qlen 1000 link/ether 00:01:2e:3b:be:14 brd ff:ff:ff:ff:ff:ff inet 10.21.0.22/24 brd 10.21.0.255 scope global br0 inet6 fe80::201:2eff:fe3b:be14/64 scope link valid_lft forever preferred_lft forever
NAMESPACES: MOUNT
MOUNT NAMESPACE as viewed from ls $ ls / bin etc lib media proc sbin sys var boot home lib64 mnt root selinux tmp dev lost+found opt run srv usr
NAMESPACES: PID
PID NAMESPACE as viewed from ps # ps x PID TTY STAT TIME COMMAND 5347 ? R 2:22 unicorn_rails master -D -c kiffen.rb
CGROUPS
CGROUPS as viewed from ls # ls -F /sys/fs/cgroup/ blkio/ cpu@ cpuacct@ cpu,cpuacct/ cpuset/ devices/ freezer/ net_cls/ perf_event/ systemd/ # ls -F /sys/fs/cgroup/cpuset cpuset.mem_exclusive cgroup.procs cpuset.memory_migrate cpuset.mems cpuset.cpu_exclusive tasks cpuset.cpus (...output truncated…)
DEMO: exploring containers with busybox
Minimal Busybox Container # mkdir -p {minimal,minimal/usr}/{bin,sbin,etc} # for x in $(busybox --list-full); do > ln -s /bin/sh minimal/$x; done # cp -f /bin/busybox minimal/bin/sh # touch minimal/etc/os-release
Running The Container Private mount namespace: # chroot minimal /bin/sh Private mount and pid namespace # systemd-nspawn -Dminimal /bin/sh Private mount, pid, and network namespace # systemd-nspawn --private-network -Dminimal /bin/sh
DEMO: building a container image with cpio
Build A Container Image With cpio # find minimal -print | cpio -o | > pbzip2 -c > minimal.cpio.bz2 # ls -lh minimal.cpio.bz2 -rw-r--r-- 1 root root 852K Nov 18 12:48 minimal.cpio.bz2
DEMO: limiting cpu access with cgroups
Limiting CPU Access With cgroups # dd if=/dev/urandom of=datafile bs=1M count=100 # time pbzip2 -k -9 datafile # mkdir /sys/fs/cgroup/cpuset/my_cpuset # echo 0 > /sys/fs/cgroup/cpuset/my_cpuset/cpuset.cpus # echo 0 > /sys/fs/cgroup/cpuset/my_cpuset/cpuset.mems # echo $$ > /sys/fs/cgroup/cpuset/my_cpuset/tasks # time pbzip2 -k -9 datafile
DEMO: connect a container to the network
Connect The Network With iproute2 # ip netns add minimal # ip link add eth1 type veth peer name veth1 # ip link set eth1 netns minimal # ip a add 10.0.0.1/24 dev veth1 # ip l set veth1 up # ip netns exec minimal chroot minimal /bin/sh (in the container) # ip a add 10.0.0.2/24 dev eth1 # ip l set eth1 up
DEMO: installing a service stack with yum
SETUP CONFIGURE YUM Create a file called yum.conf with the following contents: [main] cachedir=/var/cache/yum keepcache=1 debuglevel=2 logfile=/var/log/yum.log exactarch=1 obsoletes=1 [base] name=CentOS-7 - Base #mirrorlist=http://mirrorlist.centos.org/?release=7&arch=x86_64&repo=os baseurl=http://192.168.56.1/centos/ gpgcheck=0 enabled=1
Install A Service Stack With yum # mkdir -p /lcfs/ftp_stack # yum -c yum.conf --installroot=/lcfs/ftp_stack > install vsftpd # ip netns exec minimal chroot /lcfs/ftp_stack /bin/bash (in the container) # /sbin/vsftpd
DEMO: splitting a container image into layers with aufs
Container Layers With aufs # mkdir -p /lcfs/base_stack # yum -c yum.conf > --installroot=/lcfs/base_stack install basesystem # cp yum.conf /lcfs/base_stack/etc/ # rm /lcfs/base_stack/etc/yum.repos.d/*repo # mkdir /lcfs/{app_stack,tmp_stack} # mount -t aufs -obr=/lcfs/app_stack:/lcfs/base_stack none > /lcfs/tmp_stack # yum --installroot=/lcfs/tmp_stack install vsftpd
DEMO: install a full os with yum
Install A Full OS With yum # mkdir -p /lcfs/centos-rootfs # yum -c yum.conf --installroot=/lcfs/centos-rootfs > groupinstall core # chroot /lcfs/centos-rootfs # passwd (set a new password) # vi /etc/pam.d/session (comment these out lines) session required pam_selinux.so close session required pam_loginuid.so session required pam_selinux.so open
Run A Full OS Container # systemd-nspawn --private-network -D/lcfs/centos-rootfs
Linux Containers From Scratch

More Related Content

PDF
Linux Containers From Scratch: Makfile MicroVPS
byjoshuasoundcloud
 
PDF
Linux cgroups and namespaces
byLocaweb
 
PDF
Containers and Namespaces in the Linux Kernel
byOpenVZ
 
PDF
Namespaces and cgroups - the basis of Linux containers
byKernel TLV
 
PDF
Virtualization which isn't: LXC (Linux Containers)
byDobrica Pavlinušić
 
PDF
Containers with systemd-nspawn
byGábor Nyers
 
PPTX
Containers are the future of the Cloud
byPavel Odintsov
 
PPTX
First steps on CentOs7
byMarc Cortinas Val
 
Linux Containers From Scratch: Makfile MicroVPS
byjoshuasoundcloud
 
Linux cgroups and namespaces
byLocaweb
 
Containers and Namespaces in the Linux Kernel
byOpenVZ
 
Namespaces and cgroups - the basis of Linux containers
byKernel TLV
 
Virtualization which isn't: LXC (Linux Containers)
byDobrica Pavlinušić
 
Containers with systemd-nspawn
byGábor Nyers
 
Containers are the future of the Cloud
byPavel Odintsov
 
First steps on CentOs7
byMarc Cortinas Val
 

What's hot

PDF
Advanced Namespaces and cgroups
byKernel TLV
 
PDF
Linux containers-namespaces(Dec 2014)
byRalf Dannert
 
PPTX
Linux container, namespaces & CGroup.
byNeeraj Shrimali
 
PPTX
Linux containers – next gen virtualization for cloud (atl summit) ar4 3 - copy
byBoden Russell
 
PDF
Anatomy of a Container: Namespaces, cgroups & Some Filesystem Magic - LinuxCon
byJérôme Petazzoni
 
PDF
Docker storage drivers by Jérôme Petazzoni
byDocker, Inc.
 
PDF
Lxc- Introduction
byLuís Eduardo
 
PDF
Lxc- Linux Containers
bysamof76
 
PPTX
Introduction to linux containers
byGoogle
 
PDF
Linuxcon Barcelon 2012: LXC Best Practices
bychristophm
 
PPTX
Linux Kernel Init Process
byKernel TLV
 
PDF
Namespaces in Linux
byLubomir Rintel
 
PPTX
Union FileSystem - A Building Blocks Of a Container
byKnoldus Inc.
 
PDF
Let's Containerize New York with Docker!
byJérôme Petazzoni
 
PDF
Inside Docker for Fedora20/RHEL7
byEtsuji Nakai
 
PPTX
Realizing Linux Containers (LXC)
byBoden Russell
 
PPTX
Linux Container Brief for IEEE WG P2302
byBoden Russell
 
PDF
Cgroup resource mgmt_v1
bysprdd
 
PDF
Effective service and resource management with systemd
byDavid Timothy Strauss
 
PPTX
Lxc – next gen virtualization for cloud intro (cloudexpo)
byBoden Russell
 
Advanced Namespaces and cgroups
byKernel TLV
 
Linux containers-namespaces(Dec 2014)
byRalf Dannert
 
Linux container, namespaces & CGroup.
byNeeraj Shrimali
 
Linux containers – next gen virtualization for cloud (atl summit) ar4 3 - copy
byBoden Russell
 
Anatomy of a Container: Namespaces, cgroups & Some Filesystem Magic - LinuxCon
byJérôme Petazzoni
 
Docker storage drivers by Jérôme Petazzoni
byDocker, Inc.
 
Lxc- Introduction
byLuís Eduardo
 
Lxc- Linux Containers
bysamof76
 
Introduction to linux containers
byGoogle
 
Linuxcon Barcelon 2012: LXC Best Practices
bychristophm
 
Linux Kernel Init Process
byKernel TLV
 
Namespaces in Linux
byLubomir Rintel
 
Union FileSystem - A Building Blocks Of a Container
byKnoldus Inc.
 
Let's Containerize New York with Docker!
byJérôme Petazzoni
 
Inside Docker for Fedora20/RHEL7
byEtsuji Nakai
 
Realizing Linux Containers (LXC)
byBoden Russell
 
Linux Container Brief for IEEE WG P2302
byBoden Russell
 
Cgroup resource mgmt_v1
bysprdd
 
Effective service and resource management with systemd
byDavid Timothy Strauss
 
Lxc – next gen virtualization for cloud intro (cloudexpo)
byBoden Russell
 

Viewers also liked

PDF
Cgroups, namespaces, and beyond: what are containers made from? (DockerCon Eu...
byJérôme Petazzoni
 
PDF
Docker by Example - Basics
byGanesh Samarthyam
 
PDF
Evoluation of Linux Container Virtualization
byImesh Gunaratne
 
PDF
LXC, Docker, security: is it safe to run applications in Linux Containers?
byJérôme Petazzoni
 
PPTX
Docker 101 - Nov 2016
byDocker, Inc.
 
PDF
Docker, Linux Containers (LXC), and security
byJérôme Petazzoni
 
PDF
Chingis Sandanov. Container virtualization
byDrupalSib
 
PDF
A Performance Comparison of Container-based Virtualization Systems for MapRed...
byMarcelo Veiga Neves
 
PDF
2. Vagin. Linux containers. June 01, 2013
byru-fedora-moscow-2013
 
PDF
BKK16-404A PCI Development Meeting
byLinaro
 
PDF
Tackling the Management Challenges of Server Consolidation on Multi-core Systems
byThe Linux Foundation
 
PDF
Kernel Recipes 2016 - Kernel documentation: what we have and where it’s going
byAnne Nicolas
 
PDF
Dulloor xen-summit
byThe Linux Foundation
 
PDF
Specification-Based Test Program Generation for ARM VMSAv8-64 MMUs
byAlexander Kamkin
 
PDF
Reverse engineering for_beginners-en
byAndri Yabu
 
PDF
LXD: The hypervisor that isn't
bytych0
 
PDF
Virtualization overheads
bySandeep Joshi
 
PDF
Docker and friends at Linux Days 2014 in Prague
bytomasbart
 
PDF
Containers in real world презентация
byPavel Odintsov
 
PDF
Linux numa evolution
byLukas Pirl
 
Cgroups, namespaces, and beyond: what are containers made from? (DockerCon Eu...
byJérôme Petazzoni
 
Docker by Example - Basics
byGanesh Samarthyam
 
Evoluation of Linux Container Virtualization
byImesh Gunaratne
 
LXC, Docker, security: is it safe to run applications in Linux Containers?
byJérôme Petazzoni
 
Docker 101 - Nov 2016
byDocker, Inc.
 
Docker, Linux Containers (LXC), and security
byJérôme Petazzoni
 
Chingis Sandanov. Container virtualization
byDrupalSib
 
A Performance Comparison of Container-based Virtualization Systems for MapRed...
byMarcelo Veiga Neves
 
2. Vagin. Linux containers. June 01, 2013
byru-fedora-moscow-2013
 
BKK16-404A PCI Development Meeting
byLinaro
 
Tackling the Management Challenges of Server Consolidation on Multi-core Systems
byThe Linux Foundation
 
Kernel Recipes 2016 - Kernel documentation: what we have and where it’s going
byAnne Nicolas
 
Dulloor xen-summit
byThe Linux Foundation
 
Specification-Based Test Program Generation for ARM VMSAv8-64 MMUs
byAlexander Kamkin
 
Reverse engineering for_beginners-en
byAndri Yabu
 
LXD: The hypervisor that isn't
bytych0
 
Virtualization overheads
bySandeep Joshi
 
Docker and friends at Linux Days 2014 in Prague
bytomasbart
 
Containers in real world презентация
byPavel Odintsov
 
Linux numa evolution
byLukas Pirl
 

Similar to Linux Containers From Scratch

PDF
Docking postgres
byrycamor
 
PDF
Docker Introduction + what is new in 0.9
byJérôme Petazzoni
 
PDF
Docker Introduction, and what's new in 0.9 — Docker Palo Alto at RelateIQ
byJérôme Petazzoni
 
PDF
Containerization is more than the new Virtualization: enabling separation of ...
byJérôme Petazzoni
 
PDF
"Lightweight Virtualization with Linux Containers and Docker". Jerome Petazzo...
byYandex
 
PDF
Lightweight Virtualization with Linux Containers and Docker | YaC 2013
bydotCloud
 
PDF
Lightweight Virtualization with Linux Containers and Docker I YaC 2013
byDocker, Inc.
 
PPTX
Introduction to containers
byNitish Jadia
 
PDF
Containerization Is More than the New Virtualization
byC4Media
 
PDF
Introduction to Docker (as presented at December 2013 Global Hackathon)
byJérôme Petazzoni
 
PDF
Docker and Containers for Development and Deployment — SCALE12X
byJérôme Petazzoni
 
PDF
Using Docker with OpenStack - Hands On!
byAdrian Otto
 
PDF
Introduction to Docker at SF Peninsula Software Development Meetup @Guidewire
bydotCloud
 
PDF
Atmosphere 2016 - Lennart poettering - systemd and Containers
byPROIDEA
 
PDF
GDG Cloud Iasi - Docker For The Busy Developer.pdf
byathlonica
 
PDF
Dockers zero to hero
byNicolas De Loof
 
PDF
Scale11x lxc talk
bydotCloud
 
PDF
App container rkt
byXiaofeng Guo
 
PPTX
Docker SDN (software-defined-networking) JUG
byPiotr Kieszczyński
 
PPTX
A Survey of Container Security in 2016: A Security Update on Container Platforms
bySalman Baset
 
Docking postgres
byrycamor
 
Docker Introduction + what is new in 0.9
byJérôme Petazzoni
 
Docker Introduction, and what's new in 0.9 — Docker Palo Alto at RelateIQ
byJérôme Petazzoni
 
Containerization is more than the new Virtualization: enabling separation of ...
byJérôme Petazzoni
 
"Lightweight Virtualization with Linux Containers and Docker". Jerome Petazzo...
byYandex
 
Lightweight Virtualization with Linux Containers and Docker | YaC 2013
bydotCloud
 
Lightweight Virtualization with Linux Containers and Docker I YaC 2013
byDocker, Inc.
 
Introduction to containers
byNitish Jadia
 
Containerization Is More than the New Virtualization
byC4Media
 
Introduction to Docker (as presented at December 2013 Global Hackathon)
byJérôme Petazzoni
 
Docker and Containers for Development and Deployment — SCALE12X
byJérôme Petazzoni
 
Using Docker with OpenStack - Hands On!
byAdrian Otto
 
Introduction to Docker at SF Peninsula Software Development Meetup @Guidewire
bydotCloud
 
Atmosphere 2016 - Lennart poettering - systemd and Containers
byPROIDEA
 
GDG Cloud Iasi - Docker For The Busy Developer.pdf
byathlonica
 
Dockers zero to hero
byNicolas De Loof
 
Scale11x lxc talk
bydotCloud
 
App container rkt
byXiaofeng Guo
 
Docker SDN (software-defined-networking) JUG
byPiotr Kieszczyński
 
A Survey of Container Security in 2016: A Security Update on Container Platforms
bySalman Baset
 

Recently uploaded

PDF
eResource Scheduler Enterprise Resource Management and Scheduling Software.pdf
byeResource Scheduler
 
PDF
December Patch Tuesday
byIvanti
 
PDF
Igniting the Future: Copilot trends, agentic transformation and product roadm...
byUni Systems S.M.S.A.
 
PDF
Accelerating Responsible AI Adoption in Public Sector and Private Organizations.
byYasir Naveed Riaz
 
PPTX
Basics of Identity Access Management In mordern Infrastructure
byPrinceXavier18
 
PDF
Vibe Coding vs. Spec-Driven Development [Free Meetup]
byHaim Michael
 
PPTX
Ritesh_kumar_Aatmanirbhar Bharat: Make in India, Make for the World.pptx
byriteshrkgs2008
 
PDF
ElyriaSoftware — Powering the Future with Blockchain Innovation
byElyria Software
 
PPTX
THIS IS CYBER SECURITY NOTES USED IN CLASS ON VARIOUS TOPICS USED IN CYBERSEC...
byMelissaGblinwon
 
PDF
Top Cybersecurity Threats 2025 Guide by Sureshdas
byPrintersassist
 
PDF
The major tech developments for 2026 by Pluralsight, a research and training ...
byChris Skinner
 
PDF
Agentic Automation for Testers – A Hands-On Deep Dive
byUiPathCommunity
 
PDF
Unlocking the Power of Salesforce Architecture: Frameworks for Effective Solu...
byvarsha30tiwari
 
PDF
AI Technology important knowledge ......
byutkarshj2007
 
PDF
Making Sense of Raster: From Bit Depth to Better Workflows
bySafe Software
 
PPTX
RISE with SAP for Automotive - S4 HANA Value.pptx
byAmira Jemi
 
PDF
AI and Computer Architecture: 200 Years Together
byDmitry Zinoviev
 
PDF
Digit Expo 2025 - EICC Edinburgh 27th November
byRay Bugg
 
PDF
The Ultimate Guide to Problem Management Dashboards for IT Teams.pdf
byomnex systems
 
PDF
Unser Jahresrückblick – MarvelClient in 2025
bypanagenda
 
eResource Scheduler Enterprise Resource Management and Scheduling Software.pdf
byeResource Scheduler
 
December Patch Tuesday
byIvanti
 
Igniting the Future: Copilot trends, agentic transformation and product roadm...
byUni Systems S.M.S.A.
 
Accelerating Responsible AI Adoption in Public Sector and Private Organizations.
byYasir Naveed Riaz
 
Basics of Identity Access Management In mordern Infrastructure
byPrinceXavier18
 
Vibe Coding vs. Spec-Driven Development [Free Meetup]
byHaim Michael
 
Ritesh_kumar_Aatmanirbhar Bharat: Make in India, Make for the World.pptx
byriteshrkgs2008
 
ElyriaSoftware — Powering the Future with Blockchain Innovation
byElyria Software
 
THIS IS CYBER SECURITY NOTES USED IN CLASS ON VARIOUS TOPICS USED IN CYBERSEC...
byMelissaGblinwon
 
Top Cybersecurity Threats 2025 Guide by Sureshdas
byPrintersassist
 
The major tech developments for 2026 by Pluralsight, a research and training ...
byChris Skinner
 
Agentic Automation for Testers – A Hands-On Deep Dive
byUiPathCommunity
 
Unlocking the Power of Salesforce Architecture: Frameworks for Effective Solu...
byvarsha30tiwari
 
AI Technology important knowledge ......
byutkarshj2007
 
Making Sense of Raster: From Bit Depth to Better Workflows
bySafe Software
 
RISE with SAP for Automotive - S4 HANA Value.pptx
byAmira Jemi
 
AI and Computer Architecture: 200 Years Together
byDmitry Zinoviev
 
Digit Expo 2025 - EICC Edinburgh 27th November
byRay Bugg
 
The Ultimate Guide to Problem Management Dashboards for IT Teams.pdf
byomnex systems
 
Unser Jahresrückblick – MarvelClient in 2025
bypanagenda
 

Linux Containers From Scratch

  • 1.
    Linux Containers FromScratch Joshua Hoffman Velocity Europe 2014
  • 2.
    Recommended mirror: http://ftp.es.debian.org SETUP INSTALL PACKAGES Install packages: ● vim ● screen ● lftp ● busybox-static ● systemd ● yum ● qemu-utils ● aufs-tools ● pbzip2 ● htop
  • 3.
    1. Edit /etc/default/grub change the line: GRUB_CMDLINE_LINUX="" to: GRUB_CMDLINE_LINUX="init=/bin/systemd" 2. Run the grub updater: update-grub2 3. Reboot SETUP CONFIGURE SYSTEMD
  • 4.
    THE CLOUD LINUXCONTAINERS
  • 5.
    THE CLOUD LINUXCONTAINERS FREE LUNCH
  • 6.
  • 7.
  • 8.
  • 9.
  • 10.
  • 11.
    A logically isolatedvirtual environment. A Linux Container
  • 12.
  • 13.
  • 14.
    Running in aVirtual Machine as viewed from the host os # ps x PID TTY STAT TIME COMMAND 689 ? R 1:06 qemu-kvm
  • 15.
    Running in aLinux Container as viewed from the host os # ps x PID TTY STAT TIME COMMAND 5347 ? R 2:22 unicorn_rails master -D -c kiffen.rb
  • 16.
  • 17.
  • 18.
    NETWORK NAMESPACE asviewed from iproute2 $ ip a 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master br0 state UP qlen 1000 link/ether 00:01:2e:3b:be:14 brd ff:ff:ff:ff:ff:ff inet 10.21.0.22/24 brd 10.21.0.255 scope global br0 inet6 fe80::201:2eff:fe3b:be14/64 scope link valid_lft forever preferred_lft forever
  • 19.
  • 20.
    MOUNT NAMESPACE asviewed from ls $ ls / bin etc lib media proc sbin sys var boot home lib64 mnt root selinux tmp dev lost+found opt run srv usr
  • 21.
  • 22.
    PID NAMESPACE asviewed from ps # ps x PID TTY STAT TIME COMMAND 5347 ? R 2:22 unicorn_rails master -D -c kiffen.rb
  • 23.
  • 24.
    CGROUPS as viewedfrom ls # ls -F /sys/fs/cgroup/ blkio/ cpu@ cpuacct@ cpu,cpuacct/ cpuset/ devices/ freezer/ net_cls/ perf_event/ systemd/ # ls -F /sys/fs/cgroup/cpuset cpuset.mem_exclusive cgroup.procs cpuset.memory_migrate cpuset.mems cpuset.cpu_exclusive tasks cpuset.cpus (...output truncated…)
  • 25.
  • 26.
    Minimal Busybox Container # mkdir -p {minimal,minimal/usr}/{bin,sbin,etc} # for x in $(busybox --list-full); do > ln -s /bin/sh minimal/$x; done # cp -f /bin/busybox minimal/bin/sh # touch minimal/etc/os-release
  • 27.
    Running The Container Private mount namespace: # chroot minimal /bin/sh Private mount and pid namespace # systemd-nspawn -Dminimal /bin/sh Private mount, pid, and network namespace # systemd-nspawn --private-network -Dminimal /bin/sh
  • 28.
    DEMO: building acontainer image with cpio
  • 29.
    Build A ContainerImage With cpio # find minimal -print | cpio -o | > pbzip2 -c > minimal.cpio.bz2 # ls -lh minimal.cpio.bz2 -rw-r--r-- 1 root root 852K Nov 18 12:48 minimal.cpio.bz2
  • 30.
    DEMO: limiting cpuaccess with cgroups
  • 31.
    Limiting CPU AccessWith cgroups # dd if=/dev/urandom of=datafile bs=1M count=100 # time pbzip2 -k -9 datafile # mkdir /sys/fs/cgroup/cpuset/my_cpuset # echo 0 > /sys/fs/cgroup/cpuset/my_cpuset/cpuset.cpus # echo 0 > /sys/fs/cgroup/cpuset/my_cpuset/cpuset.mems # echo $$ > /sys/fs/cgroup/cpuset/my_cpuset/tasks # time pbzip2 -k -9 datafile
  • 32.
    DEMO: connect acontainer to the network
  • 33.
    Connect The NetworkWith iproute2 # ip netns add minimal # ip link add eth1 type veth peer name veth1 # ip link set eth1 netns minimal # ip a add 10.0.0.1/24 dev veth1 # ip l set veth1 up # ip netns exec minimal chroot minimal /bin/sh (in the container) # ip a add 10.0.0.2/24 dev eth1 # ip l set eth1 up
  • 34.
    DEMO: installing aservice stack with yum
  • 35.
    SETUP CONFIGURE YUM Create a file called yum.conf with the following contents: [main] cachedir=/var/cache/yum keepcache=1 debuglevel=2 logfile=/var/log/yum.log exactarch=1 obsoletes=1 [base] name=CentOS-7 - Base #mirrorlist=http://mirrorlist.centos.org/?release=7&arch=x86_64&repo=os baseurl=http://192.168.56.1/centos/ gpgcheck=0 enabled=1
  • 36.
    Install A ServiceStack With yum # mkdir -p /lcfs/ftp_stack # yum -c yum.conf --installroot=/lcfs/ftp_stack > install vsftpd # ip netns exec minimal chroot /lcfs/ftp_stack /bin/bash (in the container) # /sbin/vsftpd
  • 37.
    DEMO: splitting acontainer image into layers with aufs
  • 38.
    Container Layers Withaufs # mkdir -p /lcfs/base_stack # yum -c yum.conf > --installroot=/lcfs/base_stack install basesystem # cp yum.conf /lcfs/base_stack/etc/ # rm /lcfs/base_stack/etc/yum.repos.d/*repo # mkdir /lcfs/{app_stack,tmp_stack} # mount -t aufs -obr=/lcfs/app_stack:/lcfs/base_stack none > /lcfs/tmp_stack # yum --installroot=/lcfs/tmp_stack install vsftpd
  • 39.
    DEMO: install afull os with yum
  • 40.
    Install A FullOS With yum # mkdir -p /lcfs/centos-rootfs # yum -c yum.conf --installroot=/lcfs/centos-rootfs > groupinstall core # chroot /lcfs/centos-rootfs # passwd (set a new password) # vi /etc/pam.d/session (comment these out lines) session required pam_selinux.so close session required pam_loginuid.so session required pam_selinux.so open
  • 41.
    Run A FullOS Container # systemd-nspawn --private-network -D/lcfs/centos-rootfs