SlideShare a Scribd company logo

Containers: What are they, Really?

Sneha Inguva, profile picture
Sneha Inguva

The document discusses containerization using Docker. It begins with an overview of Docker commands to run containers with increasing levels of isolation for hostname, process ID, and filesystem/mounting. It then demonstrates how to execute commands in a container using Linux namespaces to isolate processes and filesystems. The document aims to show how Docker containers can isolate and sandbox processes running on a machine.

Software
1 of 34
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
Containers: What are they, Really?
Containers: What are they, Really?
Containers: What are they, Really?
Containers: What are they, Really?
● ● ●
Containers: What are they, Really?
Containers: What are they, Really?
+ run input commands with arguments ++ add hostname limitations +++ add process ID limitations ++++ add mount/filesystem limitations
func main() { switch os.Args[1] { case "run": run() default: panic("what?") } } func run() { fmt.Printf("running %vn", os.Args[2:]) cmd := exec.Command(os.Args[2], os.Args[3:]...) cmd.Stdin = os.Stdin cmd.Stderr = os.Stderr cmd.Stdout = os.Stdout must(cmd.Run()) } func must(err error) { if err != nil { panic(err) } } ---- take inputs and executes them ---- panics with non-”run” command
🎉 And it successfully echoes “Hello”!
----- opens shell to “container process” ------ can check hostname ------ can CHANGE hostname!!!
Containers: What are they, Really?
Containers: What are they, Really?
func run() { fmt.Pintf("running %vn", os.Args[2:]) cmd := exec.Command(os.Args[2], os.Args[3:]...) cmd.Stdin = os.Stdin cmd.Stderr = os.Stderr cmd.Stdout = os.Stdout cmd.SysProcAttr = &syscall.SysProcAttr{ Cloneflags: syscall.CLONE_NEWUTS, } must(cmd.Run()) } cmd will be executed with linux flag for calling a child process, which runs in a new UTS namespace
can see all processes on the host machine
func run() { fmt.Printf("running %vn", os.Args[2:]) cmd := exec.Command(os.Args[2], os.Args[3:]...) cmd.Stdin = os.Stdin cmd.Stderr = os.Stderr cmd.Stdout = os.Stdout cmd.SysProcAttr = &syscall.SysProcAttr{ Cloneflags: syscall.CLONE_NEWUTS | syscall.CLONE_NEWPID, } must(cmd.Run()) } why can we still the parent namespace? ----- execute cmd in new PID and new UTS namespace
func run() { cmd := exec.Command("/proc/self/exe", append([]string{"child"}, os.Args[2:]...)...) cmd.Stdin = os.Stdin cmd.Stderr = os.Stderr cmd.Stdout = os.Stdout cmd.SysProcAttr = &syscall.SysProcAttr{ Cloneflags: syscall.CLONE_NEWUTS | syscall.CLONE_NEWPID, } must(cmd.Run()) } func child() { fmt.Printf("running %v as pid %vn", os.Args[2:], os.Getpid()) cmd := exec.Command(os.Args[2], os.Args[3:]...) cmd.Stdin = os.Stdin cmd.Stderr = os.Stderr cmd.Stdout = os.Stdout must(cmd.Run()) } ----- let’s try this again but fork off a child process
----- child process has a PID of one! can still see processes on host machine ‘ps’ is looking in the /proc directory
func run() { md := exec.Command("/proc/self/exe", append([]string{"child"}, os.Args[2:]...)...) // link to currently running process cmd.Stdin = os.Stdin cmd.Stderr = os.Stderr cmd.Stdout = os.Stdout cmd.SysProcAttr = &syscall.SysProcAttr{ Cloneflags: syscall.CLONE_NEWUTS | syscall.CLONE_NEWPID | syscall.CLONE_NEWNS, } must(cmd.Run()) } ------ NEWNS flag for mount namespace is creating a “mount table” for the process, allowing it to have it’s own filesystem
Containers: What are they, Really?
func child() { fmt.Printf("running %v as pid%vn", os.Args[2:], os.Getpid()) cmd := exec.Command(os.Args[2], os.Args[3:]...) cmd.Stdin = os.Stdin cmd.Stderr = os.Stderr cmd.Stdout = os.Stdout must(syscall.Chroot("/home/rootfs")) must(os.Chdir("/")) must(syscall.Mount("proc", "proc", "proc", 0, "")) must(cmd.Run()) } TODO Need a new root filsystem w/ empty /proc directory
Containers: What are they, Really?
● ✔ ● ✔ ● ● ✔ ● ●
● ● ● ●
● ● ●
● ● ●
Source: https://docs.docker.com/engine/understanding-docker/ https://coreos.com/rkt/docs/latest/rkt-vs-other-projects.html#rkt-vs-docker
docker ecosystem
Source: https://github.com/nkhare/container-orchestration/blob/master/kubernetes/README.md
GKE DigitalOcean k8s
CNCF (cloud native computing foundation)
Questions?
● ● , Julien Friedman ● My demo code - @si74 on github ● An overview of the docker ecosystem
Containers: What are they, Really?

More Related Content

PDF
Networking and Go: An Engineer's Journey (Strangeloop 2019)
Sneha Inguva
 
PDF
What Have Syscalls Done for you Lately?
Docker, Inc.
 
PDF
Containers: The What, Why, and How
Sneha Inguva
 
PDF
Docker / Ansible
Stephane Manciot
 
PDF
Declare your infrastructure: InfraKit, LinuxKit and Moby
Moby Project
 
PDF
2017-03-11 02 Денис Нелюбин. Docker & Ansible - лучшие друзья DevOps
Омские ИТ-субботники
 
PPTX
Practical Glusto Example
Gluster.org
 
PPTX
Container & kubernetes
Ted Jung
 
Networking and Go: An Engineer's Journey (Strangeloop 2019)
Sneha Inguva
 
What Have Syscalls Done for you Lately?
Docker, Inc.
 
Containers: The What, Why, and How
Sneha Inguva
 
Docker / Ansible
Stephane Manciot
 
Declare your infrastructure: InfraKit, LinuxKit and Moby
Moby Project
 
2017-03-11 02 Денис Нелюбин. Docker & Ansible - лучшие друзья DevOps
Омские ИТ-субботники
 
Practical Glusto Example
Gluster.org
 
Container & kubernetes
Ted Jung
 

What's hot (20)

PDF
Object Storage with Gluster
Gluster.org
 
PDF
Small, Simple, and Secure: Alpine Linux under the Microscope
Docker, Inc.
 
PDF
CoreOS intro
Timo Derstappen
 
PDF
How and Why Prometheus' New Storage Engine Pushes the Limits of Time Series D...
Docker, Inc.
 
PDF
Devinsampa nginx-scripting
Tony Fabeen
 
PPTX
Ansible as a better shell script
Takuya Nishimoto
 
PDF
Docker n co
Rohit Jnagal
 
PDF
Monitoring with Syslog and EventMachine
Wooga
 
PDF
Node.js - A Quick Tour
Felix Geisendörfer
 
PDF
Docker and friends at Linux Days 2014 in Prague
tomasbart
 
ODP
nginx: writing your first module
redivy
 
ODP
Testing Wi-Fi with OSS Tools
All Things Open
 
PDF
CoreOS Overview
Victor S. Recio
 
PDF
Who is afraid of privileged containers ?
Marko Bevc
 
PPTX
Git/Github/Bitbucket@TalkIt. Humber college.
Andrew Romanenco
 
PPTX
Native Containers on Windows 10 & Windows Server 2016 using Docker
Jorge Arteiro
 
PDF
Kubernetes in 20 minutes - HDE Monthly Technical Session 24
lestrrat
 
PPTX
Container Torture: Run any binary, in any container
Docker, Inc.
 
PPTX
Lessons from running potentially malicious code inside containers
Ben Hall
 
PDF
Docker command
Eric Ahn
 
Object Storage with Gluster
Gluster.org
 
Small, Simple, and Secure: Alpine Linux under the Microscope
Docker, Inc.
 
CoreOS intro
Timo Derstappen
 
How and Why Prometheus' New Storage Engine Pushes the Limits of Time Series D...
Docker, Inc.
 
Devinsampa nginx-scripting
Tony Fabeen
 
Ansible as a better shell script
Takuya Nishimoto
 
Docker n co
Rohit Jnagal
 
Monitoring with Syslog and EventMachine
Wooga
 
Node.js - A Quick Tour
Felix Geisendörfer
 
Docker and friends at Linux Days 2014 in Prague
tomasbart
 
nginx: writing your first module
redivy
 
Testing Wi-Fi with OSS Tools
All Things Open
 
CoreOS Overview
Victor S. Recio
 
Who is afraid of privileged containers ?
Marko Bevc
 
Git/Github/Bitbucket@TalkIt. Humber college.
Andrew Romanenco
 
Native Containers on Windows 10 & Windows Server 2016 using Docker
Jorge Arteiro
 
Kubernetes in 20 minutes - HDE Monthly Technical Session 24
lestrrat
 
Container Torture: Run any binary, in any container
Docker, Inc.
 
Lessons from running potentially malicious code inside containers
Ben Hall
 
Docker command
Eric Ahn
 
Ad

Similar to Containers: What are they, Really? (20)

PDF
Linux Programming
Emertxe Information Technologies Pvt Ltd
 
PPTX
04_ForkPipe.pptx
vnwzympx
 
PDF
Ipc
vivekprasad229
 
PDF
Process management
Akshay Ithape
 
PDF
Systems Programming Assignment Help - Processes
HelpWithAssignment.com
 
PPT
process creation OS
Kiran Kumar Thota
 
PPTX
Zurg part 1
Shuo Chen
 
PPTX
Linux container internals
Ashwin Bilgi
 
DOCX
httplinux.die.netman3execfork() creates a new process by.docx
adampcarr67227
 
PDF
Os lab final
LakshmiSarvani6
 
PPTX
Unix-module4.Unit 2 Virtualization Part I.pptx
ssuser8594b8
 
PDF
Tested on ubuntu,Linux#include stdio.h #include string.h.pdf
aquacare2008
 
PPTX
Linux Systems Programming: Process CommunCh11 Processes and Signals
RashidFaridChishti
 
DOCX
LP-Unit3.docx
SeetharamNageshAppe1
 
PDF
TDC2017 | São Paulo - Trilha Containers How we figured out we had a SRE team ...
tdc-globalcode
 
PPTX
UNIX_Process Control_Module3.pptx
raunakkumar290158
 
PPTX
Process management
Utkarsh Kulshrestha
 
PDF
MyShell - English
Johnnatan Messias
 
PDF
System calls
AfshanKhan51
 
DOCX
Write a C program called pross-c to implement the UNIX-Linux equivalen.docx
SUKHI5
 
Linux Programming
Emertxe Information Technologies Pvt Ltd
 
04_ForkPipe.pptx
vnwzympx
 
Ipc
vivekprasad229
 
Process management
Akshay Ithape
 
Systems Programming Assignment Help - Processes
HelpWithAssignment.com
 
process creation OS
Kiran Kumar Thota
 
Zurg part 1
Shuo Chen
 
Linux container internals
Ashwin Bilgi
 
httplinux.die.netman3execfork() creates a new process by.docx
adampcarr67227
 
Os lab final
LakshmiSarvani6
 
Unix-module4.Unit 2 Virtualization Part I.pptx
ssuser8594b8
 
Tested on ubuntu,Linux#include stdio.h #include string.h.pdf
aquacare2008
 
Linux Systems Programming: Process CommunCh11 Processes and Signals
RashidFaridChishti
 
LP-Unit3.docx
SeetharamNageshAppe1
 
TDC2017 | São Paulo - Trilha Containers How we figured out we had a SRE team ...
tdc-globalcode
 
UNIX_Process Control_Module3.pptx
raunakkumar290158
 
Process management
Utkarsh Kulshrestha
 
MyShell - English
Johnnatan Messias
 
System calls
AfshanKhan51
 
Write a C program called pross-c to implement the UNIX-Linux equivalen.docx
SUKHI5
 
Ad

More from Sneha Inguva (8)

PDF
Handy Networking Tools and How to Use Them
Sneha Inguva
 
PDF
MicroCPH: Observability and Product Release
Sneha Inguva
 
PDF
[Power To Fly Webinar] Observability at a Cloud Provider
Sneha Inguva
 
PDF
Networking and Go: An Epic Journey
Sneha Inguva
 
PDF
observability pre-release: using prometheus to test and fix new software
Sneha Inguva
 
PDF
Observability and Product Release
Sneha Inguva
 
PDF
Prometheus Everything, Observing Kubernetes in the Cloud
Sneha Inguva
 
PDF
Observability in a Dynamically Scheduled World
Sneha Inguva
 
Handy Networking Tools and How to Use Them
Sneha Inguva
 
MicroCPH: Observability and Product Release
Sneha Inguva
 
[Power To Fly Webinar] Observability at a Cloud Provider
Sneha Inguva
 
Networking and Go: An Epic Journey
Sneha Inguva
 
observability pre-release: using prometheus to test and fix new software
Sneha Inguva
 
Observability and Product Release
Sneha Inguva
 
Prometheus Everything, Observing Kubernetes in the Cloud
Sneha Inguva
 
Observability in a Dynamically Scheduled World
Sneha Inguva
 

Recently uploaded (20)

PPTX
ai tools demonstartion for schools and inter college
harshavardhanreddyka11
 
PDF
How Creative Agencies Leverage Project Management Software.pdf
Orangescrum
 
PDF
Audit Checklist Design Aligning with ISO, IATF, and Industry Standards — Omne...
rohnjim07
 
PPTX
ISO 45001 Occupational Health and Safety Management System
EHA Soft Solutions
 
PPTX
CHAPTER 12 - CYBER SECURITY AND FUTURE SKILLS (1) (1).pptx
AnujKumar530915
 
PDF
medical staffing services at VALiNTRY
Tiyan Grayson
 
PDF
Which alternative to Crystal Reports is best for small or large businesses.pdf
Varsha Nayak
 
PDF
top salesforce developer skills in 2025.pdf
CloudMetic
 
PDF
Odoo Companies in India – Driving Business Transformation.pdf
azhuhardeen1968
 
PPTX
ManageIQ - Sprint 268 Review - Slide Deck
ManageIQ
 
PPTX
Online Work Permit System for Fast Permit Processing
SHEQ Network Limited
 
PDF
T3DD25 TYPO3 Content Blocks - Deep Dive by André Kraus
Andre Kraus
 
PPTX
Transform Your Business with a Software ERP System
Canada Software Company
 
PPTX
L1 - Introduction to python Backend.pptx
MoizAhmed480282
 
PPTX
Agentic AI : A Practical Guide. Undersating, Implementing and Scaling Autono...
IT IDOL Technologies
 
PDF
Internet Downloader Manager (IDM) Crack 6.42 Build 42 Updates Latest 2025
itskinga12
 
PPTX
CHAPTER 2 - PM Management and IT Context
KevinPutra14
 
PPT
Introduction Database Management System for Course Database
ReinertYosua
 
PPTX
Agentic AI Use Case- Contract Lifecycle Management (CLM).pptx
mhxyzzp
 
PPTX
Introduction to Artificial Intelligence
lohedi9363
 
ai tools demonstartion for schools and inter college
harshavardhanreddyka11
 
How Creative Agencies Leverage Project Management Software.pdf
Orangescrum
 
Audit Checklist Design Aligning with ISO, IATF, and Industry Standards — Omne...
rohnjim07
 
ISO 45001 Occupational Health and Safety Management System
EHA Soft Solutions
 
CHAPTER 12 - CYBER SECURITY AND FUTURE SKILLS (1) (1).pptx
AnujKumar530915
 
medical staffing services at VALiNTRY
Tiyan Grayson
 
Which alternative to Crystal Reports is best for small or large businesses.pdf
Varsha Nayak
 
top salesforce developer skills in 2025.pdf
CloudMetic
 
Odoo Companies in India – Driving Business Transformation.pdf
azhuhardeen1968
 
ManageIQ - Sprint 268 Review - Slide Deck
ManageIQ
 
Online Work Permit System for Fast Permit Processing
SHEQ Network Limited
 
T3DD25 TYPO3 Content Blocks - Deep Dive by André Kraus
Andre Kraus
 
Transform Your Business with a Software ERP System
Canada Software Company
 
L1 - Introduction to python Backend.pptx
MoizAhmed480282
 
Agentic AI : A Practical Guide. Undersating, Implementing and Scaling Autono...
IT IDOL Technologies
 
Internet Downloader Manager (IDM) Crack 6.42 Build 42 Updates Latest 2025
itskinga12
 
CHAPTER 2 - PM Management and IT Context
KevinPutra14
 
Introduction Database Management System for Course Database
ReinertYosua
 
Agentic AI Use Case- Contract Lifecycle Management (CLM).pptx
mhxyzzp
 
Introduction to Artificial Intelligence
lohedi9363
 

Containers: What are they, Really?

  • 8. + run input commands with arguments ++ add hostname limitations +++ add process ID limitations ++++ add mount/filesystem limitations
  • 9. func main() { switch os.Args[1] { case "run": run() default: panic("what?") } } func run() { fmt.Printf("running %vn", os.Args[2:]) cmd := exec.Command(os.Args[2], os.Args[3:]...) cmd.Stdin = os.Stdin cmd.Stderr = os.Stderr cmd.Stdout = os.Stdout must(cmd.Run()) } func must(err error) { if err != nil { panic(err) } } ---- take inputs and executes them ---- panics with non-”run” command
  • 10. 🎉 And it successfully echoes “Hello”!
  • 11. ----- opens shell to “container process” ------ can check hostname ------ can CHANGE hostname!!!
  • 14. func run() { fmt.Pintf("running %vn", os.Args[2:]) cmd := exec.Command(os.Args[2], os.Args[3:]...) cmd.Stdin = os.Stdin cmd.Stderr = os.Stderr cmd.Stdout = os.Stdout cmd.SysProcAttr = &syscall.SysProcAttr{ Cloneflags: syscall.CLONE_NEWUTS, } must(cmd.Run()) } cmd will be executed with linux flag for calling a child process, which runs in a new UTS namespace
  • 15. can see all processes on the host machine
  • 16. func run() { fmt.Printf("running %vn", os.Args[2:]) cmd := exec.Command(os.Args[2], os.Args[3:]...) cmd.Stdin = os.Stdin cmd.Stderr = os.Stderr cmd.Stdout = os.Stdout cmd.SysProcAttr = &syscall.SysProcAttr{ Cloneflags: syscall.CLONE_NEWUTS | syscall.CLONE_NEWPID, } must(cmd.Run()) } why can we still the parent namespace? ----- execute cmd in new PID and new UTS namespace
  • 17. func run() { cmd := exec.Command("/proc/self/exe", append([]string{"child"}, os.Args[2:]...)...) cmd.Stdin = os.Stdin cmd.Stderr = os.Stderr cmd.Stdout = os.Stdout cmd.SysProcAttr = &syscall.SysProcAttr{ Cloneflags: syscall.CLONE_NEWUTS | syscall.CLONE_NEWPID, } must(cmd.Run()) } func child() { fmt.Printf("running %v as pid %vn", os.Args[2:], os.Getpid()) cmd := exec.Command(os.Args[2], os.Args[3:]...) cmd.Stdin = os.Stdin cmd.Stderr = os.Stderr cmd.Stdout = os.Stdout must(cmd.Run()) } ----- let’s try this again but fork off a child process
  • 18. ----- child process has a PID of one! can still see processes on host machine ‘ps’ is looking in the /proc directory
  • 19. func run() { md := exec.Command("/proc/self/exe", append([]string{"child"}, os.Args[2:]...)...) // link to currently running process cmd.Stdin = os.Stdin cmd.Stderr = os.Stderr cmd.Stdout = os.Stdout cmd.SysProcAttr = &syscall.SysProcAttr{ Cloneflags: syscall.CLONE_NEWUTS | syscall.CLONE_NEWPID | syscall.CLONE_NEWNS, } must(cmd.Run()) } ------ NEWNS flag for mount namespace is creating a “mount table” for the process, allowing it to have it’s own filesystem
  • 21. func child() { fmt.Printf("running %v as pid%vn", os.Args[2:], os.Getpid()) cmd := exec.Command(os.Args[2], os.Args[3:]...) cmd.Stdin = os.Stdin cmd.Stderr = os.Stderr cmd.Stdout = os.Stdout must(syscall.Chroot("/home/rootfs")) must(os.Chdir("/")) must(syscall.Mount("proc", "proc", "proc", 0, "")) must(cmd.Run()) } TODO Need a new root filsystem w/ empty /proc directory
  • 23. ● ✔ ● ✔ ● ● ✔ ● ●
  • 31. CNCF (cloud native computing foundation)
  • 33. ● ● , Julien Friedman ● My demo code - @si74 on github ● An overview of the docker ecosystem