the code for my website (https://www.annwan.me)
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

70 lines
3.4 KiB

9 months ago
9 months ago
9 months ago
  1. ---
  2. title: The What, Why and How of Containers
  3. date: 2024-03-24
  4. slug: what-why-how-containers
  5. ---
  6. Alternate title: *An history of OS-Level Virtualisation on UNIX and then Linux*.
  7. This post is part of an entry for [the Handmade Network's Learning Jam 2024](https://handmade.network/jam/learning-2024)
  8. ## The problem
  9. {{< art-img "images/comic_1.png" >}}
  10. ## It all starts with `chroot` *(UNIX, 1982)*
  11. ```
  12. $ apropos chroot
  13. chroot (1) - run command or interactive shell with special root directory
  14. chroot (2) - change root directory
  15. ```
  16. Chroot is a kernel mechanism available since early versions of UNIX that allows to run a process as with an alternate root directory. The process shares the kernel and hardware, but only has access to a subtree of the file system.
  17. {{< art-img "images/comic_2.png" >}}
  18. ## Jails on Free BSD *(FreeBSD, 2000)*
  19. FreeBSD jails basically take chroot and build upon it by adding mechanism to isolate and control the use of other system resources beside the filesystem.
  20. The end result is a kernel mechanism that is a complete container implementation:
  21. - Fully (More or less, depending onthe exact configuration of the jail) isolated userspace
  22. - Running on the same kernel as the host
  23. {{< art-img "images/comic_3.png" >}}
  24. ## Quick tangent: Control Groups (cgroups) *(Linux, 2007, major update in 2016)*
  25. Control groups are a mechanism in Linux that allows to control which how much of the system resources a process (and it's child processes) can use. It wasn't originally meant for virtualisation, but rather as a system to avoid processes fighting over hardware, and to implement quotas. It however turned out to be very useful when it came to implement containers.
  26. ## Namespaces *(Linux, starting 2002)*
  27. Namespaces allow to isolate processes within the namespace from the rest with regard to a specific global resource such as mount points, process ids, user ids, interprocess communication, networking or time.
  28. But more crucially they also allow to isolate across cgroups, giving the illusion of being alone on the system.
  29. ## How to make a linux container
  30. With those mechanisms (chroot, cgroups and namespaces) in place creating a container is conceptually relatively simple:
  31. - First you populate the subtree that your container will have access too, ready to be chroot'ed in
  32. - Then you create namespaces for all you need to isolate (this usually includes at least PID, UID, mountpoints and cgroups)
  33. - Finally you run your containerized process within your namespaces, chroot'ed to its subtree
  34. ## Conclusion
  35. {{<art-img "images/comic_end.png">}}
  36. In practice you don't need to make them from scratch, people already have made systems for managing containers with nicer user interfaces. Those include Docker, LXC and systemd-nspawn just to name a few, and there is probably one just right for your use-case.
  37. ## Sources
  38. - Linux manual pages:
  39. - [chroot(1)](https://man7.org/linux/man-pages/man1/chroot.1.html)
  40. - [chroot(2)](https://man7.org/linux/man-pages/man2/chroot.2.html)
  41. - [cgroups(7)](https://man7.org/linux/man-pages/man7/cgroups.7.html)
  42. - [namespaces(7)](https://man7.org/linux/man-pages/man7/namespaces.7.html)
  43. - [Free BSD Handbook: Chapter 17. Jails and Containers](https://docs.freebsd.org/en/books/handbook/jails/)
  44. - [Linux kernel documentation: Control group v2](https://www.kernel.org/doc/html/latest/admin-guide/cgroup-v2.html)
  45. - Comic bits inspired by the awesome [XKCD](https://xkcd.com)