|
|
@ -0,0 +1,70 @@ |
|
|
|
--- |
|
|
|
title: The What, Why and How of Containers |
|
|
|
date: 2024-03-24 |
|
|
|
slug: what-why-how-containers |
|
|
|
--- |
|
|
|
|
|
|
|
Alternate title: *An history of OS-Level Virtualisation on UNIX and then Linux*. |
|
|
|
|
|
|
|
This post is part of an entry for [the Handmade Network's Learning Jam 2024](https://handmade.network/jam/learning-2024) |
|
|
|
|
|
|
|
## The problem |
|
|
|
|
|
|
|
{{< art-img "images/comic_1.png" >}} |
|
|
|
|
|
|
|
## It all starts with `chroot` *(UNIX, 1982)* |
|
|
|
|
|
|
|
``` |
|
|
|
$ apropos chroot |
|
|
|
chroot (1) - run command or interactive shell with special root directory |
|
|
|
chroot (2) - change root directory |
|
|
|
``` |
|
|
|
|
|
|
|
Chroot is a kernel mechanism available since early versions of UNIX that allows to run a process as with an alternate root directory. The process shares the kernel and hardware, but only has access to a subtree of the file system. |
|
|
|
|
|
|
|
{{< art-img "images/comic_2.png" >}} |
|
|
|
|
|
|
|
## Jails on Free BSD *(FreeBSD, 2000)* |
|
|
|
|
|
|
|
FreeBSD jails basically take chroot and build upon it by adding mechanism to isolate and control the use of other system resources beside the filesystem. |
|
|
|
|
|
|
|
The end result is a kernel mechanism that is a complete container implementation: |
|
|
|
- Fully (More or less, depending onthe exact configuration of the jail) isolated userspace |
|
|
|
- Running on the same kernel as the host |
|
|
|
|
|
|
|
{{< art-img "images/comic_3.png" >}} |
|
|
|
|
|
|
|
## Quick tangent: Control Groups (cgroups) *(Linux, 2007, major update in 2016)* |
|
|
|
|
|
|
|
Control groups are a mechanism in Linux that allows to control which how much of the system resources a process (and it's child processes) can use. It wasn't originally meant for virtualisation, but rather as a system to avoid processes fighting over hardware, and to implement quotas. It however turned out to be very useful when it came to implement containers. |
|
|
|
|
|
|
|
## Namespaces *(Linux, starting 2002)* |
|
|
|
|
|
|
|
Namespaces allow to isolate processes within the namespace from the rest with regard to a specific global resource such as mount points, process ids, user ids, interprocess communication, networking or time. |
|
|
|
|
|
|
|
But more crucially they also allow to isolate across cgroups, giving the illusion of being alone on the system. |
|
|
|
|
|
|
|
## How to make a linux container |
|
|
|
|
|
|
|
With those mechanisms (chroot, cgroups and namespaces) in place creating a container is conceptually relatively simple: |
|
|
|
|
|
|
|
- First you populate the subtree that your container will have access too, ready to be chroot-ed in |
|
|
|
- Then you create namespaces for all you need to isolate (this usually includes at least PID, UID, mountpoints and cgroups) |
|
|
|
- Finally you run your containerized process within your namespaces, chroot'ed to it's subtree |
|
|
|
|
|
|
|
## Conclusion |
|
|
|
|
|
|
|
{{<art-img "images/comic_end.png">}} |
|
|
|
|
|
|
|
In practice you don't need to make them from scratch, people already have made systems for managing containers with nicer user interfaces those include Docker, LXC and systemd-nspawn just to name a few, and there is probably one just right for your use-case. |
|
|
|
|
|
|
|
## Sources |
|
|
|
|
|
|
|
- Linux manual pages: |
|
|
|
- [chroot(1)](https://man7.org/linux/man-pages/man1/chroot.1.html) |
|
|
|
- [chroot(2)](https://man7.org/linux/man-pages/man2/chroot.2.html) |
|
|
|
- [cgroups(7)](https://man7.org/linux/man-pages/man7/cgroups.7.html) |
|
|
|
- [namespaces(7)](https://man7.org/linux/man-pages/man7/namespaces.7.html) |
|
|
|
- [Free BSD Handbook: Chapter 17. Jails and Containers](https://docs.freebsd.org/en/books/handbook/jails/) |
|
|
|
- [Linux kernel documentation: Control group v2](https://www.kernel.org/doc/html/latest/admin-guide/cgroup-v2.html) |
|
|
|
- Comic bits inspired by the awesome [XKCD](https://xkcd.com) |
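Review bot: the chroot section and the last step of the "How to make a linux container" list present the chroot'ed subtree as what limits the container's filesystem access, but the chroot(2) man page cited under Sources states that the call is not intended to be used for any kind of security purpose; a one-sentence caveat in both places that a bare chroot is not a security boundary, and that the mount namespace together with the other namespaces is what actually isolates the process, would stop readers from treating `chroot` alone as a sandbox. The namespaces section also says they "isolate across cgroups"; per the cited namespaces(7), the cgroup namespace isolates a process's view of the cgroup hierarchy, which is worth stating plainly rather than implying that namespaces replace cgroup resource limits. Smaller wording fixes in the same file: "An history" should read "A history"; "allows to run a process as with an alternate root directory" should read "allows a process to run with an alternate root directory"; "depending onthe" needs a space; "it's child processes" and "chroot'ed to it's subtree" should use "its"; "allows to control which how much" should drop "which"; "have access too" should read "access to"; and "Free BSD" in the jails heading and the Handbook link should be "FreeBSD", matching the rest of the post.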