Containerization

Often seen as na advancement from chroot technique. For given process and its children chroot creates the filesystem 'isolation' only.

Containers provide more: process resources are isolated via kernel namespaces and resource usage is controlled via cgroups.
Both the host and container share the same kernel.
The "container" is not a in-kernel term. The closest definition: namespaces + cgroups = containers.

Concepts

Following linux kernel concepts are the building blocks of containers

Namespaces

Wrapper over global system resources.
For all processes within the namespace makes the system resources appear like isolated (dedicated) instance.
Changes to the global resource are visible to other processes that are members of the namespace, but are invisible to other processes.

By default linux provides following namespaces

namespace	isolates
`Cgroup`	Cgroup root directory. Processes inside this namespace are only able to view paths relative to their namespace root
`IPC`	System V IPC, POSIX message queues
`Network`	Network devices, ports, etc.
`Mount`	Mount points
`PID`	Process IDs
`User`	User and group IDs
`UTS`	Hostname and NIS domain

Each namespace is assigned unique inode number:

> ls /proc/7320/ns -al
dr-x--x--x 2 thedude thedude 0 May 20 20:19 .
dr-xr-xr-x 9 thedude thedude 0 May 20 19:29 ..
lrwxrwxrwx 1 thedude thedude 0 May 20 20:19 cgroup -> cgroup:[4076531835]
lrwxrwxrwx 1 thedude thedude 0 May 20 20:19 ipc -> ipc:[4026537839]
lrwxrwxrwx 1 thedude thedude 0 May 20 20:19 mnt -> mnt:[4026537840]
lrwxrwxrwx 1 thedude thedude 0 May 20 20:19 net -> net:[4026537969]
lrwxrwxrwx 1 thedude thedude 0 May 20 20:19 pid -> pid:[4026537836]
lrwxrwxrwx 1 thedude thedude 0 May 20 20:19 user -> user:[4026731837]
lrwxrwxrwx 1 thedude thedude 0 May 20 20:19 uts -> uts:[4026571838]

userspace tools

lsns

Control groups

Usually referred as cgroups. Linux feature that organises processes into hierarchical groups whose usage of various types of resources can be limited and monitored

Union file systems

TODO

Benefits

faster than full VM (doesn't require running hypervisor)
easier to provision (doesn't require full VM setup)
cheaper
better resource utilization
easier to scale

Solutions

Docker
LXC

References

Modern Linux Administration - Sam R. Alapati

General
OS
- Fundamentals
  - Memory
  - Kernel
- init
- Packages
- Crypto
- File systems
  - BTRFS
  - CIFS
  - SSHFS
- unattended installation
Networks
- Configuration
- Protocols
  - SSH
  - SSL
- Link layer
- Sockets
- Routing
- Tunneling
  - IPsec
- Debugging
- LoRa
Virtualization
- VM
  - KVM
  - Virtualbox
  - VFIO
- Lightweight VM
  - Docker
  - LXC
Infrastructure as a code
- Foreman
- Salt
  - Configuration
  - Minions
  - Master
  - Transport
  - Scripts
  - Modules
    - Events and Reactor
  - SSH
- Kubernetes
  - PODs
  - Service
  - Volumes
  - Controllers
  - Admin
- Helm
- Vagrant
Desktop environments
- KDE
Monitoring
- Benchmarking
  - IO

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Containerization

Containerization

Concepts

Namespaces

userspace tools

Control groups

Union file systems

Benefits

Solutions

References

Clone this wiki locally