new post: hand-crafted containers [WIP] - monochromatic - monochromatic blog: http://blog.z3bra.org

git clone git://z3bra.org/monochromatic

---
commit 076c73eb2cf52b5b1fdac70165a64c1566c4b053
parent a26a56e2b2b6ce9160eea02f98e29b3800e31da1
Author: z3bra <mailto:willyatmailoodotorg>
Date: Tue, 22 Mar 2016 23:44:28 +0100

new post: hand-crafted containers [WIP]

Diffstat:
 A 2016/03/hand-crafted-containers.txt | 75 +++++++++++++++++++++++++++++++
 M Makefile | 1 +
 M config.mk | 5 +++--

3 files changed, 79 insertions(+), 2 deletions(-)
---
diff --git a/2016/03/hand-crafted-containers.txt b/2016/03/hand-crafted-containers.txt
@@ -0,0 +1,75 @@
+# [Hand-made containers](#)
+## — 18 March, 2016
+
+### 0. intro
+
+Containers are the latest trend, for a good reason: they leave room for new
+ideas in terms of security, flexibility, performance and much more.
+
+But what are containers? It is a group of processes isolated together from the
+host operating system. This isolation can happen in different places
+(namespaces), be it in the network, the filesystem, the process tree, or all of
+them (there are more, in fact. More on this later).
+
+We can differenciate three types of containers:
+
++ operating system containers
++ application containers
++ I LIED!
+
+If we think about it, an operating system is a process `/sbin/init` that will
+spawn other subprocesses. This way, an operating system is nothing more than
+an application (a complex one). In this regard, there is only a single type of
+containers.
+We can now focus on what's really important, how do they work?
+
+### 1. namespaces
+
+That's a keyword, so let's ask our internet god what it means:
+
+> In computing, a namespace is a set of symbols that are used to organize
+> objects of various kinds, so that these objects may be referred to by name.
+>
+> -- sincerely, [wikipedia](https://en.wikipedia.org/wiki/Namespace)
+
+In other words, a namespace is a way to refer to one or more isolations applied
+to a process.
+When a namespace is created for a process, all its children will be created
+within this namespace, and inherit the "limitations" of the parent.
+
+#### mount
+The process will be able to mount and unmount filesystems without affecting
+the rest of the system. For example, if you unmount a partition within the
+namespace, all the processes within it will see it as unmounted, while it
+will remain mounted for all others processes on the host.
+
+#### UTS (Unix Time-Sharing)
+This will give the ability to change the host and domain name in the namespace
+without changing it on the host.
+
+#### IPC (Inter-Process Communication)
+This namespace concern shared memory, System V message queues and sempaphores.
+Processes in the namespace will be unable to communicate with the host's
+processes this way.
+
+#### network
+Processes will have their own network stack. This includes the routing table,
+firewall rules, sockets, and so on.
+
+#### PID (Process IDentification)
+Processes' IDs will get a different mapping that they have on the host. They
+will get renumbered, starting from 1.
+
+#### user
+The namespaces will have their own set of user and group IDs.
+
+### 2. making containers
+
+Now that we know what containers are and how they work, it's time to make
+some!
+
+2.0 chroot
+2.1 unshare / nsenter
+2.2 ip-netns
+
+3. cgroups
diff --git a/Makefile b/Makefile
@@ -24,6 +24,7 @@ HEADER = head.html
 FOOTER = foot.html
 
 $(FEEDS): index.txt
+ mkdir -p $(shell dirname $(FEEDS))
 ./feeds.sh $< > $@
 
 .txt.html: $(HEADER) $(FOOTER)
diff --git a/config.mk b/config.mk
@@ -1,4 +1,4 @@
-MD =/usr/bin/markdown
+MD = ./markdown
 
 NAME = monochromatic
 PREFIX = /var/www/blog.z3bra.org
@@ -30,7 +30,8 @@ PAGES = index.html \
 2015/06/vomiting-colors.html \
 2015/08/cross-compiling-with-pcc-and-musl.html \
 2015/08/install-alpine-at-onlinenet.html \
- 2016/01/make-your-own-distro.html
+ 2016/01/make-your-own-distro.html \
+ 2016/03/hand-crafted-containers.html
 
 FEEDS = rss/feed.xml
 EXTRA = css img vid data errors favicon.ico
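Review bot: in the hunk for 2016/03/hand-crafted-containers.txt, section "2. making containers" is only an outline (`2.0 chroot`, `2.1 unshare / nsenter`, `2.2 ip-netns`, `3. cgroups`) with no body, and the post is tagged [WIP] in the commit message, so the text should say the sections are still to be written or the file should stay unpublished until they are. Two claims in "1. namespaces" need a caveat before this goes live: under "mount", an unmount stays invisible to the host only for a private mount; when a new mount namespace is created, mounts that are shared in the parent remain shared with it, so an unmount there propagates back, and the sentence should say "for a private mount" (or point at `mount --make-rprivate`); under "PID", the first process in the new namespace gets PID 1 and every process keeps a PID in each ancestor namespace, which is more precise than "renumbered". The "user" paragraph could add that the UID/GID mapping is what lets an unprivileged process create the other namespaces, since that is the security-relevant property. Spelling in the added lines: "differenciate" should be "differentiate", "This namespace concern" should be "concerns", "sempaphores" should be "semaphores", "all others processes" should be "all other processes", and "a different mapping that they have" should be "than they have".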
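Review bot: in the Makefile hunk, `mkdir -p $(shell dirname $(FEEDS))` forks a shell and relies on GNU make's `$(shell ...)`; `mkdir -p $(@D)` creates the target's own directory with the POSIX-defined automatic variable, needs no shell, and keeps working per target if FEEDS ever lists more than one file (with the current form all of them would be handed to a single dirname call). The rendered page shows the recipe line starting with a space; confirm it is a tab in the file or make will reject the rule.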
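Review bot: in the first config.mk hunk, `MD = ./markdown` replaces a system binary with a path relative to the directory make is invoked from, and no `markdown` file is part of this commit (the diffstat lists only the post, Makefile and config.mk), so a fresh clone no longer builds and the build now runs whatever happens to sit at ./markdown. Either commit the script or document where it comes from, and if it is a third-party tool fetched separately, record the version or hash it is expected to be.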
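Review bot: the second config.mk hunk adds 2016/03/hand-crafted-containers.html to PAGES, so the [WIP] post gets rendered and installed under PREFIX = /var/www/blog.z3bra.org with the next deployment. At the same time index.txt, which is the prerequisite of $(FEEDS) in the Makefile, is not touched by this commit, so the page is built but neither listed in the index nor in rss/feed.xml. If the post is meant to stay unpublished until finished, leave it out of PAGES for now; if it is meant to go out, add it to index.txt in the same commit.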