new post: hand-crafted containers [WIP] - monochromatic - monochromatic blog: http://blog.z3bra.org
git clone git://z3bra.org/monochromatic
---
commit 076c73eb2cf52b5b1fdac70165a64c1566c4b053
parent a26a56e2b2b6ce9160eea02f98e29b3800e31da1
Author: z3bra <willyatmailoodotorg>
Date: Tue, 22 Mar 2016 23:44:28 +0100
new post: hand-crafted containers [WIP]
Diffstat:
A 2016/03/hand-crafted-containers.txt | 75 +++++++++++++++++++++++++++++++
M Makefile | 1 +
M config.mk | 5 +++--
3 files changed, 79 insertions(+), 2 deletions(-)
---
diff --git a/2016/03/hand-crafted-containers.txt b/2016/03/hand-crafted-containers.txt
t@@ -0,0 +1,75 @@
+# [Hand-made containers](#)
+## — 18 March, 2016
+
+### 0. intro
+
+Containers are the latest trend, for a good reason: they leave room for new
+ideas in terms of security, flexibility, performance and much more.
+
+But what are containers? It is a group of processes isolated together from the
+host operating system. This isolation can happen in different places
+(namespaces), be it in the network, the filesystem, the process tree, or all of
+them (there are more, in fact. More on this later).
+
+We can differenciate three types of containers:
+
++ operating system containers
++ application containers
++ I LIED!
+
+If we think about it, an operating system is a process `/sbin/init` that will
+spawn other subprocesses. This way, an operating system is nothing more than
+an application (a complex one). In this regard, there is only a single type of
+containers.
+We can now focus on what's really important, how do they work?
+
+### 1. namespaces
+
+That's a keyword, so let's ask our internet god what it means:
+
+> In computing, a namespace is a set of symbols that are used to organize
+> objects of various kinds, so that these objects may be referred to by name.
+>
+> -- sincerely, [wikipedia](https://en.wikipedia.org/wiki/Namespace)
+
+In other words, a namespace is a way to refer to one or more isolations applied
+to a process.
+When a namespace is created for a process, all its children will be created
+within this namespace, and inherit the "limitations" of the parent.
+
+#### mount
+The process will be able to mount and unmount filesystems without affecting
+the rest of the system. For example, if you unmount a partition within the
+namespace, all the processes within it will see it as unmounted, while it
+will remain mounted for all others processes on the host.
+
+#### UTS (Unix Time-Sharing)
+This will give the ability to change the host and domain name in the namespace
+without changing it on the host.
+
+#### IPC (Inter-Process Communication)
+This namespace concern shared memory, System V message queues and sempaphores.
+Processes in the namespace will be unable to communicate with the host's
+processes this way.
+
+#### network
+Processes will have their own network stack. This includes the routing table,
+firewall rules, sockets, and so on.
+
+#### PID (Process IDentification)
+Processes' IDs will get a different mapping that they have on the host. They
+will get renumbered, starting from 1.
+
+#### user
+The namespaces will have their own set of user and group IDs.
+
+### 2. making containers
+
+Now that we know what containers are and how they work, it's time to make
+some!
+
+2.0 chroot
+2.1 unshare / nsenter
+2.2 ip-netns
+
+3. cgroups
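Review bot: the namespace section has several spelling and grammar slips that should be fixed before the WIP tag comes off: `differenciate` should be `differentiate`, `sempaphores` should be `semaphores`, `This namespace concern shared memory` should read `concerns`, `all others processes` should be `all other processes`, and `a different mapping that they have on the host` should be `than they have`. The title also disagrees with the filename (`Hand-made containers` vs `hand-crafted-containers.txt`) and the dateline `18 March, 2016` predates the commit date, so pick one of each. Section 2 is still a bare outline (`2.0 chroot`, `2.1 unshare / nsenter`, `2.2 ip-netns`, `3. cgroups`) and lists `chroot` beside real namespace tools; when that part is written it should say plainly that chroot only changes a process's root directory and is not one of the isolation mechanisms described in section 1, otherwise the intro's "new ideas in terms of security" sets up the wrong expectation.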
diff --git a/Makefile b/Makefile
t@@ -24,6 +24,7 @@ HEADER = head.html
FOOTER = foot.html
$(FEEDS): index.txt
+ mkdir -p $(shell dirname $(FEEDS))
./feeds.sh $< > $@
.txt.html: $(HEADER) $(FOOTER)
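Review bot: the added recipe line shells out for a value make already has: `$(shell dirname $(FEEDS))` spawns a subshell and hands every word of `FEEDS` to a single `dirname` call, which breaks as soon as `FEEDS` lists more than one file. Since the rule's target is the feed file itself, `mkdir -p $(dir $@)` does the same job per target with no subshell. Also confirm the new line is tab-indented in the source file; the rendered diff cannot show that, and a space-indented recipe line is a make error.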
diff --git a/config.mk b/config.mk
t@@ -1,4 +1,4 @@
-MD =/usr/bin/markdown
+MD = ./markdown
NAME = monochromatic
PREFIX = /var/www/blog.z3bra.org
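Review bot: `MD = ./markdown` replaces the system `/usr/bin/markdown` with a binary expected in the repository root, but the diffstat shows nothing named `markdown` added or built by this commit, so a fresh clone fails at the `.txt.html` rule until that file exists. Either add the rule or submodule that produces `./markdown`, or document where it comes from and list it in `.gitignore` if it is a local build artifact. A relative path also only resolves when make is run from the repository root, so note that requirement too.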
t@@ -30,7 +30,8 @@ PAGES = index.html \
2015/06/vomiting-colors.html \
2015/08/cross-compiling-with-pcc-and-musl.html \
2015/08/install-alpine-at-onlinenet.html \
- 2016/01/make-your-own-distro.html
+ 2016/01/make-your-own-distro.html \
+ 2016/03/hand-crafted-containers.html
FEEDS = rss/feed.xml
EXTRA = css img vid data errors favicon.ico
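Review bot: adding `2016/03/hand-crafted-containers.html` to `PAGES` publishes the post on the next build, while the commit message marks it `[WIP]` and the file ends in a bare outline (`2.0 chroot` through `3. cgroups`). Keep the entry out of `PAGES` until the draft is finished, or the half-written page goes live with the rest of the site.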