Containers:
Under the Hood
Vincent Batts @vbatts
$> finger $(whoami)
Login: vbatts Name: Vincent Batts
Directory: /home/vbatts Shell: /bin/bash
Such mail.
Plan:
OHMAN
$> id -Gn
devel opencontainers docker appc redhat golang slackware
Hands-on:
- capabilities
- Syscalls
- Namespaces
- Copy-On-Write (CoW)
- Archives
p.s. Don't forget to fill out the surveys!
So,
Why, Containers?
Single Application
Full System
But Not a VM
Except Maybe a VM
Pods of applications
Labels of services
Non-root
Desktop Applications
OMG AND CATS
But Wait,
What does "container" mean to you?
Capabilities
- capabilities(7)
- setpriv(1) (only on some versions of util-linux)
- capsh(1)
- proc(5)
Demo
Good Idea:
Bad Idea:
whistling while you work
whistling while you eat
Demo
Syscalls
Good Idea:
Bad Idea:
feeding a stray kitten in the park
feeding a stray kitten in the park to a bear
Demo
Namespaces
Good Idea:
Bad Idea:
playing catch with your grandpa
playing catch with your grandpa
Demo
Copy-on-write (COW)
Good Idea:
Bad Idea:
being served breakfast in bed
being served tennis balls in bed
FS *MAGIC*
Good Idea:
Bad Idea:
ordering a chili dog to go
ordering a chili dog that makes you go
tar archives
Good Idea:
Bad Idea:
Dressing up at Halloween as a pirate
Dressing up at Halloween as a piñata