Upgrade to PRO for Only $50/Year—Limited-Time Offer! 🔥

Introduction to Containers

Introduction to Containers

A short introduction to Linux containers.

Alexandre Vicenzi

May 18, 2022
Tweet

More Decks by Alexandre Vicenzi

Other Decks in Technology

Transcript

  1. Copyright © SUSE 2022 What is a Linux container? —

    A form to isolate applications from the host OS — Allow developers to pack all dependencies — Easy to move between environments — Easy to develop, deploy and manage — Extra layer of security
  2. Copyright © SUSE 2022 History time! — chroot introduced in

    1979 the concept of process isolation — FreeBSD Jails introduced in 2000 the concept of resources partition — Linux VServer (2001), the Jails mechanism for Linux — Open VZ (2005) introduced virtualized containers for Linux — cgroups (Linux resource partition) and LXC (LinuX Containers) – Introduced in the Linux 2.6 release in 2008 — Docker was introduced in 2013 – Containers started to explode in popularity
  3. Copyright © SUSE 2022 Do containers only exist in Linux?

    — Windows-based containers runs only on Windows — Linux-based containers runs on Linux and Windows — Docker can only run Linux-based containers – Uses a VM on Windows or WSL — FreeBSD and Solaris also have their own container implementation — macOS has no native container implementation – Can run Docker and Linux-based with VMs
  4. Copyright © SUSE 2022 Namespaces — Wraps global system resources

    — Processes think it has its own global resource — Processes can share namespaces or have exclusive access — Types available – Cgroup, IPC, Network, Mount, PID, Time, User, UTS
  5. Copyright © SUSE 2022 Control Groups (cgroups) — Isolates the

    resource usage – CPU, memory, disk I/O, network, etc. — Allow processes to be organized into hierarchical groups — Usage of resources can be limited and monitored — Version 1 – Many inconsistencies — Version 2 – Intended to replace v1 – Implements only a subset of controllers in v1
  6. Copyright © SUSE 2022 Capabilities — Fine-grained control over superuser

    permissions — Avoid the need to use root user – Process has "root access" to attributed capability but not entire system — Replaces the use setuid attribute — Root user can bypass all permission checks — For example – CAP_SYS_TIME allows the process to set system clock
  7. Copyright © SUSE 2022 Security — Secure Computing (seccomp) –

    Restrict syscalls usage — Linux Security Modules (LSM) – AppArmor, SELinux, Smack, etc
  8. Copyright © SUSE 2022 What is a container runtime? —

    Low level component used by container engines — Manages the container lifecycle – Creates and run containers – Not required to do much else — Provides information for container engines – Metadata, mount points — Responsible for setting up – cgroups, SELinux policy, App Armor rules
  9. Copyright © SUSE 2022 Popular runtimes — runC – Open

    Containers Initiative (OCI) reference implementation – User by Docker, CRI-O and others — crun — Railcar (deprecated) — Non OCI — LXC — systemd-nspawn — RKT (deprecated, former CoreOS container runtime)
  10. Copyright © SUSE 2022 Non-native runtimes — Kata Containers –

    Virtualized containers – VMs are lightweight – Stronger isolation and security — gVisor – Host kernel is not shared – Instead it uses a "unikernel" – Stronger isolation and security — Nabla Containers – Unikernel approach
  11. Copyright © SUSE 2022 What is a container runtime interface?

    — Kubernetes was originally based on Docker — Gained popularity and needed alternative runtime support — New spec is created to describe container orchestration – The Container Runtime Interface (CRI) — CRI allows to support multiple runtimes without custom changes — CRI has additional concerns than runtime – Image management and distribution, storage, networking and more
  12. Copyright © SUSE 2022 Popular CRI — containerd – Docker's

    high-level runtime interface – Uses runC by default — crio-o – RedHat implementation for Kubernetes – Uses runC or crun (with cgroups v2) — frakti – VM based CRI – Kata absorbed many features and frakti is less relevant today
  13. Copyright © SUSE 2022 What is a container engine? —

    Software that accepts user requests (CLI) — Engines do not run containers — Engines manages resources – Pull images, Remove images – Prepare container mount point – Prepare metadata for the runtime — Communicates with runtime to run user commands
  14. Copyright © SUSE 2022 Popular engines — Docker – The

    only single binary tool — Podman — nerdctl
  15. Copyright © SUSE 2022 © 2022 SUSE LLC. All Rights

    Reserved. SUSE and the SUSE logo are registered trademarks of SUSE LLC in the United States and other countries. All third-party trademarks are the property of their respective owners. For more information, contact SUSE at: +1 800 796 3700 (U.S./Canada) Maxfeldstrasse 5 90409 Nuremberg www.suse.com Thank you