Understanding Containers through their Runtimes

Transcript

1. Understanding Containers through their Runtimes Siddharth Balyan 1 1

2. ❯ whoami 2 2

3. Student aspiring to be security researcher / engineer Part of

   null’s Cloud Security Study Group Have been diving into Cloud and Cloud Native as a result 3 3

4. Topics covered Docker and Containers Technologies behind a container (

   cgroups ; namespaces ; OCI; Container Runtime ) Container Runtime & containerd Hands-on on containerd using CLI and Golang API 4 4

5. Picture this Docker → Docker Engine → docker & dockerd

   → Containers → cgroups / namespaces → containerd → runC → Ever tried to explore and understand what containers are, how docker works, how containers are made and then having terms like these confuse you? 5 5

6. What are containers and where have you seen them 6

   6

7. Docker ~= Containers Docker almost synonymous with Containers. Containers are

   their own technology. Docker has abstracted them to making them usable for packaging applications. 7 7

8. Docker Architecture 8 8

9. So how does Docker work? 9 9

10. Your docker run -it ubuntu bash command is Docker CLI.

    It communicates to dockerd , the Docker Daemon which is what pulls the image and spawns the container. 10 10

11. 11 11

12. Let’s try to get a better understanding On to the

    documentation we go. 12 12

13. We’ve found new rabbit holes! “The Docker daemon relies on

    an OCI compliant runtime (invoked via the containerd daemon) as its interface to the Linux kernel namespaces , cgroups , and SELinux .” 13 13

14. That is one loaded sentence. Let’s break it down then.

    Not this kind of breakdown, although this truly was me when I was first trying to understand it. 14 14

15. Topic Breakdown The statement can be broken into 3 topics

    cgroups and namespaces OCI - Open Containers Initiative Container Runtimes 15 15

16. cgroups Linux kernel feature that allow processes to be organized

    into hierarchical groups whose usage of resources can be monitored or controlled. 16 16

17. 17 17

18. namespaces Linux kernel feature that partitions the kernel resources so

    that one set of resources can only view a specific set of resources. 18 18

19. 19 19

20. cgroups : Control the usage of resources namespaces : Control

    the visibility of resources You can make your own container from scratch using cgroups and namespaces ! 20 20

21. Coming back to the explanation Let’s do OCI next “The

    Docker daemon relies on a OCI compliant runtime (invoked via the containerd daemon) as its interface to the Linux kernel namespaces , cgroups , and SELinux .” 21 21

22. OCI (Open Container Initiative) It’s an open governance structure (formed

    by Docker, CoreOS etc.) to decide on container formats and runtimes. Designed to set standards and specifications so that; # Running an image ❯ docker run example.com/org/app:v1.0.0 ❯ rkt run example.com/org/app:v1.0.0 ❯ some-random-engine run example.com/org/app:v1.0.0 22 22

23. Runtime Specification: Defines how exactly does your container start and

    run when you run docker run . Image Specification: Defines the standard format of a container image. 23 23

24. So, OCI has defined a runtime standard which is to

    be followed by software programs which run the containers… 24 24

25. "The Docker daemon relies on a OCI compliant runtime (invoked

    via the containerd daemon) as its interface to the Linux kernel namespaces , cgroups , and SELinux .” 25 25

26. Container Runtime Container Runtimes: This is the software component that

    executes the containers on the host system. dockerd containerd cri-o 26 26

27. 27 27

28. 28 28

29. runC ??? 29 29

30. OCI ⇾ runC ⇾ containerd ⇾ dockerd ⇾ docker CLI

    ⇾ docker run -it ubuntu bash 30 30

31. 31 31

32. Hands on with containerd containerd is a Go-native way to

    bring up and spawn containers. You can use control containerd manually too! ctr : containerd CLI tool Go APIs 32 32

33. 33 33

34. containerd with ctr Pull and import images Create containers Start

    processes in containers Kill containers and images 34 34

35. containerd with Golang Using containerd Go APIs to: Pull an

    image Create, start and exit a task 35 35

36. References Ivan Velichko’s blogs: https://iximiuz.com/en/posts/oci- containers/ containerd Documentation: https://pkg.go.dev/github.com/containerd/containerd#se readme

    containerd Getting Started Page: https://containerd.io/docs/getting-started/ Demystifying Containers Series: https://github.com/saschagrunert/demystifying-containe 36 36