Exploring the technology and standards behind containers, diving deep into the container runtime, and using the containerd daemon to bring up containers to explain the inner workings.
Student aspiring to be a security researcher / engineer
Part of null’s Cloud Security Study Group
Have been diving into Cloud and Cloud Native as a result
Picture this: Docker → Docker Engine → docker & dockerd → Containers → cgroups / namespaces → containerd → runC → ...
Ever tried to explore and understand what containers are, how Docker works, and how containers are made, only to have terms like these confuse you?
Docker ~= Containers
Docker is almost synonymous with containers, but containers are their own technology. Docker has abstracted them to make them usable for packaging applications.
Your docker run -it ubuntu bash command is the Docker CLI. It talks to dockerd, the Docker daemon, which is what pulls the image and spawns the container.
We’ve found new rabbit holes! “The Docker daemon relies on an OCI compliant runtime (invoked via the containerd daemon) as its interface to the Linux kernel namespaces, cgroups, and SELinux.”
That is one loaded sentence. Let’s break it down, then. Not this kind of breakdown, although this truly was me when I was first trying to understand it.
cgroups: a Linux kernel feature that allows processes to be organized into hierarchical groups whose usage of resources can be monitored or controlled.
cgroups: control the usage of resources
namespaces: control the visibility of resources
You can make your own container from scratch using cgroups and namespaces!
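As an added example (not from the deck, and not Docker's or containerd's code), the two primitives above put to work by hand: a cgroup v2 leaf that caps CPU and memory, then unshare plus chroot to give a shell its own PID, mount, UTS, IPC and network namespaces. It assumes Linux with cgroup v2 mounted at /sys/fs/cgroup (cpu and memory controllers enabled in the root cgroup.subtree_control), util-linux unshare, root privileges, and an extracted root filesystem at $ROOTFS that contains /proc and /bin/sh (the path is a placeholder).

```shell
#!/bin/sh
# Added example, not from the deck: a bare-bones "container" built only from
# cgroups (what the process may USE) and namespaces (what it may SEE).
set -eu

ROOTFS="${ROOTFS:-/tmp/rootfs}"   # assumed path of an extracted rootfs
CG="/sys/fs/cgroup/demo"          # our own leaf cgroup; the name is arbitrary

# cgroup v2 cpu.max is "<quota> <period>" in microseconds per period;
# 50 (percent) -> "50000 100000", i.e. at most half of one CPU.
cpu_max_line() { echo "$(( $1 * 1000 )) 100000"; }

# Turn a human-readable size (256M, 1G, or plain bytes) into the byte count
# that cgroup v2 memory.max expects.
mem_max_bytes() {
  n="${1%[KMG]}"
  case "$1" in
    *K) echo $(( n * 1024 )) ;;
    *M) echo $(( n * 1024 * 1024 )) ;;
    *G) echo $(( n * 1024 * 1024 * 1024 )) ;;
    *)  echo "$n" ;;
  esac
}

# cgroups: bound what the container may use. $1 = CPU percent, $2 = memory.
setup_cgroup() {
  mkdir -p "$CG"
  cpu_max_line "$1" > "$CG/cpu.max"
  mem_max_bytes "$2" > "$CG/memory.max"
  echo $$ > "$CG/cgroup.procs"   # move this shell in; whatever it execs inherits
}

# namespaces: bound what the container may see. unshare gives the child fresh
# PID, mount, UTS, IPC and network namespaces; --mount-proc mounts a new procfs
# (so `ps` inside lists only the container's processes) at the rootfs' /proc
# before chroot hides the host filesystem.
run_container() {
  setup_cgroup "$1" "$2"
  exec unshare --pid --fork --uts --ipc --net --mount \
       --mount-proc="$ROOTFS/proc" \
       chroot "$ROOTFS" /bin/sh -c 'hostname demo 2>/dev/null; exec /bin/sh'
}

# Usage, as root: ROOTFS=/path/to/rootfs sh container.sh 50 256M
if [ "$#" -eq 2 ]; then
  run_container "$1" "$2"
fi
```

Inside the shell, ps shows only the container's own processes and hostname reads demo, while the host can watch the limits being enforced through the files under /sys/fs/cgroup/demo.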
Coming back to the explanation. Let’s do OCI next: “The Docker daemon relies on an OCI compliant runtime (invoked via the containerd daemon) as its interface to the Linux kernel namespaces, cgroups, and SELinux.”
OCI (Open Container Initiative)
It’s an open governance structure (formed by Docker, CoreOS, etc.) to decide on container formats and runtimes. It is designed to set standards and specifications so that the same image runs on any compliant engine:

# Running an image
❯ docker run example.com/org/app:v1.0.0
❯ rkt run example.com/org/app:v1.0.0
❯ some-random-engine run example.com/org/app:v1.0.0

Runtime Specification: defines exactly how your container starts and runs when you run docker run.
Image Specification: defines the standard format of a container image.
“The Docker daemon relies on an OCI compliant runtime (invoked via the containerd daemon) as its interface to the Linux kernel namespaces, cgroups, and SELinux.”
Hands on with containerd
containerd is a Go-native way to bring up and spawn containers. You can control containerd manually too!
ctr: the containerd CLI tool
Go APIs