Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Containerization primatives
Search
Sam Kottler
November 05, 2014
Technology
0
150
Containerization primatives
Sam Kottler
November 05, 2014
Tweet
Share
More Decks by Sam Kottler
See All by Sam Kottler
This is your database on Linux
skottler
0
280
How to Debug Anything - DevOpsDay PGH
skottler
1
1.2k
Icinga at DigitalOcean
skottler
1
1k
PuppetConf '14
skottler
0
230
Configuration Management Anti-Patterns
skottler
2
1.2k
Other Decks in Technology
See All in Technology
AI時代に非連続な成長を実現するエンジニアリング戦略
sansantech
PRO
3
970
シークレット管理だけじゃない!HashiCorp Vault でデータ暗号化をしよう / Beyond Secret Management! Let's Encrypt Data with HashiCorp Vault
nnstt1
3
170
ヒューリスティック評価を用いたゲームQA実践事例
gree_tech
PRO
0
460
Function Body Macros で、SwiftUI の View に Accessibility Identifier を自動付与する/Function Body Macros: Autogenerate accessibility identifiers for SwiftUI Views
miichan
2
160
Kubernetes における cgroup v2 でのOut-Of-Memory 問題の解決
pfn
PRO
0
450
LLM翻訳ツールの開発と海外のお客様対応等への社内導入事例
gree_tech
PRO
0
470
事業価値と Engineering
recruitengineers
PRO
8
5.5k
TypeScript入門
recruitengineers
PRO
35
12k
AIのグローバルトレンド2025 #scrummikawa / global ai trend
kyonmm
PRO
1
200
DuckDB-Wasmを使って ブラウザ上でRDBMSを動かす
hacusk
1
140
Grafana MCPサーバーによるAIエージェント経由でのGrafanaダッシュボード動的生成
hamadakoji
1
1.2k
Automating Web Accessibility Testing with AI Agents
maminami373
0
750
Featured
See All Featured
10 Git Anti Patterns You Should be Aware of
lemiorhan
PRO
656
61k
YesSQL, Process and Tooling at Scale
rocio
173
14k
Responsive Adventures: Dirty Tricks From The Dark Corners of Front-End
smashingmag
252
21k
Rebuilding a faster, lazier Slack
samanthasiow
83
9.1k
Become a Pro
speakerdeck
PRO
29
5.5k
Designing Dashboards & Data Visualisations in Web Apps
destraynor
231
53k
Six Lessons from altMBA
skipperchong
28
4k
Helping Users Find Their Own Way: Creating Modern Search Experiences
danielanewman
29
2.8k
Automating Front-end Workflow
addyosmani
1370
200k
Build The Right Thing And Hit Your Dates
maggiecrowley
37
2.8k
Fight the Zombie Pattern Library - RWD Summit 2016
marcelosomers
234
17k
Building Applications with DynamoDB
mza
96
6.6k
Transcript
CONTAINERIZATION PRIMITIVES Sam Kottler @samkottler
ABOUT ME • Work at DigitalOcean as a systems engineer
• Formerly of Red Hat, Venmo, Acquia • Committer/core for Puppet, Ansible, Fedora, CentOS, RubyGems, Bundler
WE’RE GONNA BE TALKING ABOUT LINUX
GOOD TO KNOW’S • What is a syscall • Basic
understanding of linux networking • Containers vs. virtualization
WHY DO WE CARE ABOUT ANY OF THIS?
CONTAINERS ARE THE PAST *, PRESENT, AND FUTURE * Most
of the linux ideas are poached from other OS’s
VIRTUALIZATION HAS BECOME MASSIVELY POPULAR BECAUSE OF ITS ECONOMICS
CONTAINERS ARE BECOMING MASSIVELY POPULAR BECAUSE THEY ALLOW LOGICAL SEPARATION
APPLICATION VS. FULL CONTAINERS
NETWORKS, USERS, AND PROCESSES
NAMESPACES • mnt: filesystem • pid: process • net: network
• ipc: SysV IPC • uts: hostname • user: UID
THE BASICS • Namespaces do not have names • Six
inodes exist under /proc/<pid>/ns • Each namespace has a unique inode
USERSPACE TOOLING • iproute2 • util-linux • systemd
NAMESPACE SYSCALLS • unshare() • moves existing process into a
new namespace • clone() • creates new process and namespace • setns() • joins an existing namespace
NETWORK ISOLATION • One namespace per networking device • Single
default namespace, init_net(*nets) • A lo device is included in every ns_net.
NETWORK NAMESPACES IN PRACTICE • ip netns add testns1 •
creates /var/run/netns/testns1 • route management per-NS • prevents cross-NS bonds • setns(int fd, int nstype) • validates namespace type vs. FD
SOCKET ISOLATION • Sockets are mapped into network namespaces •
Also part of a single network namespace • sk_net is part of the sock struct • sock_net()/sock_net_set() getter/setter
SOCKET ACTIVATION • Listen on a socket, but have no
services behind it • Request arrives, service is spun up, responds • Enabling 10k+ low-usage services on a VM
USER ISOLATION • Allows non-privileged usage • Often used as
the start of a namespace chain • UID’s come from the overflow rules
CGROUPS • Resource management • Around since 2006/2007 • Widely
used by userspace management tools
CGROUPS + NAMESPACES • “This PID can only see part
of the filesystem” • “This PID can only see part of the filesystem, use 384mb of memory, and utilize a single CPU.”
CGROUP IMPLEMENTATION • Hooks into fork() and exit() • VFS
of a new type called “cgroup” • More complex descriptors for task_struct • Procfs entry in /proc/<pid>/cgroup • All actions take place on the FS
CGROUP MANAGEMENT • 4 files per-cgroup • tasks • cgroup.procs
• cgroup.event_control • notify_on_release
CPU • Split into “shares” • Default is 2048 shares
• Linear CPU time use
MEMORY • Exposes most of the memory subsystem • NUMA
management • Most complex type of cgroup
LETS TALK ABOUT SECURITY…
SHARING A KERNEL IS INHERENTLY LESS SECURE
KERNEL VULNERABILITIES AROUND BREAKOUT ARE USUALLY MITIGATED BY RUNNING SERVICES
NON- PRIVILEGED
THANKS! • @samkottler • https://github.com/skottler •
[email protected]