Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Containerization primatives
Search
Sam Kottler
November 05, 2014
Technology
0
150
Containerization primatives
Sam Kottler
November 05, 2014
Tweet
Share
More Decks by Sam Kottler
See All by Sam Kottler
This is your database on Linux
skottler
0
280
How to Debug Anything - DevOpsDay PGH
skottler
1
1.2k
Icinga at DigitalOcean
skottler
1
1k
PuppetConf '14
skottler
0
230
Configuration Management Anti-Patterns
skottler
2
1.2k
Other Decks in Technology
See All in Technology
自分がLinc’wellで提供しているプロダクトを理解するためにやったこと
murabayashi
1
150
LIXIL基幹システム刷新に立ち向かう技術的アプローチについて
tsukuha
1
1.1k
SREを知らずに SREマネージャーになった話 / How I Became an SRE Manager Without Knowing What SRE Is
moneyforward
0
240
ゼロから始めるSREの事業貢献 - 生成AI時代のSRE成長戦略と実践 / Starting SRE from Day One
shinyorke
PRO
0
210
ML Pipelineの開発と運用を OpenTelemetryで繋ぐ @ OpenTelemetry Meetup 2025-07
getty708
0
170
Maintainer Meetupで「生の声」を聞く ~講演だけじゃないKubeCon
logica0419
1
140
BEYOND THE RAG🚀 ~とりあえずRAG?を超えていけ! 本当に使えるAIエージェント&生成AIプロダクトを目指して~ / BEYOND-THE-RAG-Toward Practical-GenerativeAI-Products-AOAI-DevDay-2025
jnymyk
4
220
Shadow DOMとセキュリティ - 光と影の境界を探る / Shibuya.XSS techtalk #13
masatokinugawa
0
240
Railsの限界を超えろ!「家族アルバム みてね」の画像・動画の大規模アップロードを支えるアーキテクチャの変遷
ojima_h
2
210
今だから言えるセキュリティLT_Wordpress5.7.2未満を一斉アップデートせよ
cuebic9bic
2
200
How Do I Contact Jetblue Airlines® Reservation Number: Fast Support Guide
thejetblueairhelpsupport
0
270
[SRE NEXT 2025] すみずみまで暖かく照らすあなたの太陽でありたい
carnappopper
2
860
Featured
See All Featured
個人開発の失敗を避けるイケてる考え方 / tips for indie hackers
panda_program
108
19k
Performance Is Good for Brains [We Love Speed 2024]
tammyeverts
10
990
CoffeeScript is Beautiful & I Never Want to Write Plain JavaScript Again
sstephenson
161
15k
[RailsConf 2023] Rails as a piece of cake
palkan
55
5.7k
Designing for Performance
lara
610
69k
Put a Button on it: Removing Barriers to Going Fast.
kastner
60
3.9k
Save Time (by Creating Custom Rails Generators)
garrettdimon
PRO
31
1.3k
Fireside Chat
paigeccino
37
3.5k
JavaScript: Past, Present, and Future - NDC Porto 2020
reverentgeek
50
5.5k
Side Projects
sachag
455
43k
A designer walks into a library…
pauljervisheath
207
24k
Scaling GitHub
holman
461
140k
Transcript
CONTAINERIZATION PRIMITIVES Sam Kottler @samkottler
ABOUT ME • Work at DigitalOcean as a systems engineer
• Formerly of Red Hat, Venmo, Acquia • Committer/core for Puppet, Ansible, Fedora, CentOS, RubyGems, Bundler
WE’RE GONNA BE TALKING ABOUT LINUX
GOOD TO KNOW’S • What is a syscall • Basic
understanding of linux networking • Containers vs. virtualization
WHY DO WE CARE ABOUT ANY OF THIS?
CONTAINERS ARE THE PAST *, PRESENT, AND FUTURE * Most
of the linux ideas are poached from other OS’s
VIRTUALIZATION HAS BECOME MASSIVELY POPULAR BECAUSE OF ITS ECONOMICS
CONTAINERS ARE BECOMING MASSIVELY POPULAR BECAUSE THEY ALLOW LOGICAL SEPARATION
APPLICATION VS. FULL CONTAINERS
NETWORKS, USERS, AND PROCESSES
NAMESPACES • mnt: filesystem • pid: process • net: network
• ipc: SysV IPC • uts: hostname • user: UID
THE BASICS • Namespaces do not have names • Six
inodes exist under /proc/<pid>/ns • Each namespace has a unique inode
USERSPACE TOOLING • iproute2 • util-linux • systemd
NAMESPACE SYSCALLS • unshare() • moves existing process into a
new namespace • clone() • creates new process and namespace • setns() • joins an existing namespace
NETWORK ISOLATION • One namespace per networking device • Single
default namespace, init_net(*nets) • A lo device is included in every ns_net.
NETWORK NAMESPACES IN PRACTICE • ip netns add testns1 •
creates /var/run/netns/testns1 • route management per-NS • prevents cross-NS bonds • setns(int fd, int nstype) • validates namespace type vs. FD
SOCKET ISOLATION • Sockets are mapped into network namespaces •
Also part of a single network namespace • sk_net is part of the sock struct • sock_net()/sock_net_set() getter/setter
SOCKET ACTIVATION • Listen on a socket, but have no
services behind it • Request arrives, service is spun up, responds • Enabling 10k+ low-usage services on a VM
USER ISOLATION • Allows non-privileged usage • Often used as
the start of a namespace chain • UID’s come from the overflow rules
CGROUPS • Resource management • Around since 2006/2007 • Widely
used by userspace management tools
CGROUPS + NAMESPACES • “This PID can only see part
of the filesystem” • “This PID can only see part of the filesystem, use 384mb of memory, and utilize a single CPU.”
CGROUP IMPLEMENTATION • Hooks into fork() and exit() • VFS
of a new type called “cgroup” • More complex descriptors for task_struct • Procfs entry in /proc/<pid>/cgroup • All actions take place on the FS
CGROUP MANAGEMENT • 4 files per-cgroup • tasks • cgroup.procs
• cgroup.event_control • notify_on_release
CPU • Split into “shares” • Default is 2048 shares
• Linear CPU time use
MEMORY • Exposes most of the memory subsystem • NUMA
management • Most complex type of cgroup
LETS TALK ABOUT SECURITY…
SHARING A KERNEL IS INHERENTLY LESS SECURE
KERNEL VULNERABILITIES AROUND BREAKOUT ARE USUALLY MITIGATED BY RUNNING SERVICES
NON- PRIVILEGED
THANKS! • @samkottler • https://github.com/skottler • shk@linux.com