You have probably heard a lot about containers. But what are they really? Some talk about them as lightweight VMs, others put an equation sign between containers and projects like LXC, Docker and Rocket. It is so confusing! In reality containers are simple. They are built by direct usage of modern linux kernel features and all aforementioned projects are generally doing the same thing while providing a slightly different mental model. If you want to build a container all you really need is a relatively new linux distro on your laptop. Join us to learn what a container is and how to build one by yourself without installing Docker or LXC, even without writing code.

1. DIY Containers

2. whoami
◇ uid=Georgi Sabev
◇ gid=SAP
◇ groups=SAP,Garden

3. What is a
container?

4. From the outside
◇ Runs different linux distros
◇ Ssh to it as root
◇ Install software
◇ Feels like a VM

5. However
◇ Cannot run different OSes
◇ Immensely faster/lighter.
◇ Shares same kernel with other containers
◇ All processes visible from outside
◇ Process on steroids

6. How do I
build one?

7. You will not need
◇ Docker, LXC, Rocket, etc
◇ Programming skills
◇ Superpowers

8. You will need
◇ A recent linux kernel
◇ Root privileges
◇ Duct tape

9. Building
Blocks

10. Containers don’t exist
◇ No first class concept for container
◇ First class concepts for resource isolation
◇ Processes running in isolation
◇ It’s mostly duct tape

11. Namespaces
◇ Isolate certain aspects of a process
◇ Give the process a view of the system
◇ Every process is running in one namespace of
each type

12. Namespaces
◇ Mount
◇ Net
◇ User
◇ Pid
◇ Ipc
◇ Uts
◇ Cgroup

13. Namespace Operations
◇ Created by unshare command
◇ Can be nested
◇ Initially identical to parent namespace
◇ Live until last process in namespace exits
◇ Changes go away with the namespace
◇ Can be joined using the nsenter command

14. The UTS Namespace
unshare -u
hostname container

15. Small
detour...

16. Virtual filesystems
◇ Everything is a file
◇ Export network storage, memory or kernel data
via the filesystem interface
◇ The /proc filesystem

17. /proc
ll /proc
cat /proc/self/environ
ll /proc/self/ns

18. Root filesystem
◇ Mounted on /
◇ Contains vital binaries and configurations
◇ Accessible via /proc/self/root
◇ Other filesystems are mounted on dirs in th rootfs
◇ Mountpoints visible in /proc/mounts

19. Back on
track

20. The Mount Namespace
unshare -m
mount -t tmpfs none test
cat /proc/mounts
touch test/a

21. Changing the rootfs
◇ chroot
◇ pivot_root

22. pivot_root
debootstrap xenial rootfs/
unshare -m
mount --bind rootfs/ rootfs/
pivot_root rootfs/ rootfs/old
cd /
umount -l old/

23. The Pid Namespace
unshare -mpf
mount -t proc none /proc
ls /proc
ps -ef
# from outside run
ps -ef

24. Entering namespaces
nsenter -t <pid> -m -p

25. The User namespace
◇ Container to host uid mappings
◇ Root in container, unprivileged on the host
◇ User nobody

26. The User namespace
unshare -U
whoami
echo ‘0 1000 1’ > /proc/<pid>/uid_mapping

27. Combining all

28. Let’s Recap
unshare -Uumpf # as uid 1000
echo ‘0 1000 1’ > /proc/<pid>/{u,g}id_mapping
mount --bind rootfs/ rootfs/
mount -t proc none rootfs/proc
pivot_root rootfs/ rootfs/old
cd / && umount -l old/
hostname container
exec /bin/bash

29. Summary
◇ There are no containers
◇ It is like lego
◇ Docker is just one lego set

30. Thanks!
Any questions?
You can find me at:
◇ georgi.sabev@sap.com