monochromatic

monochromatic blog: http://blog.z3bra.org
git clone git://z3bra.org/monochromatic

commit 076c73eb2cf52b5b1fdac70165a64c1566c4b053
parent a26a56e2b2b6ce9160eea02f98e29b3800e31da1
Author: z3bra <willyatmailoodotorg>
Date:   Tue, 22 Mar 2016 23:44:28 +0100

new post: hand-crafted containers [WIP]

Diffstat:
2016/03/hand-crafted-containers.txt | 75+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Makefile | 1+
config.mk | 5+++--
3 files changed, 79 insertions(+), 2 deletions(-)

diff --git a/2016/03/hand-crafted-containers.txt b/2016/03/hand-crafted-containers.txt 
@@ -0,0 +1,75 @@ +# [Hand-made containers](#) +## &mdash; 18 March, 2016 + +### 0. intro + +Containers are the latest trend, for a good reason: they leave room for new +ideas in terms of security, flexibility, performance and much more. + +But what are containers? It is a group of processes isolated together from the +host operating system. This isolation can happen in different places +(namespaces), be it in the network, the filesystem, the process tree, or all of +them (there are more, in fact. More on this later). + +We can differenciate three types of containers: + ++ operating system containers ++ application containers ++ I LIED! + +If we think about it, an operating system is a process `/sbin/init` that will +spawn other subprocesses. This way, an operating system is nothing more than +an application (a complex one). In this regard, there is only a single type of +containers. +We can now focus on what's really important, how do they work? + +### 1. namespaces + +That's a keyword, so let's ask our internet god what it means: + +> In computing, a namespace is a set of symbols that are used to organize +> objects of various kinds, so that these objects may be referred to by name. +> +> -- sincerely, [wikipedia](https://en.wikipedia.org/wiki/Namespace) + +In other words, a namespace is a way to refer to one or more isolations applied +to a process. +When a namespace is created for a process, all its children will be created +within this namespace, and inherit the "limitations" of the parent. + +#### mount +The process will be able to mount and unmount filesystems without affecting +the rest of the system. For example, if you unmount a partition within the +namespace, all the processes within it will see it as unmounted, while it +will remain mounted for all others processes on the host. + +#### UTS (Unix Time-Sharing) +This will give the ability to change the host and domain name in the namespace +without changing it on the host. 
+ +#### IPC (Inter-Process Communication) +This namespace concern shared memory, System V message queues and sempaphores. +Processes in the namespace will be unable to communicate with the host's +processes this way. + +#### network +Processes will have their own network stack. This includes the routing table, +firewall rules, sockets, and so on. + +#### PID (Process IDentification) +Processes' IDs will get a different mapping that they have on the host. They +will get renumbered, starting from 1. + +#### user +The namespaces will have their own set of user and group IDs. + +### 2. making containers + +Now that we know what containers are and how they work, it's time to make +some! + +2.0 chroot +2.1 unshare / nsenter +2.2 ip-netns + +3. cgroups diff --git a/Makefile b/Makefile @@ -24,6 +24,7 @@ HEADER = head.html FOOTER = foot.html $(FEEDS): index.txt + mkdir -p $(shell dirname $(FEEDS)) ./feeds.sh $< > $@ .txt.html: $(HEADER) $(FOOTER) diff --git a/config.mk b/config.mk @@ -1,4 +1,4 @@ -MD =/usr/bin/markdown +MD = ./markdown NAME = monochromatic PREFIX = /var/www/blog.z3bra.org @@ -30,7 +30,8 @@ PAGES = index.html \ 2015/06/vomiting-colors.html \ 2015/08/cross-compiling-with-pcc-and-musl.html \ 2015/08/install-alpine-at-onlinenet.html \ - 2016/01/make-your-own-distro.html + 2016/01/make-your-own-distro.html \ + 2016/03/hand-crafted-containers.html FEEDS = rss/feed.xml EXTRA = css img vid data errors favicon.ico
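Review bot: In the 2016/03/hand-crafted-containers.txt hunk, the "#### mount" paragraph overstates the isolation: an unmount inside a new mount namespace stays invisible to the host only when the mount is private; a mount tree inherited through a raw unshare(CLONE_NEWNS) keeps its shared peer groups (and / is shared by default on systemd-based hosts), so the umount propagates back out. The paragraph should say that the tree has to be made private first (mount --make-rprivate /), which is also what util-linux's unshare(1) does for you. Same hunk, the PID paragraph says PIDs "will get renumbered, starting from 1": a process keeps its PID in every ancestor namespace and gets an additional one inside the new namespace (the first process there is PID 1), so "renumbered" is misleading. The user paragraph should mention the uid_map/gid_map mapping, since uid 0 inside mapping to an unprivileged uid outside is the security property of that namespace. Spelling: "differenciate" -> "differentiate", "sempaphores" -> "semaphores", "This namespace concern" -> "concerns", "a different mapping that they have" -> "than they have". The "## &mdash; 18 March, 2016" header also disagrees with the commit date (22 March).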
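Review bot: In the Makefile hunk, `mkdir -p $(shell dirname $(FEEDS))` runs a subshell when make parses the recipe and only works while FEEDS holds a single path; inside a recipe the built-in automatic variable gives the target's own directory without a subshell and per target: `mkdir -p $(@D)` (or `$(dir $@)`).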
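Review bot: In the first config.mk hunk, `MD = ./markdown` makes the .txt.html rule depend on an executable in the repository root that this commit does not add (the diffstat lists only the post, Makefile and config.mk), so unless it is already tracked a fresh clone fails to build; either add the script in the same commit or keep the /usr/bin/markdown default and override with `make MD=./markdown`. A relative path also only resolves when make is run from the top-level directory.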
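Review bot: In the second config.mk hunk the new page is appended to PAGES while the commit message marks the post [WIP] and sections 2.0 to 2.2 and 3 in the post are still bare headings; with PREFIX set to /var/www/blog.z3bra.org this publishes the unfinished post on the next install. Consider keeping it out of PAGES (or behind a separate DRAFTS variable) until the content is written.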