Author: z3bra <willyatmailoodotorg>
Date: Tue, 22 Mar 2016 23:44:28 +0100
new post: hand-crafted containers [WIP]
3 files changed, 79 insertions(+), 2 deletions(-)
diff --git a/2016/03/hand-crafted-containers.txt b/2016/03/hand-crafted-containers.txt
@@ -0,0 +1,75 @@
+# [Hand-made containers](#)
+## — 18 March, 2016
+### 0. intro
+Containers are the latest trend, for a good reason: they leave room for new
+ideas in terms of security, flexibility, performance and much more.
+But what are containers? It is a group of processes isolated together from the
+host operating system. This isolation can happen in different places
+(namespaces), be it in the network, the filesystem, the process tree, or all of
+them (there are more, in fact. More on this later).
+We can differenciate three types of containers:
++ operating system containers
++ application containers
++ I LIED!
+If we think about it, an operating system is a process `/sbin/init` that will
+spawn other subprocesses. This way, an operating system is nothing more than
+an application (a complex one). In this regard, there is only a single type of
+We can now focus on what's really important, how do they work?
+### 1. namespaces
+That's a keyword, so let's ask our internet god what it means:
+> In computing, a namespace is a set of symbols that are used to organize
+> objects of various kinds, so that these objects may be referred to by name.
+> -- sincerely, [wikipedia](https://en.wikipedia.org/wiki/Namespace)
+In other words, a namespace is a way to refer to one or more isolations applied
+to a process.
+When a namespace is created for a process, all its children will be created
+within this namespace, and inherit the "limitations" of the parent.
+The process will be able to mount and unmount filesystems without affecting
+the rest of the system. For example, if you unmount a partition within the
+namespace, all the processes within it will see it as unmounted, while it
+will remain mounted for all others processes on the host.
+#### UTS (Unix Time-Sharing)
+This will give the ability to change the host and domain name in the namespace
+without changing it on the host.
+#### IPC (Inter-Process Communication)
+This namespace concern shared memory, System V message queues and sempaphores.
+Processes in the namespace will be unable to communicate with the host's
+processes this way.
+Processes will have their own network stack. This includes the routing table,
+firewall rules, sockets, and so on.
+#### PID (Process IDentification)
+Processes' IDs will get a different mapping that they have on the host. They
+will get renumbered, starting from 1.
+The namespaces will have their own set of user and group IDs.
+### 2. making containers
+Now that we know what containers are and how they work, it's time to make
+2.1 unshare / nsenter
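Review bot: two sentences in the post are cut mid-phrase: "there is only a single type of" breaks off before its object, and "it's time to make" at the end of section 2 stops the same way; both need their endings before the page is built, even as WIP. The mount, network and user namespace paragraphs ("The process will be able to mount and unmount filesystems", "Processes will have their own network stack", "The namespaces will have their own set of user and group IDs") carry no `####` heading, unlike UTS, IPC and PID, so they read as continuations of the previous section; `#### MNT (Mount)`, `#### NET (Network)` and `#### USER` would make the list match the "there are more" promise in the intro. The user namespace line is the one worth a second sentence on how UIDs inside the namespace map onto host UIDs, since that mapping is what decides whether uid 0 inside the container carries any privilege outside it. "2.1 unshare / nsenter" also lacks its heading marker, and there are typos to fix: "differenciate", "sempaphores", "This namespace concern" (concerns), "all others processes" (other), "different mapping that they have" (than).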
diff --git a/Makefile b/Makefile
@@ -24,6 +24,7 @@ HEADER = head.html
FOOTER = foot.html
+ mkdir -p $(shell dirname $(FEEDS))
./feeds.sh $< > $@
.txt.html: $(HEADER) $(FOOTER)
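Review bot: the added `mkdir -p $(shell dirname $(FEEDS))` spawns a separate shell just to run `dirname` and hard-codes FEEDS instead of using the target the rule is building; `mkdir -p $(@D)` gives the target's directory with no extra shell and stays correct if FEEDS changes or the rule gains more targets. Since this is a recipe line, also check that it is tab-indented like `./feeds.sh $< > $@`; this rendering strips leading whitespace, so it cannot be verified from the diff.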
diff --git a/config.mk b/config.mk
@@ -1,4 +1,4 @@
+MD = ./markdown
NAME = monochromatic
PREFIX = /var/www/blog.z3bra.org
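Review bot: the header `@@ -1,4 +1,4 @@` says one line was replaced by another, but only the added `MD = ./markdown` is visible here, so the removed line (presumably the previous MD definition) is not shown in this rendering and is worth confirming. `./markdown` is also resolved relative to the directory make is run from, so a `make -f` from elsewhere, or a cron job with a different working directory, will not find the binary; `$(CURDIR)/markdown` or an absolute path avoids that.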
@@ -30,7 +30,8 @@ PAGES = index.html \
+ 2016/01/make-your-own-distro.html \
FEEDS = rss/feed.xml
EXTRA = css img vid data errors favicon.ico
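Review bot: `2016/03/hand-crafted-containers.html`, the page the first hunk's new post would produce, is not added to PAGES here; only `2016/01/make-your-own-distro.html` is. If leaving it out is deliberate because the post is WIP, the commit message should say so; if not, it needs its own `\`-continued line in this list. The January entry also looks unrelated to this commit's subject and might belong in a commit of its own.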