Containers

A container is simply a portable software package. In this article, let’s go through the evolution of virtualization and containers.

chroot

  • chroot was added into Unix 7 in 1982.
  • It is a way to change the root directory for the currently running process.
  • A chroot environment can be used to create and host a separate virtualized copy of the software system.
  • Linux jail/chroot jail
    • A jail is a directory tree within your file system. A user cannot see any directories or files that are outside the jail directory. Therefore, the user is jailed in that directory and its subdirectories.
  • Limitation: a root user can bypass the restrictions of a chroot. It is recommended to run processes in the chroot environment as non-root users.

https://en.wikipedia.org/wiki/Chroot

[root ~]# mkdir /home/myroot
[root ~]# cd /home/myroot
[root myroot]# pwd
/home/myroot

[root myroot]# mkdir /home/myroot/bin
[root myroot]# mkdir /home/myroot/lib64
[root myroot]# ls
bin  lib64

[root myroot]# cp /bin/ls /home/myroot/bin/
[root myroot]# cp /bin/bash /home/myroot/bin/

[root myroot]# ldd /bin/ls
        linux-vdso.so.1 =>  (0x00007ffd2fd6f000)
        libselinux.so.1 => /lib64/libselinux.so.1 (0x00007f7088f7e000)
        libcap.so.2 => /lib64/libcap.so.2 (0x00007f7088d79000)
        libacl.so.1 => /lib64/libacl.so.1 (0x00007f7088b70000)
        libc.so.6 => /lib64/libc.so.6 (0x00007f70887a2000)
        libpcre.so.1 => /lib64/libpcre.so.1 (0x00007f7088540000)
        libdl.so.2 => /lib64/libdl.so.2 (0x00007f708833c000)
        /lib64/ld-linux-x86-64.so.2 (0x00007f70891a5000)
        libattr.so.1 => /lib64/libattr.so.1 (0x00007f7088137000)
        libpthread.so.0 => /lib64/libpthread.so.0 (0x00007f7087f1b000)
[root myroot]# cp /lib64/libselinux.so.1 /home/myroot/lib64/
[root myroot]# cp /lib64/libcap.so.2 /home/myroot/lib64/
[root myroot]# cp /lib64/libacl.so.1 /home/myroot/lib64/
[root myroot]# cp /lib64/libc.so.6 /home/myroot/lib64/
[root myroot]# cp /lib64/libpcre.so.1 /home/myroot/lib64/
[root myroot]# cp /lib64/libdl.so.2 /home/myroot/lib64/
[root myroot]# cp /lib64/ld-linux-x86-64.so.2 /home/myroot/lib64/
[root myroot]# cp /lib64/libattr.so.1 /home/myroot/lib64/
[root myroot]# cp /lib64/libpthread.so.0 /home/myroot/lib64/

[root myroot]# ldd /bin/bash
        linux-vdso.so.1 =>  (0x00007ffe619cd000)
        libtinfo.so.5 => /lib64/libtinfo.so.5 (0x00007fa9c8c11000)
        libdl.so.2 => /lib64/libdl.so.2 (0x00007fa9c8a0d000)
        libc.so.6 => /lib64/libc.so.6 (0x00007fa9c863f000)
        /lib64/ld-linux-x86-64.so.2 (0x00007fa9c8e3b000)
[root myroot]# cp /lib64/libtinfo.so.5 /home/myroot/lib64/

[root myroot]# chroot /home/myroot /bin/bash
bash-4.2# ls
bin  lib64
bash-4.2# vi test.txt
bash: vi: command not found
bash-4.2# cat --help
bash: cat: command not found
bash-4.2# exit
exit

In this isolated chroot environment, you can only use the “ls” command.
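The manual copy steps above (ldd each binary, then cp every library it lists) can be scripted. The following is an added example, not part of the original post: it parses ldd output and copies each binary plus its libraries under the new root, preserving their paths. It assumes a glibc host with GNU coreutils and awk.

```shell
#!/bin/sh
# Added example: build a minimal chroot tree from a list of binaries.
# Assumes an x86-64 glibc host where ldd prints "lib => /path (addr)" lines.

# Read ldd output on stdin and print one absolute library path per line.
# Handles "libc.so.6 => /lib64/libc.so.6 (0x...)" and the bare loader line
# "/lib64/ld-linux-x86-64.so.2 (0x...)"; skips linux-vdso, which has no file.
ldd_paths() {
    awk '
        $2 == "=>" && $3 ~ /^\// { print $3; next }
        $1 ~ /^\// { print $1 }
    '
}

# Copy one file into $root, recreating the same directory path beneath it.
copy_into_root() {
    root=$1; src=$2
    mkdir -p "$root$(dirname "$src")"
    cp -p "$src" "$root$src"
}

# Copy each binary and every shared library ldd reports for it.
build_chroot() {
    root=$1; shift
    for bin in "$@"; do
        copy_into_root "$root" "$bin"
        ldd "$bin" | ldd_paths | while read -r lib; do
            copy_into_root "$root" "$lib"
        done
    done
}

# Usage (entering the jail needs root):
#   build_chroot /home/myroot /bin/bash /bin/ls
#   chroot /home/myroot /bin/bash
# Dropping to an unprivileged numeric UID/GID inside the jail, per the
# limitation noted above (65534 is a placeholder for your chosen user):
#   chroot --userspec=65534:65534 /home/myroot /bin/bash
```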


Linux Namespaces

  • Namespaces allow for partitioning kernel resources and have been used since 2002.

namespaces

  • mnt (Mount): The mnt namespace controls the mount points that are visible to each process.
  • pid (Process ID): The pid namespace gives processes an independent set of process IDs, separate from other namespaces.
  • net (Network): The net namespace allows each process to have its own network stack.
  • ipc (Interprocess Communication)
  • uts (Unix Time Sharing): A single system can present different host and domain names to different processes.
  • user (User ID): A key security feature; isolates user IDs (UIDs) and group IDs (GIDs).
  • cgroup (Control Group)

[root ~]# ip netns list
[root ~]# ip netns add test-ns
[root ~]# ip netns list
test-ns

Control Groups

The “control group” is a Linux kernel feature that limits and isolates the resource usage (CPU, memory, disk I/O, network, etc.) of a set of processes.

Control Group Subsystems

A subsystem is a kernel component that changes the behavior of the processes or tasks in a control group.

  • blkio: accounts for the I/O of each set of processes; used to set throttle limits
  • cpu: limits and reports CPU usage
  • device: controls access to devices
  • freezer: suspends or resumes tasks in a cgroup
  • memory: limits and reports memory usage
  • net_cls: tracks the packets from a particular cgroup task by tagging network packets with a classid
  • net_prio: sets the priority of network traffic

Virtualization

  • A virtual machine (VM) is the virtualization/emulation of a computer system.
  • A hypervisor is a type of software, firmware, or hardware that creates and runs virtual machines.

Type-1 hypervisors (native or bare-metal)

  • These hypervisors run directly on the host’s hardware to control the hardware and manage guest operating systems.

Type-2 hypervisors (hosted)

  • These hypervisors run on a conventional OS just as other computer programs do. They abstract guest OSs from the host operating system.


LXC/LXD

LXC (Linux Containers)

  • LXC is OS-level virtualization for running multiple isolated Linux containers using a single Linux kernel.

The Linux kernel provides the cgroups functionality that allows limitation and prioritization of resources (CPU, memory, block I/O, network, etc.) without the need for starting any virtual machines, and also the namespace isolation functionality that allows complete isolation of an application’s view of the operating environment, including process trees, networking, user IDs and mounted file systems. LXC combines the kernel’s cgroups and support for isolated namespaces to provide an isolated environment for applications.

https://en.wikipedia.org/wiki/LXC

  • LXD (Linux Container Daemon) is an open-source container management extension for LXC. It is built on top of LXC and aims to provide a better user experience.
