Linux Containers
Container technology is now part of the CI/CD. Well-known are LXC and Docker.
What is the container?
There are lots of answers to this question, but the concise one that I like most is
Why containers are matter?
Because of isolation.
How?
The question I am going to try to answer in this story is to get insight into how containers work.
How to isolate an application at the operating system level?
The term of resource-isolated we mentioned before tells us where to look. Let’s walk through this concept.
As we know, an application corresponds to a process running on the operating system. Now, let’s start thinking at the process level and ask.
How to isolate a process at the operating system level?
Each process consumes the operating system resources to complete its execution. These resources used by processes are shared.
Let’s say a few.
- File System
- Network
- PID Tree
- I/O Devices
- Physical Resources(CPU, RAM)
If we can allocate a certain part of each resource to only one process, we can call that the process is resource-isolated.
In fact, container means a process the resources it uses are isolated rather than operating system virtualization.
Now, I think our perspective on the concept of the container has changed a little bit more. Let’s move forward with some concrete steps.
Consider the filesystem from the shared resources.
How can we allocate a part of the filesystem to a process? In other words, how to change the filesystem that a process runs on?
If we can achieve this, we would isolate the process from the filesystem and it only can access the files allocated to it. This means that it can not interfere with the filesystem of other processes on the operating system.
Remember, when we get into the Docker container and list the files, it seems as we are on a new operating system.
Let’s take help from the chroot command and leave it here with a demo for better understanding.
This command, which stands for Change Root, changes the root directory of the filesystem a process runs on.
As you know, everything is a file in Linux, so processes are also. The hierarchy in the Linux file system is that all files are located under the root directory, and each file path follows the root directory. With the chroot command, we can change the root directory of any process we want.
So, let’s try to create our own container environment by chrooting the bash process.
The bash allows us to access and manage the Linux operating system. All the processes we run are added under the process tree as children of the bash process.
Since we want to isolate the filesystem, let’s do a few preparations.
- Create a new directory acting as a root directory.
- Copy the bash command with its dependencies into the new root directory.
- Do the same for other commands(ls, pwd, mkdir, etc.) want to test.
- Create several new directories for testing.
- Run the
chroot /<new_root_directory> /bin/bashand go.
# create new directory acting as a root
mkdir /opt/newroot# copy the bash command with its dependencies into the new root directory.
# ldd command helps to list dependenciesldd /bin/bash
linux-vdso.so.1 => (0x00007ffc5a958000)
libtinfo.so.5 => /lib/x86_64-linux-gnu/libtinfo.so.5
libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6
/lib64/ld-linux-x86-64.so.2mkdir /opt/newroot/bin
cp /bin/bash /opt/newroot/bin/bash
cp -a /lib /opt/newroot/lib
cp -a /lib64 /opt/newroot/lib64# let's do the same for the ls, pwd and cat commands.
cp /bin/{ls,pwd,mkdir,cat} /opt/newroot/bin/# Finally, let's add a few new directories.
mkdir /opt/newroot/opt /opt/newroot/tmp /opt/newroot/varchroot /opt/newroot /bin/bash
#!
Although we are actually under the /opt/newroot directory on the shell, it seems as under the different root directory and most importantly, as a new operating system.
Container technology is not built on chroot. The purpose of use here is to bring an insight into how container technology works. Container technology is developed on the namespaces that come with the Linux 2.6.24 version.
Let’s leave it here for now.
In the next story, we can go into topics such as namespace, cgroup, and get more detailed answers to the question of how, and then take a journey to LXC.
Your feedback is very important on issues that you think are incorrect or incomplete information.
