Let’s isolate a process with no container.







Readable example with code and explanation: welcometothebundle.com/isolate-a-process-with-no-container-like-docker


@liuggio welcometothebundle.com


@liuggio Giulio De Donato


What is a Container?



“I once heard that hypervisors are the living proof of operating system's incompetence”

-- Glauber Costa, LinuxCon Europe 2012



... containers ... “I would love to say months, but let's get realistic”

-- Glauber Costa, LinuxCon Europe 2012



It's all about ISOLATION



chroot?



Attacks

A chroot changes only what the process sees of the filesystem; it does nothing against resource exhaustion. Two one-liners that still take the host down from inside a chroot (an endless directory tree that eats inodes, and a fork bomb):

while true; do mkdir x; cd x; done

bomb() { bomb | bomb & }; bomb



GOAL OF TODAY:

- namespace
- cgroups
- ufs

(image: http://9gag.com/gag/aGxbmGz)



LXC vs DOCKER


Let’s start with the first set of slides

Once upon a time ...



NAMESPACE

Linux 2.6.23 (released in late 2007)

6 namespaces:
- mnt (mount points, filesystems)
- pid (processes)
- net (network stack)
- ipc (System V IPC)
- uts (hostname)
- user (UIDs)

Namespaces started in about 2002.



The namespaces API consists of these 3 system calls:

● clone() - creates a new process; with the CLONE_NEW* flags it also creates the corresponding namespaces, and the newly created process is placed in them.

● unshare() - takes a single parameter, flags. It does not create a new process; it creates the requested namespaces and moves the calling process into them (for CLONE_NEWPID only the caller's future children land in the new PID namespace).

● setns() - attaches the calling process to an existing namespace, given a file descriptor opened on /proc/<pid>/ns/<type>; added in Linux 3.0.
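Putting the two previous slides together, here is an added example (not code from the deck or from the linked article): a C program that calls clone() with CLONE_NEWUTS | CLONE_NEWPID | CLONE_NEWNS, so the child starts in fresh UTS, PID and mount namespaces, and reports what it sees from inside. The hostname isolated-demo and the stack size are assumptions for the demo. Run it as root; without CAP_SYS_ADMIN it retries with CLONE_NEWUSER, which works only on kernels that allow unprivileged user namespaces.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE            /* clone() and the CLONE_NEW* flags */
#endif
#include <errno.h>
#include <sched.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/mount.h>
#include <sys/wait.h>
#include <unistd.h>

/* What the child observed from inside its new namespaces. */
struct ns_report {
    pid_t pid_inside;     /* getpid() in the new PID namespace: the first process is PID 1 */
    char hostname[64];    /* hostname after sethostname() in the new UTS namespace */
    int mounts_private;   /* 1 once "/" is private in the new mount namespace */
};

/* Assumed for the demo: a hostname only the child will ever see, and a child stack. */
static const char DEMO_HOSTNAME[] = "isolated-demo";
static char child_stack[256 * 1024];

static int child_fn(void *arg)
{
    int pipe_wr = *(int *)arg;
    struct ns_report r;
    memset(&r, 0, sizeof r);

    /* Caveat: on systemd hosts "/" is a shared mount, so a mount done in the new
     * mount namespace would propagate back to the host. Switch propagation to
     * private first, which is what `unshare -m` does for you. */
    r.mounts_private = (mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL) == 0);

    /* Renaming the host inside the new UTS namespace leaves the real host untouched. */
    if (sethostname(DEMO_HOSTNAME, strlen(DEMO_HOSTNAME)) == 0)
        (void)gethostname(r.hostname, sizeof r.hostname - 1);
    r.pid_inside = getpid();

    if (write(pipe_wr, &r, sizeof r) < 0)
        return 1;
    return 0;
}

/* Start child_fn in new UTS, PID and mount namespaces and collect its report.
 * Returns 0 on success, or -errno when clone() is refused: EPERM without
 * CAP_SYS_ADMIN and with user namespaces disabled, EINVAL for a namespace
 * type compiled out of the kernel, or whatever a seccomp policy returns. */
int run_isolated(struct ns_report *out)
{
    int fds[2];
    if (pipe(fds) != 0)
        return -errno;

    int flags = CLONE_NEWUTS | CLONE_NEWPID | CLONE_NEWNS | SIGCHLD;
    void *stack_top = child_stack + sizeof child_stack;   /* the stack grows down */

    pid_t pid = clone(child_fn, stack_top, flags, &fds[1]);
    if (pid == -1 && errno == EPERM) {
        /* Unprivileged fallback: a user namespace created in the same call owns
         * the other namespaces and grants the capabilities needed to create them. */
        pid = clone(child_fn, stack_top, flags | CLONE_NEWUSER, &fds[1]);
    }
    if (pid == -1) {
        int e = errno;
        close(fds[0]);
        close(fds[1]);
        return -e;
    }
    close(fds[1]);
    ssize_t n = read(fds[0], out, sizeof *out);
    close(fds[0]);
    waitpid(pid, NULL, 0);
    return n == (ssize_t)sizeof *out ? 0 : -EIO;
}

int main(void)
{
    struct ns_report r;
    int rc = run_isolated(&r);
    if (rc != 0) {
        fprintf(stderr, "clone() with namespace flags failed: %s\n", strerror(-rc));
        return 1;
    }
    printf("inside:  pid=%d hostname=%s mounts_private=%d\n",
           (int)r.pid_inside, r.hostname, r.mounts_private);
    printf("outside: pid=%d, hostname unchanged\n", (int)getpid());
    return 0;
}
```

Build with `gcc -Wall -o ns_demo ns_demo.c` and run `sudo ./ns_demo`: the child reports pid=1 and hostname=isolated-demo while `hostname` on the host is unchanged. The same flags passed to unshare() would isolate the calling process instead of a new child; setns() is what `nsenter` uses to join the namespaces of an already running process.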


CGroups!

The cgroup (control groups) subsystem is a resource management and resource accounting/tracking solution, providing a generic process-grouping framework.

It handles resources such as memory, CPU, network and more; it is needed at both ends of the spectrum (servers and embedded).
∎ Development was started by engineers at Google in 2006 under the name "process containers".
∎ Merged into kernel 2.6.24 (2008).
∎ The cgroup core has 3 maintainers, and each cgroup controller has its own maintainer (cpu, memory, io).
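An added example of the mechanism (not code from the deck or its asciinema demo): a C program that creates a cgroup, caps it at a number of tasks and an amount of memory, moves a child process into it and reads the limits back. The pids controller is the direct answer to the fork bomb on the chroot slide. Assumed here: the cgroup v2 unified hierarchy mounted at /sys/fs/cgroup (the 2016-era v1 layout keeps one tree per controller, e.g. /sys/fs/cgroup/memory/<name>/memory.limit_in_bytes) and the throwaway group name isolate-demo. Needs root.

```c
#define _XOPEN_SOURCE 700      /* fork, kill, pause, mkdir */
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

/* Assumed for the demo: cgroup v2 at /sys/fs/cgroup and a throwaway group name. */
#define CG_ROOT "/sys/fs/cgroup"
#define CG_DEMO CG_ROOT "/isolate-demo"

static int write_str(const char *path, const char *s)
{
    int fd = open(path, O_WRONLY);
    if (fd < 0)
        return -errno;
    ssize_t n = write(fd, s, strlen(s));
    int err = n < 0 ? errno : EIO;
    close(fd);
    return n == (ssize_t)strlen(s) ? 0 : -err;
}

static int read_str(const char *path, char *buf, size_t len)
{
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return -errno;
    ssize_t n = read(fd, buf, len - 1);
    int err = n < 0 ? errno : 0;
    close(fd);
    if (n < 0)
        return -err;
    buf[n] = '\0';
    if (n > 0 && buf[n - 1] == '\n')
        buf[n - 1] = '\0';           /* cgroup files end with a newline */
    return 0;
}

/* Put a child process in a group limited to max_pids tasks and mem_limit bytes.
 * A fork bomb inside such a group gets EAGAIN from fork() instead of taking the
 * machine down; the memory controller does the same for memory hogs.
 * pids_max / memory_max receive what the kernel reports back. Returns 0 or
 * -errno (ENOENT: no cgroup v2 or controller missing, EACCES/EPERM: not root).
 * The demo group is always removed again. */
int confine_child(const char *max_pids, const char *mem_limit,
                  char *pids_max, char *memory_max, size_t len)
{
    if (access(CG_ROOT "/cgroup.controllers", F_OK) != 0)
        return -ENOENT;             /* cgroup v1 layout: per-controller trees */
    if (mkdir(CG_DEMO, 0755) != 0 && errno != EEXIST)
        return -errno;

    /* The knobs only appear once the parent delegates the controllers. On a
     * normal systemd root this already holds, so a failure here is not fatal. */
    write_str(CG_ROOT "/cgroup.subtree_control", "+pids +memory");

    int rc = write_str(CG_DEMO "/pids.max", max_pids);
    if (rc == 0)
        rc = write_str(CG_DEMO "/memory.max", mem_limit);

    pid_t child = -1;
    if (rc == 0) {
        child = fork();
        if (child == 0) {            /* stand-in for the workload to confine */
            pause();
            _exit(0);
        }
        if (child < 0)
            rc = -errno;
    }
    if (rc == 0) {
        char pidstr[32];
        snprintf(pidstr, sizeof pidstr, "%d", (int)child);
        rc = write_str(CG_DEMO "/cgroup.procs", pidstr);   /* move it into the group */
    }
    if (rc == 0)
        rc = read_str(CG_DEMO "/pids.max", pids_max, len);
    if (rc == 0)
        rc = read_str(CG_DEMO "/memory.max", memory_max, len);

    if (child > 0) {
        kill(child, SIGKILL);
        waitpid(child, NULL, 0);
    }
    rmdir(CG_DEMO);                  /* only succeeds once the group is empty */
    return rc;
}

int main(void)
{
    char pids[64], mem[64];
    int rc = confine_child("32", "67108864", pids, mem, sizeof pids);
    if (rc != 0) {
        fprintf(stderr, "cgroup setup failed: %s\n", strerror(-rc));
        return 1;
    }
    printf("pids.max=%s memory.max=%s\n", pids, mem);
    return 0;
}
```

Everything is plain file I/O on the cgroup filesystem, which is why the asciinema demo can do the same with mkdir and echo. Note that the child process is moved by writing its PID to cgroup.procs; a process that later fork()s stays in the group with all its descendants, so the fork bomb from the chroot slide stops at 32 tasks.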


DEMO CGROUPS

https://asciinema.org/a/7w13btk2uethz2e57lgpfz5ymor https://goo.gl/NyPMFJ


THIS IS A TREE


WHAT IS IT?


DEMO UFS

apt-get install aufs-tools

https://asciinema.org/~liuggio https://asciinema.org/a/41778


Union File System

● merges 2 branches (directories or devices) into a single directory
● combines a large, read-only file system with a small write area (like a live CD)

PRO
- file level
- no caches

CONS
- bad performance for big files
- not in kernel (aufs is an out-of-tree module)
- every extra layer costs
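An added example (not code from the deck or its asciinema demo) that builds exactly the live-CD arrangement described above: a read-only branch holding a base file, a small writable branch, both merged by aufs into one directory. The program then writes through the union and records where the data actually ends up. Scratch directories under /tmp are an assumption for the demo; it needs root and the aufs module (the "not in kernel" con above), otherwise mount() fails with ENODEV or EPERM.

```c
#define _XOPEN_SOURCE 700      /* mkdtemp, nftw */
#include <errno.h>
#include <fcntl.h>
#include <ftw.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mount.h>
#include <sys/stat.h>
#include <unistd.h>

/* Constructed content for the file that lives in the read-only branch. */
static const char BASE_CONTENT[] = "from the read-only branch\n";

struct union_result {
    int base_visible;   /* the ro branch's file shows up in the merged directory */
    int new_in_rw;      /* a file created through the union landed in the rw branch */
    int copied_up;      /* appending to the ro file produced a copy in the rw branch */
    int ro_unchanged;   /* while the original in the ro branch stayed exactly as it was */
};

static int write_file(const char *path, const char *s, int extra_flags)
{
    int fd = open(path, O_WRONLY | O_CREAT | extra_flags, 0644);
    if (fd < 0)
        return -1;
    ssize_t n = write(fd, s, strlen(s));
    close(fd);
    return n == (ssize_t)strlen(s) ? 0 : -1;
}

static long file_size(const char *path)
{
    struct stat st;
    return stat(path, &st) == 0 ? (long)st.st_size : -1;
}

static int rm_cb(const char *path, const struct stat *sb, int type, struct FTW *f)
{
    (void)sb; (void)type; (void)f;
    return remove(path);
}

static void rm_rf(const char *path)   /* aufs leaves .wh..wh.* metadata in the rw branch */
{
    nftw(path, rm_cb, 16, FTW_DEPTH | FTW_PHYS);
}

/* Merge a read-only branch and a small writable branch into one directory with
 * aufs and record where writes end up. Returns 0 or -errno (ENODEV: aufs not
 * available, EPERM: not root). Scratch dirs are removed on every path. */
int union_demo(struct union_result *out)
{
    char ro[] = "/tmp/ufs-ro-XXXXXX", rw[] = "/tmp/ufs-rw-XXXXXX", mnt[] = "/tmp/ufs-mnt-XXXXXX";
    char p[PATH_MAX], opts[2 * PATH_MAX];
    int rc = 0;

    memset(out, 0, sizeof *out);
    if (!mkdtemp(ro) || !mkdtemp(rw) || !mkdtemp(mnt)) {
        rc = -errno;
        rm_rf(ro); rm_rf(rw);
        return rc;
    }
    snprintf(p, sizeof p, "%s/base.txt", ro);
    write_file(p, BASE_CONTENT, O_TRUNC);

    /* aufs branch list: the leftmost branch is on top and receives all writes. */
    snprintf(opts, sizeof opts, "br=%s=rw:%s=ro", rw, ro);
    if (mount("none", mnt, "aufs", 0, opts) != 0) {
        rc = -errno;
    } else {
        snprintf(p, sizeof p, "%s/base.txt", mnt);
        out->base_visible = access(p, F_OK) == 0;
        write_file(p, "appended through the union\n", O_APPEND);  /* forces a copy-up */
        snprintf(p, sizeof p, "%s/new.txt", mnt);
        write_file(p, "created through the union\n", O_TRUNC);

        snprintf(p, sizeof p, "%s/new.txt", rw);
        out->new_in_rw = access(p, F_OK) == 0;
        snprintf(p, sizeof p, "%s/base.txt", rw);
        out->copied_up = access(p, F_OK) == 0;
        snprintf(p, sizeof p, "%s/base.txt", ro);
        out->ro_unchanged = file_size(p) == (long)strlen(BASE_CONTENT);
        umount(mnt);
    }
    rm_rf(ro); rm_rf(rw); rm_rf(mnt);
    return rc;
}

int main(void)
{
    struct union_result u;
    int rc = union_demo(&u);
    if (rc != 0) {
        fprintf(stderr, "aufs mount failed: %s\n", strerror(-rc));
        return 1;
    }
    printf("base visible=%d new file in rw=%d copied up=%d ro unchanged=%d\n",
           u.base_visible, u.new_in_rw, u.copied_up, u.ro_unchanged);
    return 0;
}
```

The copy-up is the whole trick and also the cost: the first write to a file that lives in a lower branch copies the entire file into the writable branch, which is why the slide lists bad performance for big files, and the lookup through every branch is why each extra layer costs.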


ZFS is a combination of a volume manager (like LVM) and a filesystem (like ext4, xfs, or btrfs). ZFS is one of the most beloved features of Solaris, universally coveted by every Linux sysadmin with a Solaris background.

● snapshots
● copy-on-write cloning
● continuous integrity checking against data corruption
● automatic repair
● efficient data compression

2016


UFS

CGROUPS

namespace


THANKS!


CREDITS

∎ www.welcometothebundle.com/isolate-a-process-with-no-container-like-docker
∎ https://github.com/opencontainers/runtime-spec/blob/master/config-linux.md#namespaces
∎ https://www.opencontainers.org/news/faqs/who-will-be-initial-technical-leadership
∎ http://www.cyberciti.biz/faq/unix-linux-chroot-command-examples-usage-syntax/
∎ http://s0.cyberciti.org/uploads/faq/2013/01/bash-chroot-ls-demo.gif
∎ https://www.flockport.com/lxc-vs-docker/
∎ http://ramirose.wix.com/ramirosen
∎ https://lwn.net/Articles/532593/
∎ https://lwn.net/Articles/531114/
∎ https://lwn.net/Articles/531381/
∎ https://lwn.net/Articles/528078/
∎ https://docs.docker.com/engine/reference/run/
∎ http://www.netdevconf.org/1.1/proceedings/slides/rosen-namespaces-cgroups-lxc.pdf
∎ https://www.stgraber.org/2013/12/20/lxc-1-0-blog-post-series/
∎ https://skillsmatter.com/skillscasts/7101-building-containers-from-scratch-for-fun-and-profit
∎ https://docs.oracle.com/cd/E18752_01/html/817-5093/bkupsnapshot-9.html
∎ https://www.flickr.com/photos/15514374@N05/10164384915/in/photolist-guc8vM-eUsLmk-bUx1od-snDG6D-4EdN6w-dRNW5S-92a5Rc-bqLMQX-9W8h5y-b4nUUZ-qBTHgX-qP1gRX-bjCEPC-9tmmnk-eiz69R-dUwHXM-ff6xuP-J1cvu-7FC9CK-5QNat5-sniS97-dmWZqi-9FJL3F-e5QKNc-oaepa3-dHcamQ-4EJPTP-eB42Pm-aywhxM-eSZ6Gv-jhYq8x-cXnWtd-6HXxUg-8ZKp87-5BL32d-7g3EHP-4gc756-cBECqo-oBFK5Y-9fUMLY-e7z58s-oViSZU-pKrEsE-6J2D5b-6HXwrz-6HXxt8-9k3DeV-9k6CLy-qFGW5B-hrxHnf
∎ https://docs.docker.com/engine/userguide/storagedriver/device-mapper-driver/
∎ https://docs.docker.com/engine/userguide/storagedriver/zfs-driver/
∎ Presentation template by SlidesCarnival


BUILD A CONTAINER ALL YOUR OWN!!


Have you ever heard about this?
- What is
- Who
- Why