containers: under the hood (vincent batts)
TRANSCRIPT
$> finger $(whoami)
Login: vbatts                           Name: Vincent Batts
Directory: /home/vbatts                 Shell: /bin/bash
Such mail.
Plan:
OHMAN
$> id -Gn
devel opencontainers docker appc redhat golang slackware
HANDS-ON:
  Capabilities
  Syscalls
  Copy-On-Write (CoW)
  Archives
  Namespaces
p.s. Don't forget to fill out the surveys!
SO, WHY CONTAINERS?
Single Application
Full System
But Not a VM
Except Maybe a VM
Pods of applications
Labels of services
Non-root
Desktop Applications
OMG AND CATS
https://www.flickr.com/photos/27549668@N03/
CAPABILITIES
capabilities(7), setpriv(1) (only on some versions of util-linux), capsh(1), proc(5)
DEMO
SYSCALLS
seccomp(2), proc(5)
GOOD IDEA: feeding a stray kitten in the park
BAD IDEA: feeding a stray kitten in the park to a bear
DEMO
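The capabilities and syscalls sections both point at proc(5): the kernel reports a process's capability sets (CapEff, CapBnd, ...), its seccomp mode and its no_new_privs bit in /proc/PID/status. The following is an added example, not a demo from the talk; the function names (cap_decode, status_field, sandbox_state) are this example's own. It decodes the hex masks to capability names the way `capsh --decode` does, and reads the seccomp state next to them so one call shows how much of the kernel a process can still reach.

```shell
#!/bin/sh
# Added example (not from the talk): read a process's capability sets and seccomp
# state from /proc/PID/status (proc(5)) and decode the hex masks to names, the way
# `capsh --decode` does.  Function and variable names are this example's own.

# Capability names in bit order, from include/uapi/linux/capability.h
# (bit 0 = CAP_CHOWN ... bit 40 = CAP_CHECKPOINT_RESTORE).
CAP_NAMES="chown dac_override dac_read_search fowner fsetid kill setgid setuid \
setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock \
ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot \
sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control \
setfcap mac_override mac_admin syslog wake_alarm block_suspend audit_read perfmon \
bpf checkpoint_restore"

# cap_decode HEXMASK -> comma-separated cap_* names set in the mask (empty for 0)
cap_decode() {
  mask=$(printf '%d' "0x${1:-0}")
  i=0; out=""
  for name in $CAP_NAMES; do
    if [ $(( (mask >> i) & 1 )) -eq 1 ]; then
      out="${out:+$out,}cap_$name"
    fi
    i=$((i + 1))
  done
  printf '%s\n' "$out"
}

# status_field STATUS_FILE NAME -> value of the "NAME:<tab>value" line
status_field() {
  awk -v k="$2:" '$1 == k { print $2; exit }' "$1"
}

# sandbox_state [STATUS_FILE] -> effective caps, bounding set, seccomp mode, no_new_privs
# Seccomp: 0 = disabled, 1 = strict (read/write/exit/sigreturn only), 2 = BPF filter.
# An effective set that is empty but a bounding set that is not means a setuid or
# file-capability binary can still regain those capabilities unless no_new_privs=1.
sandbox_state() {
  f=${1:-/proc/self/status}
  case $(status_field "$f" Seccomp) in
    0) mode=disabled ;; 1) mode=strict ;; 2) mode=filter ;; *) mode=unknown ;;
  esac
  printf 'eff=%s bnd=%s seccomp=%s no_new_privs=%s\n' \
    "$(cap_decode "$(status_field "$f" CapEff)")" \
    "$(cap_decode "$(status_field "$f" CapBnd)")" \
    "$mode" "$(status_field "$f" NoNewPrivs)"
}

# Typical use (Linux):
#   sandbox_state                      # this shell
#   sandbox_state /proc/1234/status    # another process, e.g. a container's pid 1
# Cross-check with util-linux / libcap tooling:
#   capsh --decode=00000000a80425fb
#   setpriv --bounding-set -all --inh-caps -all --no-new-privs \
#       sh -c 'grep -E "^(Cap|NoNewPrivs)" /proc/self/status'
```

The mask `00000000a80425fb` used in the test below is a 14-capability set (chown, dac_override, fowner, fsetid, kill, setgid, setuid, setpcap, net_bind_service, net_raw, sys_chroot, mknod, audit_write, setfcap); the sample status file is constructed for the example. The "good idea / bad idea" slide applies here: an allowlist of the syscalls the workload actually makes (seccomp=filter) is the kitten; running with seccomp=disabled and a full bounding set hands the kitten to the bear.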
NAMESPACES
unshare(1), proc(5), lsns(8)
DEMO
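Whether a process is actually in its own namespaces is visible in /proc/PID/ns/: each entry is a symlink whose target, e.g. `net:[4026531992]`, names the namespace by inode, and lsns(8) is built on the same links. The following is an added example rather than the talk's demo; the function names (ns_id, ns_diff, ns_shared) are its own, and the /proc root is a parameter so the check also runs against a copied-out tree.

```shell
#!/bin/sh
# Added example (not from the talk): compare the namespaces two processes live in by
# reading the /proc/PID/ns/* symlinks (proc(5)), which is what lsns(8) parses too.
# Function names are this example's own; PROC_ROOT is normally /proc.

# Namespace types, in the order the kernel added them is irrelevant; alphabetical here.
NS_TYPES="cgroup ipc mnt net pid time user uts"

# ns_id PROC_ROOT PID TYPE -> "type:[inode]" link target; fails if the kernel lacks TYPE
ns_id() {
  readlink "$1/$2/ns/$3" 2>/dev/null
}

# ns_diff PROC_ROOT PID_A PID_B -> "type id_a id_b" for each namespace the pids do NOT share
ns_diff() {
  for t in $NS_TYPES; do
    a=$(ns_id "$1" "$2" "$t") || continue
    b=$(ns_id "$1" "$3" "$t") || continue
    if [ "$a" != "$b" ]; then
      printf '%s %s %s\n' "$t" "$a" "$b"
    fi
  done
}

# ns_shared PROC_ROOT PID_A PID_B -> namespace types the pids share.  With PID_A=1 and
# PID_B a "container" process, every type listed is one the container is NOT isolated in
# (a shared net namespace, say, means it sees the host's interfaces and sockets).
ns_shared() {
  for t in $NS_TYPES; do
    a=$(ns_id "$1" "$2" "$t") || continue
    b=$(ns_id "$1" "$3" "$t") || continue
    if [ "$a" = "$b" ]; then
      printf '%s\n' "$t"
    fi
  done
}

# Live use on Linux:
#   ns_diff /proc 1 "$(pgrep -f my-service)"    # what the service has of its own
#   ns_shared /proc 1 $$                         # a plain shell shares everything with init
# Make a fresh user, mount and net namespace and look from inside it:
#   unshare -Urmn sh -c 'id; readlink /proc/self/ns/user /proc/self/ns/net; lsns -p $$'
```

The test builds a fake /proc tree with symlinks whose targets are constructed inode numbers (no namespace is created), so it runs unprivileged; on a real host the same functions read the kernel's links.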
COPY-ON-WRITE (CoW)
lvmthin(7), btrfs-subvolume(8), overlayFS
FS *MAGIC*
shared subtree propagation
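Both the overlay layering and the propagation state of every mount are readable from /proc/PID/mountinfo (proc(5)): the optional fields `shared:N`, `master:N` and `unbindable` before the `-` separator carry the subtree propagation, and an overlay mount's super options carry `lowerdir`/`upperdir`/`workdir`. The following is an added example, not part of the talk; the function names (mount_propagation, overlay_layers, shared_with_host) are its own. It is the check to run inside a container to see whether its mounts would leak back to the host.

```shell
#!/bin/sh
# Added example (not from the talk): read mount propagation and overlay layer layout
# from /proc/PID/mountinfo (proc(5)).  The file is a parameter so the functions also
# work on a copied-out mountinfo; the default is the calling process's own.
#
# mountinfo line layout:
#   ID PARENT MAJ:MIN ROOT MOUNTPOINT OPTS [shared:N] [master:N] [propagate_from:N] [unbindable] - FSTYPE SOURCE SUPEROPTS

# mount_propagation [MOUNTINFO] -> "<mountpoint> <fstype> <propagation>" per mount
#   private:    nothing propagates in or out
#   shared:     mounts made under it propagate to every peer in group N (for a
#               container's bind of a host directory: back to the host)
#   slave:      receives mounts from group N but sends none back (mount(8)'s
#               --make-slave; the usual choice inside a container)
#   unbindable: cannot be bind-mounted at all
mount_propagation() {
  awk '{
    sep = 7; while (sep <= NF && $sep != "-") sep++
    shared = 0; slave = 0; unb = 0
    for (i = 7; i < sep; i++) {
      if ($i ~ /^shared:/) shared = 1
      else if ($i ~ /^master:/) slave = 1
      else if ($i == "unbindable") unb = 1
    }
    prop = "private"
    if (unb) prop = "unbindable"
    else if (shared && slave) prop = "shared,slave"
    else if (shared) prop = "shared"
    else if (slave) prop = "slave"
    print $5, $(sep + 1), prop
  }' "${1:-/proc/self/mountinfo}"
}

# overlay_layers [MOUNTINFO] -> "<mountpoint> <key>=<dirs>" for each overlay mount:
# lowerdir (read-only image layers, colon-separated, leftmost on top), upperdir (this
# container's writable layer, where the copy-up of a modified file lands), workdir
overlay_layers() {
  awk '{
    sep = 7; while (sep <= NF && $sep != "-") sep++
    if ($(sep + 1) != "overlay") next
    n = split($(sep + 3), o, ",")
    for (i = 1; i <= n; i++)
      if (o[i] ~ /^(lowerdir|upperdir|workdir)=/) print $5, o[i]
  }' "${1:-/proc/self/mountinfo}"
}

# shared_with_host [MOUNTINFO] -> mount points with shared propagation.  Run inside a
# container, a non-empty result means mounts made under them appear in the peer group
# too, normally the host's mount tree.
shared_with_host() {
  mount_propagation "${1:-/proc/self/mountinfo}" | awk '$3 ~ /shared/ { print $1 }'
}

# Cross-check on a live system:
#   findmnt -o TARGET,FSTYPE,PROPAGATION
#   unshare -Urm sh -c 'mount --make-rprivate /; findmnt -o TARGET,PROPAGATION /'
```

The test feeds constructed mountinfo lines (the inode and device numbers are made up) so it runs without root; the same functions read the live file by default.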
TAR ARCHIVES
format, tar-split
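The tar "format" is a sequence of 512-byte blocks: a header per entry, then the entry's data padded to a block boundary, then two zero blocks. The header checksum covers every header byte, which is why a tool such as tar-split, which separates an archive into file contents and the raw header/padding bytes so the original stream can be reassembled byte for byte, must preserve those bytes exactly. The following is an added example, not code from the talk or from tar-split; the function names (zeros, tar_mkheader, tar_header, tar_walk, tar_unsafe_paths) are its own. It writes a ustar header, verifies checksums, walks an archive, and flags entry names that would escape the extraction directory, the check an extractor needs before trusting a name.

```shell
#!/bin/sh
# Added example (not from the talk): build, verify and walk ustar headers with plain
# POSIX tools.  Function names are this example's own.
#
# ustar header (offset/size): name 0/100, mode 100/8, uid 108/8, gid 116/8,
# size 124/12 (octal), mtime 136/12, chksum 148/8, typeflag 156/1, linkname 157/100,
# magic 257/6 "ustar\0", version 263/2, uname 265/32, gname 297/32, devmajor 329/8,
# devminor 337/8, prefix 345/155, pad 500/12.  Data follows, padded to 512 bytes.

zeros() { dd if=/dev/zero bs=1 count="$1" 2>/dev/null; }

# tar_mkheader OUT NAME SIZE TYPEFLAG -> 512-byte header with a valid checksum in OUT.
# NAME must be at most 100 bytes (longer names need the prefix field or a GNU 'L' entry).
tar_mkheader() {
  {
    printf '%s' "$2"; zeros $((100 - ${#2}))             # name
    printf '%07o' 420; zeros 1                            # mode 0644
    printf '%07o' 0; zeros 1; printf '%07o' 0; zeros 1    # uid, gid
    printf '%011o' "$3"; zeros 1                          # size
    printf '%011o' 0; zeros 1                             # mtime
    printf '        '                                     # chksum: 8 spaces while summing
    printf '%s' "$4"                                      # typeflag: 0 file, 5 dir, 2 symlink, L GNU long name
    zeros 100                                             # linkname
    printf 'ustar'; zeros 1; printf '00'                  # magic, version
    zeros 247                                             # uname, gname, devmajor, devminor, prefix, pad
  } > "$1"
  sum=$(od -An -v -tu1 "$1" | awk '{ for (i = 1; i <= NF; i++) s += $i } END { print s }')
  { printf '%06o' "$sum"; zeros 1; printf ' '; } | dd of="$1" bs=1 seek=148 conv=notrunc 2>/dev/null
}

# tar_header ARCHIVE OFFSET -> "typeflag size chksum-status name" for the header block at
# OFFSET (a multiple of 512); prints nothing for the all-zero end-of-archive block.
# The checksum is recomputed with the chksum field read as spaces, as the format requires.
tar_header() {
  dd if="$1" bs=512 skip=$(( $2 / 512 )) count=1 2>/dev/null | od -An -v -tu1 | LC_ALL=C awk '
    { for (i = 1; i <= NF; i++) b[n++] = $i }
    function oct(from, to,   v, i) {
      v = 0
      for (i = from; i <= to; i++) if (b[i] >= 48 && b[i] <= 55) v = v * 8 + b[i] - 48
      return v
    }
    END {
      if (n < 512) exit
      name = ""
      for (i = 0; i < 100 && b[i] != 0; i++) name = name sprintf("%c", b[i])
      if (name == "") exit
      sum = 0
      for (i = 0; i < 512; i++) sum += (i >= 148 && i < 156) ? 32 : b[i]
      printf "%c %d %s %s\n", b[156], oct(124, 135), (sum == oct(148, 155)) ? "ok" : "BAD", name
    }'
}

# tar_walk ARCHIVE -> one tar_header line per entry, stepping over each entry's data blocks
tar_walk() {
  ar=$1; off=0; end=$(( $(wc -c < "$ar") ))
  while [ "$off" -lt "$end" ]; do
    line=$(tar_header "$ar" "$off")
    [ -n "$line" ] || break
    printf '%s\n' "$line"
    set -- $line
    off=$(( off + 512 + ($2 + 511) / 512 * 512 ))
  done
}

# tar_unsafe_paths ARCHIVE -> names that would escape the extraction directory (absolute,
# or containing a ".." component).  Symlink targets (linkname) and the name carried in a
# GNU 'L' entry's data block are not parsed here and need the same treatment.
tar_unsafe_paths() {
  tar_walk "$1" | while read -r type size ok name; do
    case "/$name/" in
      //*|*/../*) printf '%s\n' "$name" ;;
    esac
  done
}
```

The test creates a real archive with the system tar and a hand-built one whose entry is named `../evil` (constructed for the example); tar(1) itself strips such names on creation, which is exactly why an extractor cannot assume an archive it did not create is well-behaved.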