CONTAINERS FUNDAMENTALS - ganeshahv/Contrail_SRE GitHub Wiki
```
root@ubuntu:~# apt install -y cgroup-tools
root@ubuntu:/sys/fs/cgroup/freezer/mycgroup# echo FROZEN > freezer.state
root@ubuntu:/sys/fs/cgroup/freezer/mycgroup# cat freezer.state
FROZEN
```
```
root@ubuntu:~# ip netns add namespace1
root@ubuntu:~# ip netns add namespace2
root@ubuntu:~# ip link add veth1 type veth peer name veth2
root@ubuntu:~# ip link set veth1 netns namespace1
root@ubuntu:~# ip link set veth2 netns namespace2
root@ubuntu:~# ip netns exec namespace1 ip link set dev veth1 up
root@ubuntu:~# ip netns exec namespace2 ip link set dev veth2 up
root@ubuntu:~# ip netns exec namespace1 ifconfig veth1 192.168.1.1 up
root@ubuntu:~# ip netns exec namespace2 ifconfig veth2 192.168.1.2 up
```
```
root@ganeshahv-instance-1:~# mkdir /root/dir1
root@ganeshahv-instance-1:~# mkdir /root/dir2
root@ganeshahv-instance-1:~# touch /root/dir1/f1
root@ganeshahv-instance-1:~# touch /root/dir1/f1.1
root@ganeshahv-instance-1:~# touch /root/dir2/f2
root@ganeshahv-instance-1:~# touch /root/dir2/f2.1
root@ganeshahv-instance-1:~# ls -l /root/dir2
total 0
-rw-r--r-- 1 root root 0 Jul 30 07:56 f2
-rw-r--r-- 1 root root 0 Jul 30 07:55 f2.1
root@ganeshahv-instance-1:~# mkdir /root/union
root@ganeshahv-instance-1:~# unionfs /root/dir1:/root/dir2/ /root/union/
root@ganeshahv-instance-1:~# ls /root/union/
f1  f1.1  f2  f2.1
```
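
The merged listing above (`f1 f1.1 f2 f2.1`) is the result of unionfs layering dir1 over dir2, with the first branch taking priority. The Python below is an added example, not from the wiki, that models the same precedence rules in memory and goes one step further to the copy-on-write behaviour overlay-style filesystems use: lookups fall through the branches in order, while writes and deletions land only in a writable top layer (copy-up and whiteouts), so the lower branches are never modified. The `UnionView` class and its method names are constructed for this example; the sample branch contents mirror the wiki's dir1 and dir2.

```python
"""Added example: an in-memory model of union / overlay filesystem semantics.
Not real filesystem code; it illustrates lookup precedence, copy-up and
whiteouts. Branch contents are constructed to match the wiki's dir1/dir2."""
from typing import Dict, List, Optional

# Constructed branches: file name -> file content
DIR1 = {"f1": "", "f1.1": ""}
DIR2 = {"f2": "", "f2.1": ""}


class UnionView:
    """A merged view of several read-only lower branches plus one writable
    upper branch.  Lower branches are searched in the order given, so the
    first branch has the highest priority (like dir1:dir2 above)."""

    def __init__(self, lowers: List[Dict[str, str]]):
        self.lowers = lowers                 # never written to
        self.upper: Dict[str, str] = {}      # receives every modification
        self.whiteouts: set = set()          # names hidden from the lowers

    def lookup(self, name: str) -> Optional[str]:
        """Return the visible content of a file, or None if not present."""
        if name in self.whiteouts:
            return None
        if name in self.upper:
            return self.upper[name]
        for branch in self.lowers:
            if name in branch:
                return branch[name]
        return None

    def listdir(self) -> List[str]:
        """Union of all names, minus whiteouts, in sorted order."""
        names = set(self.upper)
        for branch in self.lowers:
            names.update(branch)
        return sorted(names - self.whiteouts)

    def write(self, name: str, content: str) -> None:
        """Create or replace a file: the change lives only in the upper branch."""
        self.upper[name] = content
        self.whiteouts.discard(name)

    def append(self, name: str, text: str) -> None:
        """Modify a file in place.  If it only exists in a lower branch it is
        first copied up, so the lower copy stays intact."""
        current = self.lookup(name)
        if current is None:
            raise FileNotFoundError(name)
        if name not in self.upper:
            self.upper[name] = current      # copy-up
        self.upper[name] += text

    def unlink(self, name: str) -> None:
        """Delete a file.  A file from a lower branch cannot be removed there,
        so a whiteout entry hides it instead."""
        if self.lookup(name) is None:
            raise FileNotFoundError(name)
        self.upper.pop(name, None)
        if any(name in branch for branch in self.lowers):
            self.whiteouts.add(name)

    def lowers_unchanged(self, originals: List[Dict[str, str]]) -> bool:
        """Integrity check: the lower branches still equal their originals."""
        return self.lowers == originals


if __name__ == "__main__":
    union = UnionView([dict(DIR1), dict(DIR2)])
    print(union.listdir())                 # ['f1', 'f1.1', 'f2', 'f2.1']
    union.append("f2", "hello")            # copy-up of a dir2 file
    union.unlink("f1")                     # whiteout of a dir1 file
    print(union.listdir(), repr(union.lookup("f2")))
    print("lowers untouched:", union.lowers_unchanged([DIR1, DIR2]))
```

The model makes the security property of layered images visible: whatever a running container writes or deletes stays in its own upper layer, and the image layers underneath remain byte-for-byte what was pulled.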
| chroot | FreeBSD (jails) | Solaris Zones | OpenVZ | LXC | Systemd-nspawn |
|---|---|---|---|---|---|
| partial filesystem isolation; nested virtualization; shared system resources; susceptible to root attacks | same kernel across jails; all VMs need to use the same kernel | virtualizes its hostname, network and IP address, and has assigned storage | shares the same kernel; can only run Linux; each container has its own virtual filesystem, users, processes, and network | namespace isolation; isolates processes, the filesystem, network and users from the host operating system | fully isolates containers from each other and from the host system |
```bash
apt install -y debootstrap
mkdir /mnt/chroot-ubuntu-xenial
debootstrap xenial /mnt/chroot-ubuntu-xenial/
cat /etc/os-release                      # the host's release
chroot /mnt/chroot-ubuntu-xenial/ bash
cat /etc/os-release                      # the chroot's (xenial) release
```
```
ganeshahv_juniper_net@ganeshahv-instance-1:~$ grep $USER /etc/subgid
ganeshahv_juniper_net:951968:65536
ganeshahv_juniper_net@ganeshahv-instance-1:~$ grep $USER /etc/subuid
ganeshahv_juniper_net:951968:65536
ganeshahv_juniper_net@ganeshahv-instance-1:~$ cat .config/lxc/default.conf
lxc.net.0.type = veth
lxc.net.0.link = lxcbr0
lxc.net.0.flags = up
lxc.net.0.hwaddr = 00:16:3e:xx:xx:xx
lxc.idmap = u 0 951968 65536
lxc.idmap = g 0 951968 65536
```
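
As an added worked example (not part of the wiki), the following Python reproduces the arithmetic behind the `lxc.idmap` lines and the `/etc/subuid` entry above: it maps container UIDs to host UIDs and back, and checks that the range a container claims lies inside the range delegated to the user. The values 951968 and 65536 are the ones from the wiki; the function names, the `host_to_container` direction and the mismatching subuid lines in the demo are this example's own.

```python
"""Added example: UID/GID mapping arithmetic for an unprivileged LXC container.
The ranges come from the wiki's lxc.idmap / /etc/subuid lines; the
function names are constructed for this example."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed from the wiki's ~/.config/lxc/default.conf
DEFAULT_CONF = """
lxc.net.0.type = veth
lxc.idmap = u 0 951968 65536
lxc.idmap = g 0 951968 65536
"""
SUBUID_LINE = "ganeshahv_juniper_net:951968:65536"   # the wiki's /etc/subuid entry


@dataclass(frozen=True)
class IdRange:
    kind: str              # "u" (uids) or "g" (gids)
    container_start: int   # first id as seen inside the container
    host_start: int        # id it is translated to on the host
    count: int             # number of consecutive ids in the range

    def contains_container(self, cid: int) -> bool:
        return self.container_start <= cid < self.container_start + self.count

    def contains_host(self, hid: int) -> bool:
        return self.host_start <= hid < self.host_start + self.count


def parse_lxc_idmap(config_text: str) -> List[IdRange]:
    """Collect 'lxc.idmap = <u|g> <container_start> <host_start> <count>' lines."""
    ranges = []
    for line in config_text.splitlines():
        key, sep, value = line.partition("=")
        if not sep or key.strip() != "lxc.idmap":
            continue
        kind, cstart, hstart, count = value.split()
        ranges.append(IdRange(kind, int(cstart), int(hstart), int(count)))
    return ranges


def parse_subid(line: str) -> Tuple[str, int, int]:
    """Parse one /etc/subuid or /etc/subgid entry ('user:start:count')."""
    user, start, count = line.strip().split(":")
    return user, int(start), int(count)


def container_to_host(cid: int, ranges: List[IdRange], kind: str = "u") -> Optional[int]:
    """Host id a container id is stored and enforced as.  None means the id is
    unmapped; the kernel then shows it as the overflow id (usually 65534)."""
    for r in ranges:
        if r.kind == kind and r.contains_container(cid):
            return r.host_start + (cid - r.container_start)
    return None


def host_to_container(hid: int, ranges: List[IdRange], kind: str = "u") -> Optional[int]:
    """Inverse mapping: None means the host id is invisible inside the container."""
    for r in ranges:
        if r.kind == kind and r.contains_host(hid):
            return r.container_start + (hid - r.host_start)
    return None


def idmap_within_subid(ranges: List[IdRange], subid_line: str, kind: str = "u") -> bool:
    """True if every host range the container claims lies inside the range
    delegated to the user in /etc/subuid (or /etc/subgid for kind 'g').
    On a real host the setuid newuidmap/newgidmap helpers enforce this;
    a mapping outside the delegated range must be rejected."""
    _, start, count = parse_subid(subid_line)
    for r in ranges:
        if r.kind != kind:
            continue
        if r.host_start < start or r.host_start + r.count > start + count:
            return False
    return True


if __name__ == "__main__":
    ranges = parse_lxc_idmap(DEFAULT_CONF)
    print("container root (0)  -> host uid", container_to_host(0, ranges))
    print("container uid 1000  -> host uid", container_to_host(1000, ranges))
    print("host root (0) seen inside container as", host_to_container(0, ranges))
    print("idmap inside delegated subuid range:", idmap_within_subid(ranges, SUBUID_LINE))
```

The two results worth noticing: root inside the container becomes host uid 951968, an ordinary unprivileged id, and host uid 0 has no counterpart inside the container at all, which is what makes the unprivileged container configuration safer than the root-run chroot and cgroup examples earlier on this page.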
```
ganeshahv_juniper_net@ganeshahv-instance-1:~# lxc-create -t download -n ganeshahv_lxc1
ganeshahv_juniper_net@ganeshahv-instance-1:~# lxc-start -n ganeshahv_lxc1 -d
ganeshahv_juniper_net@ganeshahv-instance-1:~# lxc-ls -f
ganeshahv_juniper_net@ganeshahv-instance-1:~# lxc-info -n ganeshahv_lxc1
ganeshahv_juniper_net@ganeshahv-instance-1:~# lxc-stop -n ganeshahv_lxc1
ganeshahv_juniper_net@ganeshahv-instance-1:~# lxc-destroy -n ganeshahv_lxc1
```
```bash
apt install -y systemd-container
debootstrap --arch=amd64 stable ~/DebianContainer
systemd-nspawn -bD ~/DebianContainer/     # boots the container in this terminal
# from a second terminal while the container is running:
machinectl list
machinectl show DebianContainer
machinectl status DebianContainer
machinectl terminate DebianContainer
```
- The Runtime Specification defines how to run a "filesystem bundle" that is unpacked on disk.
- The Image Specification helps with the development of compatible tools, so that container images are converted into containers consistently.
- A container bundle includes the configuration data and root filesystem information required to load and run the container.
- The container runtime extracts the container image content and stores it on an overlay filesystem, which uses copy-on-write so that the read-only image layers are never modified by the running container.
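
To make the bundle concept concrete, here is an added Python example, not taken from the wiki or from any OCI project code, that writes a minimal runtime-spec bundle (a `config.json` beside a `rootfs/` directory) using the isolation features this page covers (namespaces, a UID map, cgroup limits, a read-only root), and audits a config for the settings a reviewer would check first. The key names follow the OCI runtime specification; the `make_bundle_config` / `audit_config` helpers, the hostname and limits, and the host UID 951968 (reused from the wiki's subuid entry) are this example's own choices. Actually running the bundle still needs an OCI runtime and a populated rootfs.

```python
"""Added example: build and audit an OCI runtime-spec bundle (config.json + rootfs/).
Key names follow the OCI runtime specification; helper names and sample
values are constructed for this example."""
import json
import os
import tempfile
from typing import Dict, List

# Constructed: host-side start of the uid/gid range (matches the wiki's subuid line)
HOST_ID_START = 951968
ID_RANGE = 65536


def make_bundle_config(args=("/bin/sh",), readonly_root: bool = True,
                       host_id_start: int = HOST_ID_START) -> Dict:
    """Return a config.json structure for a minimal, unprivileged container."""
    return {
        "ociVersion": "1.0.2",
        "process": {
            "terminal": False,
            "user": {"uid": 0, "gid": 0},          # root *inside* the user namespace
            "args": list(args),
            "env": ["PATH=/usr/sbin:/usr/bin:/sbin:/bin"],
            "cwd": "/",
            "noNewPrivileges": True,               # setuid binaries cannot gain privilege
            "capabilities": {"bounding": [], "effective": [], "permitted": [],
                             "inheritable": [], "ambient": []},
        },
        "root": {"path": "rootfs", "readonly": readonly_root},
        "hostname": "demo",
        "mounts": [{"destination": "/proc", "type": "proc", "source": "proc"}],
        "linux": {
            "namespaces": [{"type": t} for t in
                           ("pid", "network", "ipc", "uts", "mount", "user")],
            "uidMappings": [{"containerID": 0, "hostID": host_id_start, "size": ID_RANGE}],
            "gidMappings": [{"containerID": 0, "hostID": host_id_start, "size": ID_RANGE}],
            "resources": {"pids": {"limit": 128},
                          "memory": {"limit": 256 * 1024 * 1024}},
            "maskedPaths": ["/proc/kcore"],
            "readonlyPaths": ["/proc/sys"],
        },
    }


def write_bundle(bundle_dir: str, config: Dict) -> str:
    """Lay out the bundle on disk: <bundle>/config.json and <bundle>/rootfs/."""
    os.makedirs(os.path.join(bundle_dir, config["root"]["path"]), exist_ok=True)
    path = os.path.join(bundle_dir, "config.json")
    with open(path, "w") as fh:
        json.dump(config, fh, indent=2)
    return path


def write_bundle_to_tempdir(config: Dict) -> str:
    """Create a fresh temporary directory, write the bundle into it, return it."""
    bundle_dir = tempfile.mkdtemp(prefix="oci-bundle-")
    write_bundle(bundle_dir, config)
    return bundle_dir


def bundle_layout_ok(bundle_dir: str) -> bool:
    """A runtime needs config.json and the rootfs directory it names."""
    cfg_path = os.path.join(bundle_dir, "config.json")
    if not os.path.isfile(cfg_path):
        return False
    with open(cfg_path) as fh:
        cfg = json.load(fh)
    return os.path.isdir(os.path.join(bundle_dir, cfg["root"]["path"]))


def audit_config(config: Dict) -> List[str]:
    """Return the findings a reviewer would raise for this config (empty = ok)."""
    findings = []
    linux = config.get("linux", {})
    process = config.get("process", {})
    ns_types = {ns.get("type") for ns in linux.get("namespaces", [])}
    if not config.get("root", {}).get("readonly"):
        findings.append("root filesystem is writable")
    if not process.get("noNewPrivileges"):
        findings.append("noNewPrivileges is not set")
    if "user" not in ns_types:
        findings.append("no user namespace: container uid 0 is host root")
    for m in linux.get("uidMappings", []):
        cid, hid, size = m.get("containerID", 0), m.get("hostID", 0), m.get("size", 0)
        if cid <= 0 < cid + size and hid - cid == 0:   # container 0 -> host 0
            findings.append("uid map gives container root host uid 0")
    if "CAP_SYS_ADMIN" in process.get("capabilities", {}).get("bounding", []):
        findings.append("CAP_SYS_ADMIN in bounding set")
    if "pids" not in linux.get("resources", {}):
        findings.append("no pids limit (fork bomb protection)")
    for required in ("pid", "mount", "network"):
        if required not in ns_types:
            findings.append(f"missing {required} namespace")
    return findings


if __name__ == "__main__":
    cfg = make_bundle_config()
    bundle = write_bundle_to_tempdir(cfg)
    print("bundle at", bundle, "layout ok:", bundle_layout_ok(bundle))
    print("findings:", audit_config(cfg) or "none")
```

The audit encodes the page's own points as checks: the user namespace and UID map decide who "root" really is on the host, the pids and memory limits are the cgroup side, and the read-only root keeps the image layers intact.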
 
- A container image is a template for a running container; it is created in the form of a tarball with configuration files.
- Container runtimes load images to run them as containers, so at runtime a container is a running instance of an image.
- A shared storage location from which images are distributed is called an image registry.
- An image caching feature that allows a downloaded container image to be reused for multiple deployments on a particular host is called a container image repository.
- The key component required for the creation of a container image is the Dockerfile.
 
- A container is a process running on the host system.
- Namespaces virtualize the container process's PID, network, root filesystem, and users.
- Cgroups set limits on how much of the host system's resources the container process can consume.
- A widely used feature of Docker is its capability to build container images out of running containers. With `docker commit`, we can create an image from a container and its most recent configuration.
- Running as a daemon is not supported by rkt.
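
The first three bullets above (a container is just a host process, namespaces change what it sees, cgroups bound what it consumes) can be verified from `/proc`. The following Python is an added example, not from the wiki: it parses the `/proc/<pid>/cgroup` format (cgroup v1 `id:controllers:path` lines and the cgroup v2 `0::path` line), compares the namespace identifiers two processes expose under `/proc/<pid>/ns/`, and reports whether a process looks contained. The parser and the comparison run on constructed sample text; the live check at the bottom only runs on a Linux host and reads the current process. Function names and sample paths are constructed; `mycgroup` is the cgroup name used in the freezer example at the top of this page.

```python
"""Added example: inspect a process's cgroups and namespaces from /proc.
Parsing runs on constructed sample text so it works anywhere; the live
check at the bottom only runs on Linux."""
import os
import re
from typing import Dict, List

NS_TYPES = ("cgroup", "ipc", "mnt", "net", "pid", "user", "uts")

# Constructed sample of /proc/<pid>/cgroup on a cgroup v1 host; only the
# freezer line refers to the wiki's 'mycgroup'.
SAMPLE_CGROUP_V1 = """\
12:freezer:/mycgroup
11:memory:/
4:cpu,cpuacct:/
1:name=systemd:/user.slice/user-0.slice/session-1.scope
0::/user.slice/user-0.slice/session-1.scope
"""
# Constructed sample for a cgroup v2 (unified hierarchy) host
SAMPLE_CGROUP_V2 = "0::/demo-container\n"


def parse_proc_cgroup(text: str) -> Dict[str, str]:
    """Map controller name -> cgroup path.  v1 lines are 'id:controllers:path'
    with a comma-separated controller list; the v2 line has an empty controller
    field and is stored under the key 'unified'."""
    result: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        _hier, controllers, path = line.split(":", 2)
        if controllers == "":
            result["unified"] = path
            continue
        for ctl in controllers.split(","):
            result[ctl] = path
    return result


def ns_inode(link_target: str) -> int:
    """'pid:[4026531836]' (readlink of /proc/<pid>/ns/pid) -> 4026531836."""
    m = re.fullmatch(r"[a-z_]+:\[(\d+)\]", link_target)
    if not m:
        raise ValueError(f"unexpected namespace link: {link_target!r}")
    return int(m.group(1))


def differing_namespaces(a: Dict[str, str], b: Dict[str, str]) -> List[str]:
    """Namespace types present in both maps whose inodes differ."""
    return sorted(ns for ns in a if ns in b and ns_inode(a[ns]) != ns_inode(b[ns]))


def looks_contained(own_ns: Dict[str, str], init_ns: Dict[str, str],
                    cgroup: Dict[str, str]) -> List[str]:
    """Heuristic hints that a process is isolated from the host's init."""
    hints = []
    diff = differing_namespaces(own_ns, init_ns)
    if diff:
        hints.append("separate namespaces: " + ", ".join(diff))
    paths = set(cgroup.values())
    if paths and paths != {"/"}:
        hints.append("non-root cgroup paths: " + ", ".join(sorted(paths)))
    return hints


def read_namespaces(pid) -> Dict[str, str]:
    """Live read of /proc/<pid>/ns/*; empty on non-Linux or without permission."""
    out: Dict[str, str] = {}
    for ns in NS_TYPES:
        try:
            out[ns] = os.readlink(f"/proc/{pid}/ns/{ns}")
        except OSError:
            pass
    return out


if __name__ == "__main__":
    # Constructed namespace maps: the 'net' inode differs, 'pid' matches
    host = {"pid": "pid:[4026531836]", "net": "net:[4026531992]"}
    proc = {"pid": "pid:[4026531836]", "net": "net:[4026532500]"}
    print(looks_contained(proc, host, parse_proc_cgroup(SAMPLE_CGROUP_V1)))
    if os.path.isdir("/proc/self/ns"):
        try:
            with open("/proc/self/cgroup") as fh:
                own_cg = parse_proc_cgroup(fh.read())
        except OSError:
            own_cg = {}
        print(looks_contained(read_namespaces("self"), read_namespaces(1), own_cg))
```

Comparing against PID 1 only tells you whether you differ from whatever init you can see; inside a PID namespace that is the container's own init, so for host-side forensics run the comparison from the host against the suspect PID.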
 
- CRI-O, the Kubernetes container runtime, has its networking designed to work with Kubernetes pods. Pod networking is set up through the Container Network Interface (CNI).