Containerization #1

Open
igormcsouza opened this issue Mar 7, 2024 · 3 comments
Labels
documentation Improvements or additions to documentation

Comments


igormcsouza commented Mar 7, 2024

Explains how containerization works and the beautiful world of chroot!

@igormcsouza igormcsouza self-assigned this Mar 7, 2024
@igormcsouza igormcsouza added the documentation Improvements or additions to documentation label Mar 7, 2024
@igormcsouza igormcsouza pinned this issue Mar 7, 2024
igormcsouza commented Mar 7, 2024

What in the world is a container?

This is a question we all have. Because of the nature of containers, it is very hard to explain to a beginner what one actually is, but don't panic... Let's figure it out together!

In a couple of words, a container is an isolated process that gets its own share of namespaces and resources, just like another machine would, but in reality it uses the same kernel and resources that the host does. So a container is just a process that thinks it is a host by itself.

The difference between a container and a virtual machine is that a VM also uses its own namespaces and resources, but it also uses its own kernel and emulates its own resources instead of borrowing them from the host. That is what makes containers so lightweight: because they are just processes, it is like running a normal application, but inside a container, which feels like another machine.

That is thanks to the Linux kernel. In 1979, on Unix Version 7, the chroot command was born; this command allows us to make any folder on our filesystem become the root of the system for that process. That creates isolation on the filesystem side. There are also other kernel features, Namespaces and Cgroups, that help to isolate the rest, creating a perfect container with everything it needs to think it is its own separate machine. That's why containers are so much faster on a Linux machine. In order to make this work on Windows and Mac we need to create a Linux VM first, so we can start upon its kernel. On Linux we can run natively, without installing anything else; we can actually do it now, in this repository, so stick around to see it coming to life.

After containers became so popular, one of the biggest in the area, Docker, created the OCI, which defines specifications for all container runtimes to follow. With this were born runc and containerd (which is not a runtime like runc, because it runs on top of runc, but...). The latter is used by Docker to run its thing, but others like Kubernetes and Podman use runc.

Therefore, we are here to learn the kernel features and how it works beneath all of this! Let's create our own container runtime in Python.

What are the isolations we can make with linux kernel?

  • Filesystem isolation (chroot): This level of isolation can make the entire system root start in a different place, which is good because we can put in this isolated place only the files and folders we actually need to run a single application. If we don't need the ls command, no problem, it's not there. This is also good for security, because anyone with access to this container will not see any file from the host machine. We can also create filesystems for other distributions.

  • Namespace isolation (unshare): This isolation encapsulates the networking, users, processes and other software stuff, which is very useful if we don't want to manage things on the host just to spin up a web application; for example, we can drop all the networking we have on the host, configure only localhost, export a port, and it's done.

  • Hardware resource isolation (cgroups): Isolating resources is good to limit the usage of a specific application, like memory usage, CPU and other things. We can manage all the files ourselves or we can use tools such as libcgroup.
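
The three isolations above, wired together in the Python the thread says the runtime will be written in. This is an added example, not code from this repository: it calls unshare(2), mount(2) and sethostname(2) through ctypes, chroots into a rootfs such as the Alpine tree the script below unpacks, and applies cgroup v2 limits by writing memory.max and cpu.max. The function names, the /sys/fs/cgroup/zoo group and the limit values are assumptions for illustration; it needs root on a Linux host with cgroup v2 mounted, and it deliberately creates no user namespace, so root inside is still root outside.

```python
"""Minimal container runtime sketch: chroot + namespaces + cgroup v2 (Linux, root)."""
import ctypes
import os
from pathlib import Path

# Namespace flags from <linux/sched.h>; unshare(2) takes the same values as clone(2).
NAMESPACE_FLAGS = {
    "mount": 0x00020000,  # CLONE_NEWNS
    "uts":   0x04000000,  # CLONE_NEWUTS
    "ipc":   0x08000000,  # CLONE_NEWIPC
    "user":  0x10000000,  # CLONE_NEWUSER
    "pid":   0x20000000,  # CLONE_NEWPID
    "net":   0x40000000,  # CLONE_NEWNET
}
# mount(2) propagation flags: make our mounts private so they never reach the host.
MS_REC = 0x4000
MS_PRIVATE = 0x40000


def namespace_flags(names):
    """Combine namespace names into the bitmask unshare(2) expects."""
    flags = 0
    for name in names:
        if name not in NAMESPACE_FLAGS:
            raise ValueError(f"unknown namespace: {name}")
        flags |= NAMESPACE_FLAGS[name]
    return flags


def render_cgroup_limits(memory_max_bytes, cpu_quota_us, cpu_period_us=100_000):
    """cgroup v2 control files and the contents that enforce the limits.

    memory.max caps the group's memory; cpu.max is "<quota> <period>" in
    microseconds, so 50000 100000 allows at most half of one CPU.
    """
    return {
        "memory.max": f"{memory_max_bytes}\n",
        "cpu.max": f"{cpu_quota_us} {cpu_period_us}\n",
    }


def write_cgroup(cgroup_dir, limits, pid):
    """Create a cgroup v2 group at cgroup_dir, apply limits, move pid into it."""
    group = Path(cgroup_dir)
    group.mkdir(exist_ok=True)
    for name, content in limits.items():
        (group / name).write_text(content)
    (group / "cgroup.procs").write_text(f"{pid}\n")


def _check(rc):
    """Turn a failing libc call into an OSError carrying errno."""
    if rc != 0:
        err = ctypes.get_errno()
        raise OSError(err, os.strerror(err))


def run_container(rootfs, argv, cgroup_dir="/sys/fs/cgroup/zoo", hostname=b"zoo",
                  memory_max_bytes=256 * 1024 * 1024, cpu_quota_us=50_000):
    """Run argv as PID 1 inside rootfs with new mount, UTS, IPC and PID namespaces.

    Root only. No user namespace is created, so root inside is root on the host;
    chroot is a filesystem view, not a security boundary.
    """
    libc = ctypes.CDLL(None, use_errno=True)
    # cgroup first: the forked child inherits the group, so the limit applies from exec.
    write_cgroup(cgroup_dir, render_cgroup_limits(memory_max_bytes, cpu_quota_us), os.getpid())
    _check(libc.unshare(namespace_flags(["mount", "uts", "ipc", "pid"])))
    pid = os.fork()  # CLONE_NEWPID only affects children: this child becomes PID 1
    if pid == 0:
        _check(libc.sethostname(hostname, len(hostname)))
        _check(libc.mount(None, b"/", None, MS_REC | MS_PRIVATE, None))
        os.chroot(rootfs)
        os.chdir("/")
        # procfs mounted after the chroot shows only processes of the new PID namespace
        _check(libc.mount(b"proc", b"/proc", b"proc", 0, None))
        os.execv(argv[0], argv)
    _, status = os.waitpid(pid, 0)
    return os.waitstatus_to_exitcode(status)


if __name__ == "__main__":
    import sys
    # sudo python3 runtime.py ./zoo /bin/sh   (assumed rootfs from the Alpine tarball)
    sys.exit(run_container(sys.argv[1], sys.argv[2:]))
```

The cgroup is joined before the fork on purpose: a child placed into the group after exec can allocate memory before the limit lands, whereas an inherited group applies from the first instruction. The runtime process itself ends up limited too, which is acceptable here because it only waits.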


igormcsouza commented Mar 7, 2024

Example of how to create a container

Creating a container from scratch is as simple as changing directory; that's the magic behind chroot

```bash
#!/bin/bash
set -euo pipefail

# chroot and these namespaces require root
if [ "$(id -u)" -ne 0 ]; then
    echo "This script requires root privileges. Please run with sudo."
    exit 1
fi

# Define variables. The pinned version and the download path must agree:
# latest-stable only carries the current release, so use the v3.19 branch.
ALPINE_VERSION="3.19.0"
ALPINE_BRANCH="v${ALPINE_VERSION%.*}"            # 3.19.0 -> v3.19
ALPINE_TARBALL="alpine-minirootfs-${ALPINE_VERSION}-x86_64.tar.gz"
ALPINE_URL="https://dl-cdn.alpinelinux.org/alpine/${ALPINE_BRANCH}/releases/x86_64/${ALPINE_TARBALL}"
TARGET_DIR="./zoo"

# Download the tarball over HTTPS if it is not already here
if [ -f "${ALPINE_TARBALL}" ]; then
    echo "The Alpine tarball (${ALPINE_TARBALL}) already exists."
else
    echo "Downloading Alpine tarball..."
    wget "${ALPINE_URL}"
fi

# Refuse to unpack a tarball that does not match Alpine's published digest
[ -f "${ALPINE_TARBALL}.sha256" ] || wget "${ALPINE_URL}.sha256"
sha256sum -c "${ALPINE_TARBALL}.sha256"

# Unpack the root filesystem only once, into an (initially empty) target directory
mkdir -p "${TARGET_DIR}"
if [ -z "$(ls -A "${TARGET_DIR}")" ]; then
    echo "Extracting Alpine tarball to ${TARGET_DIR}..."
    tar -xzf "${ALPINE_TARBALL}" -C "${TARGET_DIR}"
fi

# The entrypoint script lives beside this script and is copied into the rootfs
cp ./entrypoint "${TARGET_DIR}/opt/entrypoint"

# Enter the chroot with fresh mount, UTS, IPC and PID namespaces. --fork is
# required with --pid so the child becomes PID 1 of the new namespace, and
# mounting proc after the chroot gives that namespace its own view of processes.
# Caveat: no user namespace is created, so root inside is root on the host,
# and chroot alone is not a security boundary.
echo "Entering chroot environment..."
unshare --mount --uts --ipc --pid --fork \
    chroot "${TARGET_DIR}" /bin/sh -c 'mount -t proc proc /proc && exec /bin/sh /opt/entrypoint'
```
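
Once the script above is running, the thing to check is that the isolation actually happened, rather than trusting the command line. This added example (not part of the original post or repository) reads /proc/<pid>/ns/* for the container's shell and for a reference process, normally host PID 1, and reports which namespace types differ and which are still shared; against the unshare invocation above it should list mnt, uts, ipc and pid as isolated and user and net as shared, since neither --user nor --net is passed. The inode values in the sample dictionaries are constructed for illustration, as is the nscheck.py name.

```python
"""Check which namespaces a process actually got, compared with a reference (e.g. host PID 1)."""
import os
import re
from pathlib import Path

NS_TYPES = ("mnt", "uts", "ipc", "pid", "net", "user", "cgroup")
_NS_LINK = re.compile(r"^(\w+):\[(\d+)\]$")

# Constructed sample data (not captured from a real host): inodes as readlink()
# returns them from /proc/<pid>/ns/*. The container row mirrors what the script
# above produces: new mnt/uts/ipc/pid, but user and net still shared with the host.
SAMPLE_HOST_NS = {"mnt": 4026531841, "uts": 4026531838, "ipc": 4026531839,
                  "pid": 4026531836, "net": 4026531840, "user": 4026531837}
SAMPLE_CONTAINER_NS = {"mnt": 4026532201, "uts": 4026532202, "ipc": 4026532203,
                       "pid": 4026532204, "net": 4026531840, "user": 4026531837}


def parse_ns_link(target):
    """'pid:[4026531836]' -> ('pid', 4026531836)."""
    m = _NS_LINK.match(target)
    if not m:
        raise ValueError(f"not a namespace link: {target!r}")
    return m.group(1), int(m.group(2))


def read_namespaces(pid, proc="/proc"):
    """Map ns type -> inode for pid. Reading another user's links needs root."""
    namespaces = {}
    for ns_type in NS_TYPES:
        link = Path(proc) / str(pid) / "ns" / ns_type
        try:
            _, inode = parse_ns_link(os.readlink(link))
        except FileNotFoundError:
            continue  # kernel built without this namespace type
        namespaces[ns_type] = inode
    return namespaces


def isolated_namespaces(target_ns, reference_ns):
    """Namespace types in which target and reference are NOT the same namespace."""
    return sorted(t for t in target_ns if t in reference_ns and target_ns[t] != reference_ns[t])


def shared_namespaces(target_ns, reference_ns):
    """Namespace types the two processes still share (the surface to watch)."""
    return sorted(t for t in target_ns if reference_ns.get(t) == target_ns[t])


def parse_cgroup_v2(text):
    """/proc/<pid>/cgroup on a cgroup v2 host is one line: '0::<path>'."""
    for line in text.splitlines():
        hierarchy, _controllers, path = line.split(":", 2)
        if hierarchy == "0":
            return path
    return None


if __name__ == "__main__":
    import sys
    # sudo python3 nscheck.py <container-pid> [<reference-pid>, default 1]
    target = int(sys.argv[1])
    reference = int(sys.argv[2]) if len(sys.argv) > 2 else 1
    t_ns, r_ns = read_namespaces(target), read_namespaces(reference)
    print("isolated:", ", ".join(isolated_namespaces(t_ns, r_ns)) or "none")
    print("shared:  ", ", ".join(shared_namespaces(t_ns, r_ns)) or "none")
    print("cgroup:  ", parse_cgroup_v2(Path(f"/proc/{target}/cgroup").read_text()))
```

Two processes are in the same namespace exactly when their /proc/<pid>/ns/<type> links resolve to the same inode, which is why the comparison is on inode numbers rather than on anything the process reports about itself (a chrooted shell will happily claim to be "zoo" while still sharing the host's user namespace).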


igormcsouza commented Mar 7, 2024

https://youtu.be/JOsWB50LmwQ?si=bWr5ACo2Df_PRgTF

Good talk about containerization

https://youtu.be/sK5i-N34im8?si=sLXZcOsW9kROCoIG

This is like the juice of what is a container

@igormcsouza igormcsouza changed the title from Containarization to Containerization Mar 7, 2024
@igormcsouza igormcsouza removed their assignment Mar 7, 2024