Understanding and building Your Own Docker

1/22
Building blocks of Linux Containers
Motiejus [email protected]
@mo_kelione
2016-11-18
© 2016. Uber Technologies Inc. All rights reserved.

2/22
Table of Contents
Introduction
  Why me
  A container in Linux is...
Namespaces
  Isolation in Linux
  What did we just do
File systems and COW
What did we forget?
  Leftover elephants in the room
The End

3/22
Conclusion!
Devil Hides in The Details?
- Many use Docker.
- We lack time to understand.
- You need to understand infra to successfully troubleshoot infra.
- There are trade-offs in the configuration.
- Make container engine in 30 minutes.
- Details!
→ You will still pick existing tools.

4/22
Why me
My resume: oncall experience.
- 2009-2012 Telecom (Dev + Ops).
- 2012-2014 Online Gaming (Dev + Ops).
- 2014-2016 Amazon (Dev + Ops).
- 2016-now Uber (Dev + Ops):
  - From 2016.02: Dev.
  - From 2016.11: SRE.
I had to understand how exactly infrastructure works.

5/22
A container in Linux is ...
Fork/exec with bells & whistles:
- Fancy tarball for distribution.
- COW filesystem to make it start fast.
- Cgroups for fairness.
- Namespaces for isolation.

7/22
We will cover
- User namespaces.
- Pid namespaces.
- Mount namespaces.
- Network namespaces.
- There are more, but not today.

8/22
User namespace
Become container-local root.
unshare --map-root-user

9/22
Mount namespace
Hide container mounts.
unshare --mount

10/22
Pid namespace
Hide other pids.
unshare --pid --mount-proc --fork
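The three unshare(1) invocations from the slides above, combined into one script that also checks each boundary from inside. This is an added example, not the presenter's demo; the function names are mine, and it assumes util-linux unshare and a kernel that allows unprivileged user namespaces (everything runs as a normal user, root only inside the namespace).

```shell
#!/bin/sh
# Added example, not from the slides: build the talk's "container" from the
# same unshare(1) flags and verify each isolation boundary from inside it.
# Assumes util-linux unshare(1) and unprivileged user namespaces enabled.
set -eu

# User namespace: --map-root-user maps the caller's uid to uid 0 inside.
# /proc/self/uid_map then reads "0 <outer uid> 1": exactly one uid is
# mapped, so "root" in here has no authority over any other uid's files.
uid_map_in_userns() {
    unshare --user --map-root-user cat /proc/self/uid_map
}

# Check the map: inner id 0, outer id = our real uid, range length 1.
userns_root_maps_to_self() {
    map=$(uid_map_in_userns)
    set -- $map
    [ "$1" = 0 ] && [ "$2" = "$(id -u)" ] && [ "$3" = 1 ] && echo yes || echo no
}

# Pid namespace: --fork is required because unshare(1) itself stays in the
# old namespace; only its forked child becomes pid 1 of the new one.
# --mount-proc (implies --mount) mounts a fresh /proc so ps, lsof and
# friends see only namespace-local pids. Prints the child's own pid: 1.
pid_in_new_pidns() {
    unshare --user --map-root-user --pid --fork --mount-proc sh -c 'echo $$'
}

# How many processes /proc lists inside: the shell is the only one, so 1.
# The glob is expanded by that shell itself, so no helper process is counted.
visible_pids_in_new_pidns() {
    unshare --user --map-root-user --pid --fork --mount-proc \
        sh -c 'set -- /proc/[0-9]*; echo $#'
}

# Mount namespace: a tmpfs mounted inside must not show up on the host.
# unshare(1) makes the new namespace's mounts private by default, so the
# host mount table is unchanged afterwards; prints "hidden" if so.
mount_is_private() {
    dir=$(mktemp -d)
    unshare --user --map-root-user --mount sh -c "mount -t tmpfs none '$dir'"
    if grep -q " $dir " /proc/self/mounts; then echo leaked; else echo hidden; fi
    rmdir "$dir"
}
```

Note that none of this stops a process in the namespace from reading host files its real uid can read, which is the "trivial to escape" point made later in the talk.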

11/22
Network namespace
Demonstrate this:
- Create namespace.
- Activate loopback (lo).
- Create pair of devices veth1a and veth1b:
  - veth1b will go to the namespace.
  - veth1a will stay in default.
- Add ip addresses.
- curl and ping.
- lsof, bind on ports separately.
Ever wanted to run tcpdump on an application?

12/22
Network namespace (diagram)
default namespace: lo (127.0.0.1), eth0 (192.0.2.1), veth1a (10.0.0.1)
t1 namespace: lo (127.0.0.1), veth1b (10.0.0.2)
veth1a <-> veth1b (one veth pair, one end in each namespace)
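The demo from the two slides above as an added script, not the presenter's own, using the namespace, device names and addresses from the diagram. It assumes root (CAP_NET_ADMIN) and iproute2; netns_run is my name for the hook that runs tcpdump or a server inside t1.

```shell
#!/bin/sh
# Added example, not the presenter's demo script: namespace t1, veth pair
# veth1a (default namespace, 10.0.0.1) <-> veth1b (t1, 10.0.0.2).
# Needs root (CAP_NET_ADMIN) and iproute2.
set -eu

NS=t1
HOST_IF=veth1a
NS_IF=veth1b
HOST_ADDR=10.0.0.1
NS_ADDR=10.0.0.2

# Run a command inside the namespace. This is how you "run tcpdump on an
# application": netns_run tcpdump -i veth1b sees only that application's
# traffic, and netns_run <server> lets it bind :80 without clashing with
# whatever holds :80 in the default namespace.
netns_run() {
    ip netns exec "$NS" "$@"
}

# Create the namespace, activate its loopback, create the veth pair with
# the "b" end born directly inside t1, and address both ends.
netns_up() {
    ip netns add "$NS"
    netns_run ip link set lo up
    ip link add "$HOST_IF" type veth peer name "$NS_IF" netns "$NS"
    ip addr add "$HOST_ADDR/24" dev "$HOST_IF"
    ip link set "$HOST_IF" up
    netns_run ip addr add "$NS_ADDR/24" dev "$NS_IF"
    netns_run ip link set "$NS_IF" up
}

# Deleting the namespace destroys veth1b; the kernel removes its peer
# veth1a with it, so nothing is left behind in the default namespace.
netns_down() {
    ip netns del "$NS"
}

# Interface names visible inside t1, space separated ("lo veth1b"): there
# is no eth0 in there, so a process in t1 cannot even see the host NIC.
# "veth1b@if3" style peer suffixes are stripped.
netns_interfaces() {
    echo $(netns_run ip -o link | awk -F': ' '{print $2}' | cut -d@ -f1)
}

# Reachability in both directions across the veth pair.
netns_ping_both_ways() {
    ping -c 1 -W 1 "$NS_ADDR" >/dev/null &&
    netns_run ping -c 1 -W 1 "$HOST_ADDR" >/dev/null
}
```

Traffic between the two namespaces stays on the veth pair; the host's eth0 and 192.0.2.1 are unreachable from t1 until you add a route or NAT, which is the safe default.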

13/22
What did we just do
Created a container:
- User namespace: apt-get, iptables, mount, etc.
- Isolated pids: no nobody, isolate from each other.
- Isolated mounts: e.g. for /tmp.
- Isolated network: safely bind to :80.
An improvement over "run and hope it doesn't affect anything else".

15/22
File systems and COW
A container:
- Needs a file system.
- Starts quickly regardless of size.
Do not want to copy 1GB with every startup.
Copy On Write!
lvm? zfs? btrfs?

16/22
A quick demo
- Create tank/images/debian@latest
- Create tank/containers/t1 from @latest
- unshare --mount --pid --fork chroot . bash
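The quick demo as an added script, not the presenter's own. The tank/...@latest naming on the slide is ZFS snapshot syntax, so the script assumes a ZFS pool named tank with a Debian root tree already in tank/images/debian, root privileges and util-linux unshare; the function names are mine.

```shell
#!/bin/sh
# Added example, not the presenter's demo: the "quick demo" slide done with
# ZFS (a snapshot is "dataset@name"). Assumes pool tank, a Debian tree in
# tank/images/debian, root, and util-linux unshare(1).
set -eu

IMAGE=tank/images/debian
SNAP=latest
CONTAINER=tank/containers/t1

# Snapshot the image if not yet done (no data is copied), then clone it.
# The clone shares every block with the snapshot and copies a block only
# when the container writes to it, so start-up cost is independent of size.
container_create() {
    zfs list -t snapshot "$IMAGE@$SNAP" >/dev/null 2>&1 || zfs snapshot "$IMAGE@$SNAP"
    zfs clone -p "$IMAGE@$SNAP" "$CONTAINER"
}

# Bytes the clone holds on its own, i.e. what diverged from the snapshot.
# Right after container_create this is a few KB of metadata, not the image.
container_used_bytes() {
    zfs get -H -p -o value used "$CONTAINER"
}

# Directory the clone is mounted at: the container's root.
container_root() {
    zfs get -H -o value mountpoint "$CONTAINER"
}

# Start a shell in the container as on the slide (new mount and pid
# namespaces, then chroot into the clone), plus one step the slide omits:
# a private /proc mounted inside the chroot, so ps shows the container's
# pids instead of failing or showing the host's.
container_shell() {
    cd "$(container_root)"
    unshare --mount --pid --fork chroot . /bin/sh -c \
        'mount -t proc proc /proc && exec bash'
}

# Throw the container away. Destroying the clone frees only the blocks it
# wrote itself; the image and its snapshot are untouched.
container_destroy() {
    zfs destroy "$CONTAINER"
}
```

Writes inside the container land in tank/containers/t1 only, so a compromised or misbehaving container cannot alter the shared image that other containers are cloned from.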

18/22
Leftover elephants in the room
- Trivial to escape this "container".
- Sec: no leftover file descriptors.
- Resource fairness.
- Sec/DoS: shared kernel resources.
- Supervision, daemonization and cleanup.
- Logging.
- Collect zombie processes.
- Image management.
Should someone else do it?

19/22
We almost have a container engine
- But look at my conclusions again.
- Devil hides in the details.
- Tooling companies (Docker, CoreOS, etc.) raised > $10^8.

20/22
To recap
- Easy to understand kernel facilities.
- Devil hides in the details.
- Either spend a lot of time and headache, or re-use existing tools.

22/22
We're hiring!
Uber SRE locations: SF, NYC, Seattle, Vilnius.
- Check out join.uber.com
- Also, contact me at [email protected]