عجفت الغور

docker/containers

Tags: computers

Overview

  • Build on linux namespaces and cgroups
    • Namespaces segregate the system by giving each container its own view of it (process IDs, network interfaces, mounts, etc.)
    • Control groups segregate the physical hardware between them
    • Capabilities split the privileges of the root user into distinct units that can be granted or dropped individually
    • seccomp filters system calls made by processes to restrict kernel functionality
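
A quick way to see the capability and seccomp layers from these notes on a live process is to read its /proc/<pid>/status. The script below is an added example (not from the original notes); the sample status text is constructed to look like a process in a container started with default Docker settings, and the list of "risky" capabilities is this example's own assumption.

```python
"""Decode the capability and seccomp state of a process from /proc/<pid>/status."""
import re

# Linux capability names indexed by bit number (kernel order, bits 0..40).
CAP_NAMES = [
    "chown", "dac_override", "dac_read_search", "fowner", "fsetid", "kill",
    "setgid", "setuid", "setpcap", "linux_immutable", "net_bind_service",
    "net_broadcast", "net_admin", "net_raw", "ipc_lock", "ipc_owner",
    "sys_module", "sys_rawio", "sys_chroot", "sys_ptrace", "sys_pacct",
    "sys_admin", "sys_boot", "sys_nice", "sys_resource", "sys_time",
    "sys_tty_config", "mknod", "lease", "audit_write", "audit_control",
    "setfcap", "mac_override", "mac_admin", "syslog", "wake_alarm",
    "block_suspend", "audit_read", "perfmon", "bpf", "checkpoint_restore",
]
# Assumed list: capabilities that undermine most of the isolation described above.
RISKY_CAPS = {"sys_admin", "sys_ptrace", "sys_module", "net_admin", "sys_rawio"}
SECCOMP_MODES = {"0": "disabled", "1": "strict", "2": "filter"}

def decode_caps(hex_mask):
    """Turn a CapEff/CapBnd hex mask into the capability names whose bit is set."""
    mask = int(hex_mask, 16)
    return [name for bit, name in enumerate(CAP_NAMES) if mask >> bit & 1]

def audit_status(status_text):
    """Parse /proc/<pid>/status text and report caps, seccomp mode and risky caps."""
    fields = dict(re.findall(r"^(\w+):\s*(.*)$", status_text, re.M))
    caps = decode_caps(fields["CapEff"])
    return {
        "effective": caps,
        "seccomp": SECCOMP_MODES.get(fields.get("Seccomp", "0"), "unknown"),
        "no_new_privs": fields.get("NoNewPrivs") == "1",
        "risky": sorted(RISKY_CAPS & set(caps)),
    }

# Constructed sample: CapEff 00000000a80425fb is the default Docker capability set.
SAMPLE_STATUS = """Name:\tsh
Pid:\t4242
NSpid:\t4242\t1
CapEff:\t00000000a80425fb
Seccomp:\t2
NoNewPrivs:\t0
"""

if __name__ == "__main__":
    print(audit_status(SAMPLE_STATUS))
```

On a real host, feed it `open(f"/proc/{pid}/status").read()`; the NSpid line also shows the PID-namespace mapping (host PID 4242 is PID 1 inside the container).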

Runtimes

  • LXC - tools, templates, and library and language bindings that use the kernel containment features directly - https://linuxcontainers.org/
  • libcontainer - golang library created for docker that uses the kernel containment features
  • runc - portable container runtime that implements the OCI spec, cli wrapper for libcontainer

High Levels

  • Docker - container engine, used to use LXC but then switched to libcontainer/runc
  • rkt - pod-native design that was built by CoreOS (no longer developed)
  • containerd - daemon that manages the complete container lifecycle, from image transfer to exec to supervision. Used by kubernetes (k8s) and docker internally
  • CRI-O - lightweight container engine built specifically for kube; an alternative runtime for running kube

Debian

Opening Docker Images