L1051/L1052 - LINUX CONTAINER INTERNALS
How they really work
Scott McCarty, 5/21/2018
ARCHITECTURE
The Internet is WRONG :-)
Important corrections
● Containers do not run ON docker. Containers are processes - they run on the Linux kernel. Containers are Linux.
● The docker daemon is one of the many user space tools/libraries that talks to the kernel to set up containers.
3 Scott McCarty, Twitter: @fatherlinux
Production-Ready Containers
What are the building blocks you need to think about?
4 Scott McCarty Twitter: @fatherlinux Blog: bit.ly/fatherlinux
TYPICAL ARCHITECTURE
Bringing it All Together
In distributed systems, the user must interact through APIs
CONTAINERS ARE LINUX
The Libraries and Data Structures
Userspace libraries interact with the kernel to isolate processes
● Libraries
○ LXC, LXD, LibContainer, systemd nspawn, LibVirt
● Kernel Data Structures
○ Name Spaces
○ Cgroups
○ SELinux
THE USER SPACE TOOL CHAIN
On a Single Host
The user space tool chain adds the following:
● A local daemon
● Simple CLI/REST interface
● Support for container images (OCI) and connection to registries
THE ORCHESTRATION TOOLCHAIN
On Multiple Hosts
The orchestration toolchain adds the following:
● More daemons (it’s a party) :-)
● Scheduling across multiple hosts
● Application Orchestration
● Distributed builds (OpenShift)
● Registry (OpenShift)
THE COMMUNITY LANDSCAPE
Open Source, Leadership & Standards
The landscape is made up of committees, standards bodies, and open source projects:
● Docker/Moby
● Kubernetes/OpenShift
● OCI Specifications
● Cloud Native Technical Leadership
OVERVIEW OF THE DIFFERENT STANDARDS
Vendor, Community, and Standards Body driven
Many different standards
WORKING TOGETHER
Standards in different places achieve different goals
Different standards are focused on different parts of the stack.
● Container Images & Registries
● Container Runtimes
● Container Networking
CONTAINER IMAGES
Fancy Files
People forget about Glibc...
Container Images
Virtual machines and container environments
Fancy Files
Actually, they are layers...
Fancy File Servers
Actually, they are repositories
Fancy Files
How do we currently collaborate in the user space?
Fancy Files
The future of collaboration in the user space....
CONTAINER HOST
Fancy Processes
People forget about Glibc...
Linux Containers
Fancy Processes
Regular Linux Process
Containerized Process
Containerized Processes
Starting the process with namespaces, cgroups, and security controls
Containerized Processes
Starting the process in a namespace
Containerized Processes
The containerized process still uses the underlying kernel abstractions...
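An added example, not from the slides, of what "containerized process" means at the kernel level: a C program that compares a process's namespace inodes under /proc/<pid>/ns with those of PID 1, the way a responder checks whether a suspect process was started in its own namespaces. The namespace type list and the program name nscheck are assumptions of this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
/* Namespace types exposed under /proc/<pid>/ns on current kernels (assumed list). */
static const char *NS_TYPES[] = {"mnt", "pid", "net", "uts", "ipc", "user", "cgroup"};
#define NS_COUNT (sizeof NS_TYPES / sizeof NS_TYPES[0])
/* Parse the inode out of a namespace link such as "pid:[4026531836]".
 * Returns 0 when the text is not in that form. */
unsigned long parse_ns_link(const char *link) {
    const char *bracket = strchr(link, '[');
    return bracket ? strtoul(bracket + 1, NULL, 10) : 0;
}
/* Inode of <pid>'s namespace of the given type; 0 if /proc is missing,
 * the kernel lacks that namespace type, or we may not inspect <pid>. */
unsigned long ns_inode(pid_t pid, const char *type) {
    char path[64], link[64];
    snprintf(path, sizeof path, "/proc/%d/ns/%s", (int)pid, type);
    ssize_t n = readlink(path, link, sizeof link - 1);
    if (n < 0) return 0;
    link[n] = '\0';
    return parse_ns_link(link);
}
/* Number of namespace types in which processes a and b differ,
 * or -1 if either process could not be inspected. */
int differing_namespaces(pid_t a, pid_t b) {
    int differ = 0;
    for (size_t i = 0; i < NS_COUNT; i++) {
        unsigned long ia = ns_inode(a, NS_TYPES[i]);
        unsigned long ib = ns_inode(b, NS_TYPES[i]);
        if (ia == 0 || ib == 0) return -1;
        if (ia != ib) differ++;
    }
    return differ;
}
/* Usage: ./nscheck [pid]. From the host, pass a container's PID: a regular
 * process matches PID 1 in every type, a containerized one differs in several. */
int main(int argc, char **argv) {
    pid_t target = argc > 1 ? (pid_t)atoi(argv[1]) : getpid();
    for (size_t i = 0; i < NS_COUNT; i++)
        printf("%-7s pid%d=%lu pid1=%lu\n", NS_TYPES[i], (int)target,
               ns_inode(target, NS_TYPES[i]), ns_inode(1, NS_TYPES[i]));
    int d = differing_namespaces(target, 1);
    if (d < 0) puts("could not inspect (need /proc and ptrace access to both pids)");
    else printf("%d namespace type(s) differ from PID 1\n", d);
    return 0;
}
```

Reading /proc/<pid>/ns/* of another user's process needs ptrace-level access, so run it as root on the host; inside the container itself PID 1 is the container's init, so the comparison must be made from the host side.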
Mounts
Copy on write vs. bind mounts
CONTAINER ORCHESTRATION
Application Containers
This is what most people think of with Docker
Container Orchestration
Multiple nodes changes everything
Container Orchestration
You can hack a solution together yourself, but it’s ugly...
Kubernetes/OpenShift
This Standardizes Everything
The Daemons
Bringing it All Together
User -> OpenShift -> Docker -> Kernel
THE LOGIC
Bringing it All Together
THANK YOU
plus.google.com/+RedHat facebook.com/redhatinc
linkedin.com/company/red-hat twitter.com/RedHatNews
youtube.com/user/RedHatVideos
AGENDA
L103118 - Linux container internals
10:15AM—10:25AM INTRODUCTION
10:25AM—10:40AM ARCHITECTURE
10:40AM—11:05AM CONTAINER IMAGES
11:05AM—11:35AM CONTAINER HOSTS
11:35AM—12:05PM CONTAINER ORCHESTRATION
12:05PM—12:15PM CONCLUSION
Materials
The lab is made up of multiple documents and a GitHub repository
● Presentation (Google Presentation): http://bit.ly/2pYAI9W
● Lab Guide (this document): http://bit.ly/2mIElPG
● Exercises (GitHub): http://bit.ly/2n5NtPl
CONTACT INFORMATION
We All Love Questions
● Billy Holmes: @gonoph111 [email protected]
● John Osborne: @openshiftfed [email protected]
● Scott McCarty: @fatherlinux [email protected]