Linux Containers From Scratch
Page 1
Joshua Hoffman
Linux Containers From Scratch
Velocity Europe 2014
Page 2
SETUP: INSTALL PACKAGES
Recommended mirror:
http://ftp.es.debian.org
Install packages:
● vim
● screen
● lftp
● busybox-static
● systemd
● yum
● qemu-utils
● aufs-tools
● pbzip2
● htop
Page 3
SETUP: CONFIGURE SYSTEMD
1. Edit /etc/default/grub
change the line:
GRUB_CMDLINE_LINUX=""
to:
GRUB_CMDLINE_LINUX="init=/bin/systemd"
2. Run the grub updater:
update-grub2
3. Reboot
Page 4
THE CLOUD
LINUX CONTAINERS
Page 5
THE CLOUD
LINUX CONTAINERS
FREE LUNCH
Page 6
DO NOT EXIST
Page 7
IDEAS
NOT THINGS
Page 8
PORTABILITY
Page 9
ISOLATION
Page 10
VIRTUAL MACHINE
ENVIRONMENT
Page 11
A logically isolated virtual environment.
A Linux Container
Page 12
FUNDAMENTALLY DIFFERENT THAN
VIRTUAL MACHINES
Page 13
TRANSPARENT
Page 14
Running in a Virtual Machine
# ps x
PID TTY STAT TIME COMMAND
689 ? R 1:06 qemu-kvm
as viewed from the host OS
Page 15
Running in a Linux Container
# ps x
PID TTY STAT TIME COMMAND
5347 ? R 2:22 unicorn_rails master -D -c kiffen.rb
as viewed from the host OS
Page 16
NAMESPACES
Page 17
NAMESPACES: NETWORK
Page 18
NETWORK NAMESPACE
$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master br0 state UP qlen 1000
    link/ether 00:01:2e:3b:be:14 brd ff:ff:ff:ff:ff:ff
    inet 10.21.0.22/24 brd 10.21.0.255 scope global br0
    inet6 fe80::201:2eff:fe3b:be14/64 scope link
       valid_lft forever preferred_lft forever
as viewed from iproute2
Page 19
NAMESPACES: MOUNT
Page 20
MOUNT NAMESPACE
$ ls /
bin etc lib media proc sbin sys var
boot home lib64 mnt root selinux tmp
dev lost+found opt run srv usr
as viewed from ls
Page 21
NAMESPACES: PID
Page 22
PID NAMESPACE
# ps x
PID TTY STAT TIME COMMAND
5347 ? R 2:22 unicorn_rails master -D -c kiffen.rb
as viewed from ps
Page 23
CGROUPS
Page 24
CGROUPS
# ls -F /sys/fs/cgroup/
blkio/ cpu@ cpuacct@ cpu,cpuacct/ cpuset/ devices/ freezer/ net_cls/ perf_event/ systemd/
# ls -F /sys/fs/cgroup/cpuset
cgroup.procs cpuset.cpu_exclusive cpuset.cpus cpuset.mem_exclusive cpuset.memory_migrate cpuset.mems tasks
(...output truncated...)
as viewed from ls
Page 25
DEMO: exploring containers with busybox
Page 26
Minimal Busybox Container
# mkdir -p {minimal,minimal/usr}/{bin,sbin,etc}
# for x in $(busybox --list-full); do
> ln -s /bin/sh minimal/$x; done
# cp --remove-destination /bin/busybox minimal/bin/sh
# touch minimal/etc/os-release
Page 27
Running The Container
Private mount namespace:
# chroot minimal /bin/sh
Private mount and pid namespace:
# systemd-nspawn -Dminimal /bin/sh
Private mount, pid, and network namespace:
# systemd-nspawn --private-network -Dminimal /bin/sh
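Added check, not code from the talk (function names are mine, the sample inode values are constructed): compare a process's /proc/<pid>/ns links with those of PID 1 to see which namespaces it actually has to itself. A plain chroot only changes the root directory and creates no namespace, so all its links match the host's, whereas systemd-nspawn unshares mount, pid, uts and ipc and adds net only with --private-network.

```python
import os

NS_NAMES = ("mnt", "pid", "net", "uts", "ipc")

def parse_ns_link(link):
    """'mnt:[4026531840]' -> ('mnt', 4026531840); raises ValueError otherwise."""
    name, sep, rest = link.partition(":")
    if not sep or not name or not (rest.startswith("[") and rest.endswith("]")):
        raise ValueError("not a namespace link: %r" % link)
    return name, int(rest[1:-1])

def private_namespaces(target, reference):
    """Names of the namespaces whose inode differs between two {ns: link} maps."""
    private = set()
    for ns in NS_NAMES:
        t_name, t_ino = parse_ns_link(target[ns])
        r_name, r_ino = parse_ns_link(reference[ns])
        if t_name != ns or r_name != ns:
            raise ValueError("link for %s names the wrong namespace" % ns)
        if t_ino != r_ino:
            private.add(ns)
    return private

def read_ns_links(pid):
    """Live read of /proc/<pid>/ns/*: Linux only, needs ptrace-level access to pid."""
    return {ns: os.readlink("/proc/%d/ns/%s" % (pid, ns)) for ns in NS_NAMES}

def live_private_namespaces(pid, reference_pid=1):
    return private_namespaces(read_ns_links(pid), read_ns_links(reference_pid))

# Constructed sample values (not captured from the demo machine).
HOST = {"mnt": "mnt:[4026531840]", "pid": "pid:[4026531836]", "net": "net:[4026531956]",
        "uts": "uts:[4026531838]", "ipc": "ipc:[4026531839]"}
# Shell from `systemd-nspawn -Dminimal /bin/sh`: new mnt/pid/uts/ipc, still the host's net.
NSPAWN_SHELL = {"mnt": "mnt:[4026532201]", "pid": "pid:[4026532204]", "net": "net:[4026531956]",
                "uts": "uts:[4026532202]", "ipc": "ipc:[4026532203]"}
# Shell from `chroot minimal /bin/sh`: root directory changed, no new namespace at all.
CHROOT_SHELL = dict(HOST)

if __name__ == "__main__":
    print("nspawn :", sorted(private_namespaces(NSPAWN_SHELL, HOST)))  # ['ipc', 'mnt', 'pid', 'uts']
    print("chroot :", sorted(private_namespaces(CHROOT_SHELL, HOST)))  # []
    try:
        print("this process vs PID 1:", sorted(live_private_namespaces(os.getpid())))
    except OSError as e:  # not Linux, or no permission to read PID 1's links
        print("live check skipped:", e)
```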
Page 28
DEMO: building a container image with cpio
Page 29
Build A Container Image With cpio
# find minimal -print | cpio -o |
> pbzip2 -c > minimal.cpio.bz2
# ls -lh minimal.cpio.bz2
-rw-r--r-- 1 root root 852K Nov 18 12:48 minimal.cpio.bz2
Page 30
DEMO: limiting cpu access with cgroups
Page 31
Limiting CPU Access With cgroups
# dd if=/dev/urandom of=datafile bs=1M count=100
# time pbzip2 -k -9 datafile
# mkdir /sys/fs/cgroup/cpuset/my_cpuset
# echo 0 > /sys/fs/cgroup/cpuset/my_cpuset/cpuset.cpus
# echo 0 > /sys/fs/cgroup/cpuset/my_cpuset/cpuset.mems
# echo $$ > /sys/fs/cgroup/cpuset/my_cpuset/tasks
# time pbzip2 -k -9 datafile
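Added example, not from the talk (function names are mine, the /proc/<pid>/cgroup text is a constructed sample): confirm from /proc/<pid>/cgroup that the shell really moved into my_cpuset, and decode the kernel's cpuset.cpus list format to see which CPUs it may now use, which is why the second pbzip2 run is slower.

```python
import os

def cgroup_path(proc_cgroup, controller):
    """cgroup-v1 path of <controller> in the text of /proc/<pid>/cgroup, e.g. '5:cpuset:/my_cpuset'.
    The middle field may name several controllers ('4:cpu,cpuacct:/'); None if absent."""
    for line in proc_cgroup.splitlines():
        fields = line.split(":", 2)
        if len(fields) == 3 and controller in fields[1].split(","):
            return fields[2]
    return None

def parse_cpulist(text):
    """Kernel list format as read from cpuset.cpus: '0-2,4' -> {0, 1, 2, 4}.  An empty string means
    no CPUs; the kernel refuses to add tasks then, which is why the slide writes cpus and mems first."""
    cpus = set()
    for part in text.strip().split(","):
        if not part:
            continue
        lo, _, hi = part.partition("-")
        lo, hi = int(lo), int(hi or lo)
        if hi < lo:
            raise ValueError("bad range: %r" % part)
        cpus.update(range(lo, hi + 1))
    return cpus

def allowed_cpus(pid, mount="/sys/fs/cgroup/cpuset"):
    """Live check (Linux, cgroup v1): the CPUs the cpuset hierarchy lets <pid> run on."""
    with open("/proc/%d/cgroup" % pid) as f:
        path = cgroup_path(f.read(), "cpuset")
    if path is None:
        return None
    with open(os.path.join(mount, path.lstrip("/"), "cpuset.cpus")) as f:
        return parse_cpulist(f.read())

# Constructed sample of /proc/<pid>/cgroup after `echo $$ > .../my_cpuset/tasks`.
SAMPLE_PROC_CGROUP = """\
5:cpuset:/my_cpuset
4:cpu,cpuacct:/
3:devices:/
2:freezer:/
1:name=systemd:/user.slice/user-0.slice/session-1.scope
"""

if __name__ == "__main__":
    print(cgroup_path(SAMPLE_PROC_CGROUP, "cpuset"))  # /my_cpuset
    print(sorted(parse_cpulist("0")))                  # [0]: pbzip2 now gets a single core
    print(sorted(parse_cpulist("0-3,8")))              # [0, 1, 2, 3, 8]
```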
Page 32
DEMO: connect a container to the network
Page 33
Connect The Network With iproute2
# ip netns add minimal
# ip link add eth1 type veth peer name veth1
# ip link set eth1 netns minimal
# ip a add 10.0.0.1/24 dev veth1
# ip l set veth1 up
# ip netns exec minimal chroot minimal /bin/sh
(in the container)
# ip a add 10.0.0.2/24 dev eth1
# ip l set eth1 up
Page 34
DEMO: installing a service stack with yum
Page 35
SETUP: CONFIGURE YUM
Create a file called yum.conf with the following contents:
[main]
cachedir=/var/cache/yum
keepcache=1
debuglevel=2
logfile=/var/log/yum.log
exactarch=1
obsoletes=1
[base]
name=CentOS-7 - Base
#mirrorlist=http://mirrorlist.centos.org/?release=7&arch=x86_64&repo=os
baseurl=http://192.168.56.1/centos/
gpgcheck=0
enabled=1
Page 36
Install A Service Stack With yum
# mkdir -p /lcfs/ftp_stack
# yum -c yum.conf --installroot=/lcfs/ftp_stack \
> install vsftpd
# ip netns exec minimal chroot /lcfs/ftp_stack /bin/bash
(in the container)
# /sbin/vsftpd
Page 37
DEMO: splitting a container image into layers with aufs
Page 38
Container Layers With aufs
# mkdir -p /lcfs/base_stack
# yum -c yum.conf \
> --installroot=/lcfs/base_stack install basesystem
# cp yum.conf /lcfs/base_stack/etc/
# rm /lcfs/base_stack/etc/yum.repos.d/*repo
# mkdir /lcfs/{app_stack,tmp_stack}
# mount -t aufs -obr=/lcfs/app_stack:/lcfs/base_stack none \
> /lcfs/tmp_stack
# yum --installroot=/lcfs/tmp_stack install vsftpd
Page 39
DEMO: install a full OS with yum
Page 40
Install A Full OS With yum
# mkdir -p /lcfs/centos-rootfs
# yum -c yum.conf --installroot=/lcfs/centos-rootfs \
> groupinstall core
# chroot /lcfs/centos-rootfs
# passwd (set a new password)
# vi /etc/pam.d/session (comment out these lines)
session required pam_selinux.so close
session required pam_loginuid.so
session required pam_selinux.so open
Page 41
Run A Full OS Container
# systemd-nspawn --private-network -D/lcfs/centos-rootfs