
Containers – A Look Under the Hood - Gerlof Langeveld, AT Computing

The Linux Foundation · 2,790 views · 2 years ago

There are many implementations available to run containerized applications, such as Docker, CRI-O and Podman. All implementations depend on distinct features that are offered by the Linux kernel. Knowledge about these features helps you to understand how containerized applications operate under the hood and eventually helps with debugging.

Gerlof covers three kernel features that are the foundation of the container concept:

1. Kernel namespaces, used to isolate a process from the other processes running on the same host.
2. A per-process root directory, which enables an application process to have its own private mini-filesystem containing just the files that are needed to run that process.
3. Capabilities, used to determine the special privileges for a process, regardless of whether the process runs under root identity (uid 0) or not.

Gerlof also explains how these features relate to particular parameters used on container platforms, like ‘--pid=host’ (namespaces) or ‘--cap-add=...’ (capabilities) when using Docker. During this workshop you gain hands-on experience by building a containerized application, just by using standard Linux commands.
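The namespace and capability settings described above can be audited from /proc with standard tools. The script below is an added example, not material from the talk: it decodes a capability mask from /proc/<pid>/status and compares namespace link targets. The function names are hypothetical, and the status text, masks and namespace identifiers are constructed sample values.

```sh
#!/bin/sh
# Added example. Capability names by bit number (bit 0 first), per linux/capability.h.
CAP_NAMES="chown dac_override dac_read_search fowner fsetid kill setgid setuid
setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw
ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct
sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease
audit_write audit_control setfcap mac_override mac_admin syslog wake_alarm
block_suspend audit_read perfmon bpf checkpoint_restore"
# Constructed sample of the capability lines in /proc/<pid>/status.
SAMPLE_STATUS='Name:   demo-app
Uid:    0       0       0       0
CapPrm: 00000000a82425fb
CapEff: 00000000a82425fb
CapBnd: 00000000a82425fb'

# cap_field FIELD: read status text on stdin, print that field's hex mask.
cap_field() {
    awk -v f="$1:" '$1 == f { print $2 }'
}

# decode_caps HEXMASK: print the names of the bits set in the mask.
decode_caps() {
    mask=$((0x$1)); bit=0; out=""
    for name in $CAP_NAMES; do
        if [ $(( (mask >> bit) & 1 )) -eq 1 ]; then
            out="${out:+$out }$name"
        fi
        bit=$((bit + 1))
    done
    printf '%s\n' "$out"
}

# extra_caps HEXMASK BASELINE: capabilities present beyond a baseline mask,
# i.e. what an option such as --cap-add contributed.
extra_caps() {
    decode_caps "$(printf '%x' $(( 0x$1 & ~0x$2 )))"
}

# ns_state LINK_A LINK_B: compare two /proc/<pid>/ns/<type> link targets,
# e.g. "$(readlink /proc/1/ns/pid)" on the host and the same for a container PID.
ns_state() {
    if [ "$1" = "$2" ]; then echo shared; else echo isolated; fi
}

# Demo on the constructed sample; the baseline mask is a constructed value too.
eff=$(printf '%s\n' "$SAMPLE_STATUS" | cap_field CapEff)
echo "effective: $(decode_caps "$eff")"
echo "beyond baseline: $(extra_caps "$eff" 00000000a80425fb)"
echo "pid namespace: $(ns_state 'pid:[4026531836]' 'pid:[4026532201]')"
```

On a live host, feed `cap_field` from `/proc/<pid>/status` and pass `ns_state` the `readlink` output for the two processes; a "shared" PID namespace between PID 1 on the host and a container process is what ‘--pid=host’ produces.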
