Docker introduction

1EMC CONFIDENTIAL—INTERNAL USE ONLY
Docker Introduction
Layne

$ uname -a
> No ops introduction
> No codes
> No Docker network (next time?)
> No Docker storage (Dockerone,
Vivian)
> One target: what is Docker?
> StarII program. Thanks for
being here.

$ ls –al ./
> $ man Docker
> $ man cgroup
> $ man namespaces
> User namespaces?
> Security your Docker
> $man UnionFS
> $man docker-layer

$ cat Docker
ＯS Virtualization

$ cat Docker
ＯS Virtualization
• Virtual machine emulates everything, including hardware
• Container isolates processes, users and filesystem.

$ cat Docker
LXC + Union FS

$ cat Docker
LXC + Union FS
cgroup + namespaces + Union FS

$ which Isolation
What is Isolation?

$ pstree -p

$ man cgroup
• Limit, account, and isolate resource usage (CPU, memory, disk I/O, and more)
of process groups:
– Resource limiting: groups can be set to not exceed a set memory limit;
– Prioritization: some groups may get larger share of CPU or disk I/O
throughput;
– Accounting: to measure how much resource certain systems use;
– Control: freezing groups or checkpoint and restart

$ man cgroup

$ man cgroup
Monitor resource inside a container?
Or: vmstat, iostat…

$ man cgroup
Or: docker stats c7e8b77f5d84

$ man namespaces
• UTS: isolate node-name and domain-name—returned by the uname()
system call
• Network: provide isolation of the system resources associated with
networking, including own network devices, IP addresses, IP routing tables,
/proc/net directory, port numbers, and so on.
• PID: isolate the process ID number space.
• Mount: isolate the set of filesystem mount points seen by a group of
processes. Thus, processes in different mount namespaces can have different
views of the filesystem hierarchy.
• IPC: isolate certain inter-process communication (IPC) resources, namely,
System V IPC objects and POSIX message queues.
• User: isolate the user and group ID number spaces. In other words, a
process's user and group IDs can be different inside and outside a user
namespace.

$ pstree -p

$ man namespaces
docker run -it -m 256m --net=container:09f40c99ea5c
ubuntu:14.04 /bin/bash

$ man namespaces

Network namespaces

Wait, why same host name?

Why say no User namespaces (yet)?

Why say no User namespaces (yet)?
ID-inside-ns ID-outside-ns length

Security your Docker
• No “--privileged=true”
• GID_Mapping/UID_Mapping with LXC driver;
• SELinux or AppArmor
• Libseccomp
• Capabilities
• ...
See: https://github.com/GDSSecurity/Docker-Secure-Deployment-Guidelines

Security your Docker

Conclusion of Isolation
–What is Isolation?
–Why we feel Docker is excellent?

$ man UnionFS
It allows files and directories of separate file
systems, known as branches, to be
transparently overlaid, forming a single
coherent file system. Contents of directories
which have the same path within the
merged branches will be seen together in a
single merged directory, within the new,
virtual filesystem.
When mounting branches, the priority of
one branch over the other is specified. So
when both branches contain a file with the
same name, one gets priority over the other.
The different branches may be both read-only and read-write file systems, so that writes to the virtual,
merged copy are directed to a specific real file system. This allows a file system to appear as writable, but
without actually allowing writes to change the file system, also known as copy-on-write.

$ man docker-layer
• Each layer of the FS is mounted on top of prior layers
• The first layer is the base image
• Current base images include debian, ubuntu, busybox,
fedora, cent os, etc
• Each read-only layer is called an image (A layer is just
a collection of files and folders!)
• The top layer is the only modifiable layer - it’s termed
the container

$ man docker-layer

$ (reverse-i-search)`cat': cat Docker
cgroup + namespaces + Union FS

$ ls -AF |grep '^.'
curl http://10.32.105.223/add_certs | sudo sh
(Only worked in Ubuntu currently)

Docker introduction

More Related Content

What's hot (20)

Viewers also liked (8)

Similar to Docker introduction (20)

Recently uploaded (20)

Docker introduction