For almost two years, our Prague IT hub has supported external tech meetups and communities so that our employees have an opportunity to meet and actively participate with experts in their field. On February 13th, 25 people attended the fifth Prague Containers Meetup at our Five building.
This session provided more hands-on experience and focused on building a personal container runtime, an alternative to Docker. During the session, attendees went through the kernel container plumbing such as namespaces, cgroups, and seccomp filters.
Linux kernel namespaces got the most attention, and the first one we looked at was “user namespaces.” These enable the creation of user ID maps and user privilege escalation by granting the CAP_SYS_ADMIN capability. This allows the user to escalate themselves to the root user in the newly created user namespace and create other namespaces.
Next we introduced the “network namespace,” which enables containers to isolate themselves from the host's networking and create their own network setup. Then we explored the “process namespace” (the kernel's PID namespace) and showed how you can isolate information about processes running in a container from the host's processes.
Finally we looked at the “mount namespace,” which is the oldest namespace in the kernel and enables the container engine to isolate the filesystem from the host. We ended the session by showing the “pivot_root” syscall, which lets a container turn its root directory into a properly mounted filesystem inside its own mount namespace.
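As an added illustration (not code from the meetup or its organizers), here is a minimal runtime in C that ties those pieces together: it clones a child into new user, PID, mount and network namespaces, maps the caller to uid/gid 0 inside the user namespace, and pivot_roots into a rootfs directory before exec'ing the requested command. The rootfs path and command are assumed to be supplied on the command line, and the helper names (`build_id_map`, `write_proc`, `run_container`) are my own.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <sched.h>
#include <signal.h>
#include <stdio.h>
#include <sys/mount.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>
/* User namespace first: it owns the others, so an unprivileged caller may create them. */
#define CONTAINER_FLAGS (CLONE_NEWUSER | CLONE_NEWPID | CLONE_NEWNS | CLONE_NEWNET)
#define FAIL(msg) do { perror(msg); return 1; } while (0)
static char stack[1 << 20];                          /* child stack; clone() takes its top */
struct cfg { const char *rootfs; char *const *argv; int sync_fd; };
/* Render one "inside outside count" line for /proc/<pid>/{uid,gid}_map; returns its length. */
int build_id_map(char *buf, size_t n, unsigned inside, unsigned outside, unsigned count) {
    return snprintf(buf, n, "%u %u %u\n", inside, outside, count);
}
/* Write data to /proc/<pid>/<name>; returns 0 on success, -1 on failure. */
int write_proc(pid_t pid, const char *name, const char *data) {
    char path[64]; snprintf(path, sizeof path, "/proc/%d/%s", pid, name);
    int fd = open(path, O_WRONLY); if (fd < 0) return -1;
    int n = dprintf(fd, "%s", data); close(fd);
    return n < 0 ? -1 : 0;
}
/* Runs inside the new namespaces: wait for the ID maps, isolate mounts, pivot_root, exec. */
static int child(void *arg) {
    struct cfg *c = arg; char ch;
    (void)!read(c->sync_fd, &ch, 1);                 /* returns once the parent closes its end */
    if (mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL)) FAIL("make / private");
    /* pivot_root needs new_root to be a mount point, so bind-mount the rootfs onto itself */
    if (mount(c->rootfs, c->rootfs, NULL, MS_BIND | MS_REC, NULL) || chdir(c->rootfs)) FAIL("enter rootfs");
    if (syscall(SYS_pivot_root, ".", ".")) FAIL("pivot_root"); /* old root now stacked on the new one */
    if (umount2(".", MNT_DETACH) || chdir("/")) FAIL("detach old root");
    execvp(c->argv[0], c->argv); FAIL("execvp");
}
/* Clone into fresh namespaces, map the caller to uid/gid 0 inside, release the child, wait. */
int run_container(const char *rootfs, char *const *argv) {
    int p[2], status; char map[64]; if (pipe(p)) return -1;
    struct cfg c = { rootfs, argv, p[0] };
    pid_t pid = clone(child, stack + sizeof stack, CONTAINER_FLAGS | SIGCHLD, &c);
    if (pid < 0) { perror("clone"); return -1; }
    write_proc(pid, "setgroups", "deny");           /* required before an unprivileged gid_map write */
    build_id_map(map, sizeof map, 0, getuid(), 1); write_proc(pid, "uid_map", map);
    build_id_map(map, sizeof map, 0, getgid(), 1); write_proc(pid, "gid_map", map);
    close(p[1]); waitpid(pid, &status, 0); return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
int main(int argc, char **argv) {                    /* usage: ./mini <rootfs> <cmd> [args...] */
    return argc < 3 ? 2 : run_container(argv[1], argv + 2);
}
```

Run it as an unprivileged user on a kernel with unprivileged user namespaces enabled, pointing it at a directory that holds a statically linked shell; the command inside sees itself as PID 1 and uid 0, with only a loopback interface and the rootfs as its filesystem.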
All of our session attendees learned how the kernel container plumbing works and created a PoC for a very small container runtime. This can be extended later into a proper debug tool for containers.
Special thanks to Jakub Veverka and David Becvarik for running this community and organizing such great meetups. We are looking forward to welcoming you again soon.