Praveen005/containers-from-scratch
Code is from this talk from GoTo 2018.

Namespaces:

  • It is a concept used in computing to create isolated environments.

  • Containers use namespaces to create isolated environments for running applications.

  • Namespaces are where we limit what a process can see.

  • Created with syscalls

  • This is a big part of a container, it makes a container what it is, restricting the view the processes have of the host machine.

Following are the different types of namespaces:

- Unix Timesharing System (UTS)
- Process IDs (PID)
- Mounts
- Network
- User IDs
- InterProcess Comms (IPC)

Working of container:

  1. Encapsulation into a container:

The entity that encapsulates these namespaces into what we call a "container" is not a single technological component, but rather the container runtime (like Docker). The runtime creates and manages these namespaces together, along with other isolation features like cgroups.

  2. Functioning inside a container:

While each namespace isolates a particular aspect of the system, they work together within the container to provide a complete, isolated environment. Here's how:

  • UTS namespace: Isolates hostname and domain name

  • PID namespace: Provides an isolated process tree

  • Network namespace: Isolates network interfaces, routing tables, etc.

  • Mount namespace: Provides an isolated file system view

  • IPC namespace: Isolates inter-process communication resources

  • User namespace: Isolates user and group ID number spaces

These namespaces aren't completely separate; they interact with each other within the confines of the container.

  3. Container Creation Process:

    When a container is created:

    • The container runtime creates new instances of each required namespace

    • It then launches the container's init process (e.g., your application) within these namespaces

    • This init process becomes PID 1 in the container's PID namespace

CGroups:
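The three creation steps above, as an added Go example written for these notes rather than taken from the repository or the talk: the parent re-executes itself through `/proc/self/exe` with `CLONE_NEWUTS`, `CLONE_NEWPID` and `CLONE_NEWNS`; the child, which is PID 1 in the new PID namespace, sets its own hostname, mounts a private `/proc` (so `ps` inside sees only the new process tree) and then runs the requested program. The hostname `container` and the `run`/`child` argument convention are assumptions of this example. Creating these namespaces needs root (or a user namespace), but `isolatedCommand` only builds the command and can be inspected unprivileged.

```go
package main

import (
	"fmt"
	"os"
	"os/exec"
	"syscall"
)

// namespaceFlags returns the clone(2) flags for the namespaces covered in
// these notes: UTS (hostname), PID (process tree) and mount (filesystem view).
func namespaceFlags() uintptr {
	return syscall.CLONE_NEWUTS |
		syscall.CLONE_NEWPID |
		syscall.CLONE_NEWNS
}

// isolatedCommand builds (but does not start) the re-exec'd child command
// with the new namespaces requested via SysProcAttr.Cloneflags.
func isolatedCommand(self string, args ...string) *exec.Cmd {
	cmd := exec.Command(self, append([]string{"child"}, args...)...)
	cmd.Stdin, cmd.Stdout, cmd.Stderr = os.Stdin, os.Stdout, os.Stderr
	cmd.SysProcAttr = &syscall.SysProcAttr{Cloneflags: namespaceFlags()}
	return cmd
}

// run is the parent side: it clones this same binary into fresh namespaces.
func run(args []string) error {
	return isolatedCommand("/proc/self/exe", args...).Run()
}

// child runs inside the new namespaces as PID 1. It sets the hostname, mounts
// a private /proc and execs the requested program, which inherits everything.
func child(args []string) error {
	fmt.Printf("running %v as pid %d\n", args, os.Getpid()) // pid is 1 here
	if err := syscall.Sethostname([]byte("container")); err != nil { // assumed name
		return fmt.Errorf("sethostname: %w", err)
	}
	// Make the mount tree private so the /proc mount below stays inside
	// the new mount namespace instead of propagating to the host.
	if err := syscall.Mount("", "/", "", syscall.MS_REC|syscall.MS_PRIVATE, ""); err != nil {
		return fmt.Errorf("mount private: %w", err)
	}
	if err := syscall.Mount("proc", "/proc", "proc", 0, ""); err != nil {
		return fmt.Errorf("mount proc: %w", err)
	}
	defer syscall.Unmount("/proc", 0)

	cmd := exec.Command(args[0], args[1:]...)
	cmd.Stdin, cmd.Stdout, cmd.Stderr = os.Stdin, os.Stdout, os.Stderr
	return cmd.Run()
}

func main() {
	if len(os.Args) < 3 {
		fmt.Fprintln(os.Stderr, "usage: <binary> run <cmd> [args...]")
		os.Exit(2)
	}
	var err error
	switch os.Args[1] {
	case "run":
		err = run(os.Args[2:])
	case "child":
		err = child(os.Args[2:])
	default:
		err = fmt.Errorf("unknown mode %q", os.Args[1])
	}
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
}
```

Built and run as root with `./binary run /bin/sh`, `hostname` inside the shell prints `container` while the host's hostname is untouched, and `ps` lists only the shell and its children. Mounting `/proc` matters because PID isolation is enforced by the kernel, but `ps` reads the host's `/proc` unless the child has its own mount.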

  • What you can use

  • Configured using a pseudo filesystem interface (so, it is another set of what look like directories and files, but we can manipulate them to set properties that we want the kernel to understand, and the kernel will write information into the filesystem, so we can read it back again)

    • Memory
    • CPU
    • I/O
    • Process numbers

If Namespaces restrict what we can see from inside a container, CGroups limit the resources that we can use.

CGroups basically determine how much memory, CPU and I/O bandwidth we can use, and also how many processes are allowed in a container.
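An added example (not the repository's or the talk's code) of the pseudo-filesystem interface just described, assuming cgroup v2 mounted at `/sys/fs/cgroup`: making a directory under the hierarchy creates a group, writing to `memory.max`, `pids.max`, `cpu.max` and `io.max` sets the limits, and appending a PID to `cgroup.procs` places that process in the group. The root path is a parameter so the same code can be run against a scratch directory; on a real v2 hierarchy the parent's `cgroup.subtree_control` must have the `memory`, `pids`, `cpu` and `io` controllers enabled, and writing under `/sys/fs/cgroup` needs root. The group name `demo` and the limit values are constructed for the example.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strconv"
	"strings"
)

// Limits holds the resource knobs from the notes, mapped to cgroup v2 files
// (the v2 layout is an assumption of this example).
type Limits struct {
	MemoryBytes int64  // memory.max
	MaxPids     int    // pids.max
	CPUQuotaUS  int64  // cpu.max: quota in microseconds per period
	CPUPeriodUS int64  // cpu.max: period in microseconds
	IOMax       string // io.max line, e.g. "8:0 rbps=1048576"; empty leaves it unset
}

// ApplyLimits creates the group <root>/<name>, writes one pseudo-file per
// limit and moves pid into the group by appending it to cgroup.procs.
// root is /sys/fs/cgroup on a real system; it is a parameter so the same
// function can be exercised against a scratch directory.
func ApplyLimits(root, name string, pid int, l Limits) error {
	dir := filepath.Join(root, name)
	// mkdir on cgroupfs is what creates the group; the kernel populates its files.
	if err := os.MkdirAll(dir, 0o755); err != nil {
		return err
	}
	settings := map[string]string{
		"memory.max": strconv.FormatInt(l.MemoryBytes, 10),
		"pids.max":   strconv.Itoa(l.MaxPids),
		"cpu.max":    fmt.Sprintf("%d %d", l.CPUQuotaUS, l.CPUPeriodUS),
	}
	if l.IOMax != "" {
		settings["io.max"] = l.IOMax
	}
	for file, value := range settings {
		if err := os.WriteFile(filepath.Join(dir, file), []byte(value+"\n"), 0o644); err != nil {
			return fmt.Errorf("write %s: %w", file, err)
		}
	}
	// Appending to cgroup.procs moves the process (and its future children)
	// into the group; O_APPEND keeps any pids already listed there.
	f, err := os.OpenFile(filepath.Join(dir, "cgroup.procs"), os.O_WRONLY|os.O_APPEND|os.O_CREATE, 0o644)
	if err != nil {
		return err
	}
	defer f.Close()
	_, err = fmt.Fprintf(f, "%d\n", pid)
	return err
}

// ReadSetting reads a limit back from the pseudo-filesystem, which is how the
// kernel reports the value it actually applied.
func ReadSetting(root, name, file string) (string, error) {
	b, err := os.ReadFile(filepath.Join(root, name, file))
	if err != nil {
		return "", err
	}
	return strings.TrimSpace(string(b)), nil
}

func main() {
	root := "/sys/fs/cgroup"
	if len(os.Args) > 1 {
		root = os.Args[1] // e.g. a temp dir when not running as root
	}
	// Constructed limits: 64 MiB, 20 processes, half a CPU (50ms per 100ms).
	lim := Limits{MemoryBytes: 64 << 20, MaxPids: 20, CPUQuotaUS: 50000, CPUPeriodUS: 100000}
	if err := ApplyLimits(root, "demo", os.Getpid(), lim); err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	for _, file := range []string{"memory.max", "pids.max", "cpu.max", "cgroup.procs"} {
		v, err := ReadSetting(root, "demo", file)
		if err != nil {
			fmt.Fprintln(os.Stderr, err)
			os.Exit(1)
		}
		fmt.Printf("%s = %s\n", file, v)
	}
}
```

Reading the files back is the check a practitioner wants: the kernel rewrites values it normalises (for example `max` for an unlimited setting), so what `ReadSetting` returns, not what was written, is the limit actually in force. A `pids.max` of 20 is the setting that stops a fork bomb started inside the container from exhausting the host's process table.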
