Container from scratch: building a Linux container from the ground up
It's all about containers these days. Containers are a fundamental part of the microservices model of development, providing isolated runtimes for application components. Containers can run the userland of one operating system version inside another (sharing the host's kernel), maintain self-contained applications that would otherwise conflict with their hosts, and allow multiple versions of the same application to be tested on the same machine.
In the Linux world, there are many technologies for building and running containers: LXC, Docker, buildah, podman, and others. If containers are useful, then assemblies of containers are even more useful. There are a number of frameworks for orchestrating large numbers of containers -- Kubernetes is probably the best-known.
Container managers like podman seem hugely sophisticated and, indeed, they are. However, the core features that all these tools rely on are, in fact, built into the Linux kernel already. What the tools really do is to provide convenient, friendly interfaces to kernel services like namespaces, virtual networks, and control groups.
This series of articles sets out to demonstrate how a Linux container infrastructure works, using only command-line tools. We won't be able to build general-purpose, production-quality container tooling this way, but we will be able to understand exactly how the mainstream tools do what they do.
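The kernel facility behind the first of those services can be seen without any container tooling at all: every process has a set of namespace links under /proc/PID/ns, and two processes are in the same namespace exactly when the link targets carry the same inode number. The following script is an added example, not code from the original article. It assumes a Linux /proc and, for the optional second report, an unshare(1) that is permitted to create an unprivileged user namespace; the function and variable names are mine.

```shell
#!/bin/sh
# Added example: inspect the kernel namespaces a process belongs to
# by reading /proc/<pid>/ns, the same facility container tools build on.

# Extract the inode number from a namespace link target such as
# "pid:[4026531836]" (the format readlink returns for /proc/<pid>/ns/*).
# Prints nothing if the input is not in that format.
ns_inode_from_link() {
    printf '%s\n' "$1" | sed -n 's/^[a-z_]*:\[\([0-9]*\)]$/\1/p'
}

# Return the namespace inode for a pid and a namespace type
# (mnt, uts, ipc, pid, net, user, cgroup). Reading another user's
# process requires the usual ptrace access, so unprivileged callers
# may get an empty result for processes they do not own.
ns_inode() {
    ns_inode_from_link "$(readlink "/proc/$1/ns/$2" 2>/dev/null)"
}

# Exit 0 if pids $1 and $2 share the namespace of type $3.
same_namespace() {
    a=$(ns_inode "$1" "$3")
    b=$(ns_inode "$2" "$3")
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# One-line report for pid $1 relative to reference pid $2: each
# namespace type is marked "same" if both pids share it, "DIFFERENT"
# otherwise. Comparing against PID 1 (as root) shows which namespaces
# a suspected container process has left; here we default to this shell.
ns_report() {
    pid=$1
    ref=${2:-$$}
    for nstype in mnt uts ipc pid net user cgroup; do
        if same_namespace "$pid" "$ref" "$nstype"; then
            printf '%s=same ' "$nstype"
        else
            printf '%s=DIFFERENT ' "$nstype"
        fi
    done
    printf '\n'
}

# Stand-alone demo: report on this shell, then, if unprivileged user
# namespaces are permitted here, on a child started with unshare -U.
ns_report "$$" "$$"
if unshare -U true 2>/dev/null; then
    unshare -U sleep 2 &
    child=$!
    sleep 1   # give unshare(1) time to enter the new namespace before reading it
    ns_report "$child" "$$"
    wait "$child"
fi
```

On a typical run the first line reports every namespace as "same" and the second line, when it appears, reports user=DIFFERENT with all the others unchanged: unshare -U created exactly one new namespace and left the process in the host's mount, PID and network namespaces. Running ns_report with PID 1 as the reference (which needs root) is the same check in the other direction, and is how you tell from the host side whether a process is confined at all.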
If you want to run the demonstrations in these articles you'll need the following:
- a relatively modern Linux system with cgroups and namespaces enabled in the kernel. In most modern distributions this support is enabled by default, but in some cases (Raspberry Pi in particular) you will need additional set-up. I've tested the demonstrations on Fedora 30 and Devuan 'Beowulf'. I suspect any relatively mainstream Linux from the last five years or so will be fine. You'll need the command-line utilities unshare and ip for some of the demonstrations;
- a way to run commands in separate sessions -- two terminal sessions on a Linux desktop will be sufficient;
- you'll need root access on the Linux system;
- if you want to prove that memory control works by running the sample C code I provide later, you'll need a C compiler, such as gcc.
These articles assume a fairly high level of Linux knowledge. I assume that the reader is comfortable working at the command line, and doing configuration by editing text files. I've really written these articles for developers and administrators who already use tools like podman, and want to know more about how they work. If you've never used containers before, this probably isn't the place to start -- I'd suggest getting familiar with podman as a first step.