overlay filesystem and containers
Containers
A container is a process running on the host system.
This process is started by the container runtime from a container image, and the runtime provides a set of tools to manage the container process.
Namespaces virtualize the container process’s PIDs, network, root filesystem, and users.
Cgroups help set resource usage limits the container process can consume on the host system, and security contexts enforce permissions the container process has on the host system.
A container, as a runtime object, consumes the typical resources any running process would consume on a system: storage for the file system and any saved configuration files, CPU, memory, and networking to serve traffic to/from external clients, and other containers or devices on the system.
docker: run a container from an image, connect to it with a shell, and install the necessary networking tools
docker run -d -it ubuntu:22.10 bash
docker run -d -it --privileged ubuntu:22.10 bash -> run with --privileged if you need to write to the filesystem
docker ps -> get "container_id" here
docker exec -it "container_id" bash
apt-get update -> update packages
sudo apt install -y cgroup-tools -> install cgroup tools
apt install iproute2
sudo apt install iputils-ping
sudo apt install -y unionfs-fuse -> install union filesystem
docker container commit 0be65324b69e ubu:01 -> create an image from an existing container, copying its ephemeral storage
docker search nginx -> search images from command line
docker stats -> see resource usage for containers
docker network ls -> list networks
docker network inspect nw_id -> inspect a network
docker container diff container_id -> see all filesystem changes in the container
docker network create -d bridge --attachable mynet -> create new network with bridge driver
docker network inspect mynet -> see subnet and gateway
docker container run -it --network=none alpine sh -> run container without network
Docker storage drivers for your needs
https://docs.docker.com/storage/storagedriver/select-storage-driver/
docker system df -> host system storage info
creating virtual ethernet device peers
https://manpages.ubuntu.com/manpages/jammy/man4/veth.4.html
nice explanation of the overlay filesystem that containers use
https://www.youtube.com/watch?v=DfENwtNRlD4
Security
Running container processes inherit their permissions from the user who is running the container engine – often as a daemon. As a result, one of the security best practices is to ensure the container engine and runtime are not run with root privileges, but run by regular non-root users.
Podman, in contrast to Docker, does not rely on a daemon, and it has supported both rootless and rooted modes since its early days, which is why it was introduced as a more secure containerization tool than the more popular Docker Engine.
Docker, or Podman and Buildah, are capable of content trust signature verification to ensure only signed images are run as containers by the runtime.
It is a clear security risk to allow a container process to run in rooted mode, giving it full access over host resources.
This can be addressed with capabilities. Although a complex mechanism, capabilities replace the need for full root access of a container process with a controlled and limited root access that can be managed and set at a very granular level. The benefit of capabilities is that the container process only receives the privileges over host resources that are critical for the container’s operation. All other resources are accessed as a regular user with unprivileged, restricted permissions.
AppArmor and Seccomp can be used to limit usage of host resources.
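To check what the capability notes above (and the `--privileged` run earlier) actually mean for a running container, here is an added example script, not part of the original notes, that decodes the `CapEff` bitmask from `/proc/<pid>/status` and reports which capabilities go beyond what a default, non-privileged `docker run` grants. The Docker default mask value and the `check_self` helper are assumptions based on a stock Docker Engine setup.

```shell
#!/bin/sh
# Decode Linux capability bitmasks (as shown in /proc/<pid>/status) and compare
# them against the default capability set of a non-privileged Docker container.

# Capability names in bit order from linux/capability.h (bit 0 = chown ... bit 40).
CAP_NAMES="chown dac_override dac_read_search fowner fsetid kill setgid setuid \
setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock \
ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot \
sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control \
setfcap mac_override mac_admin syslog wake_alarm block_suspend audit_read perfmon \
bpf checkpoint_restore"

# Assumed CapEff of root inside `docker run` without --privileged (14 capabilities).
DOCKER_DEFAULT_CAPS=0x00000000a80425fb

# print_cap_bits DECIMAL_MASK -> one capability name per line for every set bit
print_cap_bits() {
  mask=$1; i=0
  for name in $CAP_NAMES; do
    [ $(( (mask >> i) & 1 )) -eq 1 ] && printf '%s\n' "$name"
    i=$((i + 1))
  done
  return 0
}

# decode_caps HEXMASK -> names of all capabilities in the mask ("0x" prefix optional)
decode_caps() {
  print_cap_bits $(( 0x${1#0x} ))
}

# caps_beyond_default HEXMASK -> capabilities present in the mask but not in the
# Docker default set; empty output means the container is at or below default
caps_beyond_default() {
  print_cap_bits $(( 0x${1#0x} & ~$DOCKER_DEFAULT_CAPS ))
}

# has_cap HEXMASK NAME -> exit status 0 if NAME is in the mask, 1 otherwise
has_cap() {
  decode_caps "$1" | grep -qx "$2"
}

# check_self -> report the calling process's own effective capabilities (Linux only).
# Run inside a container to see what --cap-add/--cap-drop or --privileged granted.
check_self() {
  eff=$(awk '/^CapEff:/ {print $2}' /proc/self/status 2>/dev/null) || return 1
  echo "effective: $(decode_caps "$eff" | tr '\n' ' ')"
  extra=$(caps_beyond_default "$eff")
  [ -z "$extra" ] && echo "no capabilities beyond Docker default" || echo "beyond default: $extra"
}
```

Running `check_self` in a `--privileged` container lists `sys_admin`, `sys_module`, `net_admin` and the other capabilities that the default set deliberately leaves out.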