overlay filesystem and containers

Containers

container is a process running on the host system. 

This process is started by the container runtime from a container image, and the runtime provides a set of tools to manage the container process. 

Namespaces virtualize the container process’s PID, network, root, and users. 

Cgroups help set resource usage limits the container process can consume on the host system, and security contexts enforce permissions the container process has on the host system.

A container, as a runtime object, consumes the typical resources any running process would consume on a system: storage for the file system and any saved configuration files, CPU, memory, and networking to serve traffic to/from external clients, and other containers or devices on the system.


docker run container from image and connect it with shell , install necessary networking tools

docker run -d -it ubuntu:22.10 bash

docker run -d -it --privileged ubuntu:22.10 bash -> if you need to write to filesystem run wit privileged



docker ps -> get "container_id" here


docker exec -it "container_id" bash


apt-get update -> update packages


sudo apt install -y cgroup-tools -> install cgroups

lscgroup

apt install iproute2

sudo apt install iputils-ping


sudo apt install -y unionfs-fuse -> install union filesystem



docker container commit 0be65324b69e ubu:01 -> create image from existing container with copying it's ephemeral storage


docker search nginx -> search images from command line


docker stats -> see resource usage for containers


docker network ls
docket network inspect nw_id

docker container diff container_id -> see all changes filesystem of container


docker network create -d bridge --attachable mynet -> create new network with bridge driver


docker network inspect mynet -> see subnet and gateway


docker container run -it --network=none alpine sh -> run container without network


Docker storage drivers for your needs


https://docs.docker.com/storage/storagedriver/select-storage-driver/



docker system df -> host system storage info 


creating virtual ethernet device peers

https://manpages.ubuntu.com/manpages/jammy/man4/veth.4.html



nice explanation about overlay filesystem which containers are using


https://www.youtube.com/watch?v=DfENwtNRlD4


Security


Running container processes inherit their permissions from the user who is running the container engine – often as a daemon. As a result, one of the security best practices is to ensure the container engine and runtime are not run with root privileges, but run by regular non-root users.


Podman, in contrast to Docker, does not rely on a daemon, and it supported both rootless and rooted modes since its early days, the reason it was introduced as a more secure containerization tool than the more popular Docker Engine


Docker, or Podman and Buildah, are capable of content trust signature verification to ensure only signed images are run as containers by the runtime.


it is a clear security risk to allow a container process to run in rooted mode giving it full access over host resources.


it can be addressed with capabilities. A complex method indeed, capabilities replace the need for full root access of a container process with a controlled and limited root access that can be managed and set at a very granular level. The benefit of capabilities is that the container process will only receive the needed amount of privileges over the resources of the host that are critical for the container’s operations. All other resources will be accessed as a regular user with unprivileged restricted permissions.


AppArmor,Seccomp can be used to limit usage of host resources

Comments

Post a Comment

Popular posts from this blog

Pyppeteer fix for BrowserError: Browser closed unexpectedly

if you are having an error related with Pyppeteer   BrowserError: Browser closed unexpectedly   is just the error you get when Chrome crashes for whatever reason. It would be nice if pyppeteer printed out the error, but it doesn't. To track things down, it's helpful to pull up the exact command that pyppeteer runs. You can do that this way: from pyppeteer.launcher import Launcher ' '.join(Launcher().cmd) run output from command line and find missing libraries and install it.
Read more

How to add pagination to django comments for your model

First step is import Comment and ContentType to your view like below from django.contrib.comments.models import Comment from django.contrib.contenttypes.models import ContentType Second step is defining your model which you want to paginate its comments content_type_id= ContentType.objects.get_for_model( YOUR_MODEL_NAME ) Last get comments of specific instance of your model class with defining object_pk as filter parameter comments = Comment.objects.filter(content_type=content_type_id,object_pk=quote_id) here is complete view code from django.core.paginator import Paginator, InvalidPage, EmptyPage from django.contrib.comments.models import Comment from django.contrib.contenttypes.models import ContentType def quote_show_page(request,quote_id): quote = get_object_or_404(Quote, id=quote_id) content_type_id=ContentType.objects.get_for_model(Quote) comments = Comment.objects.filter(content_type=content_type_id,object_pk=quote_id) paginator = Paginator(comments, 5) # Show 5 comments pe...
Read more

Django project and Perfect setup of nginx config for www to nonwww and http to https and ip to domain redirects

Here I am sharing good setup of nginx config for following requirements. before following config you need to create 2 A record for both domain to ip and www.domain to ip in your dns provider. also for django settings file you can add domain and www.domain to ALLOWED_HOSTS http to https www to nonwww https://ip to domain http://ip to domain redirects place following config to your sites-enabled config file server {   listen 80;   listen 443 ssl;   server_name yourserverip;   ssl_certificate /home/yourdomain.com.crt;   ssl_certificate_key /home/yourdomain.com.key;   add_header X-Frame-Options "SAMEORIGIN";   return 301 https://yourdomain.com$request_uri; } server {     listen 443 ssl;     server_name yourdomain.com;     ssl_certificate /home/yourdomain.com.crt;     ssl_certificate_key /home/yourdomain.com.key;     ssl_protocols TLSv1.2 TLSv1.1 TLSv1;     ssl_prefer_server_ciphers on;   ...
Read more