Users

• System includes all users
• All users can see each other (who)
• All processes are visible (ps aux)

Filesystem & Access Control

• All users share the same filesystem
• Permissions/ownership control which files are accessible to which users
• path → file/directory

Dependency Management

Dependencies

• Dynamic libraries (which version?, is it installed?)
• Services (databases, webservers, GUI frameworks)

root

• Universal access

Application Development History^*

90s - bespoke, targeted development

• Compile everything together
• Static libraries, or dynamic libraries for an OS version

00s - frameworks, and increased application complexity

• Webserver/DB/Business logic
• Frameworks w/ library/language dependencies
• “dependency hell”
• Growth of VMs as unit of “application”

Application Development History II

10s - Applications via composition

• Coordination between components
• App development via library/service composition
• Languages with package management (but C dependencies)
• Growth of Containers as unit of “application”
• DevOps curate dev vs. production

Now - Assumed containers for distribution

• Containers + Kubernetes
• DevOps job of developers
• NP-complete dependency resolution in languages

App = Program + Dependencies

Separate System Namespaces

Namespace Definition

A Name is often a string or integer used to uniquely identify or address a resource.

A Namespace is the set of these Names.

Name Examples:

• filesystem paths
• process pids
• internet URLs

UNIX Namespaces

What are UNIX namespaces? In Linux: read more in man namespaces.

• pid_namespaces(7) - Process IDs
• user_namespaces(7) - User IDs/Group IDs
• mount_namespaces(7) - Filesystem namespaces
• ipc_namespaces(7) - System V IPC/POSIX message queue IDs
• network_namespaces(7) - Networking identity and addresses
• uts_namespaces(7) - System identity (hostname)

The unshare system call unshares namespaces in the next forked child.

pid Example

Containers can have overlapping pids, and cannot address other container’s pids!

$ whoami
root
$ kill -9 1234

…cannot kill 1234 if it is in another container!

unshare(CLONE_NEWPID);
if (fork() == 0) {
    assert(getpid() == 1);
    execv("/bin/init");
}

User Example

• Each container can have a root!
• User 1234 in one container is not the same user in another!

unshare(CLONE_NEWUSER);
if (fork() == 0) {
    setuid(0); /* I'm root now!...in my own little domain */
    assert(getuid() == 0);
    execv("/bin/init");
}

Filesystem Example

chroot(path) - Set the / of the FS for this process to be path.

Now all files I can access are in the subdirectory path.

chroot("/home/gparmer/myroot/");
chdir("/");
unshare(CLONE_NEWPID | CLONE_NEWUSER);
if (fork() == 0) {
    /* assuming `init` was originally in /home/gparmer/myroot/bin/init */
    execv("/bin/init");
}

Linux uses pivot_root(new_root, old_path) (link) instead of chroot (why). See the code in Docker.

Docker is a service

Docker Orchestration

Service (daemon) created by systemd

• dockerd

• awaits commands on a domain socket @ /var/run/docker.sock

  • start new containers with a specification
  • terminate containers
  • check in on a container

Containers and Android