by Cedricgc 2400 days ago
I enjoyed this blog post. Julia does a great job of distilling an idea down with examples.

I am fairly comfortable with Linux as a user for things like understanding processes, ports, key files and utilities, etc. The way I understand how to model abstractions like containers is to know the various OS primitives like cgroups, changing root, network isolation. Once one sees how those pieces come together to create the container abstraction, they can be mapped to the system calls provided by the OS. Usually they also have utilities bundled (like `chroot`) to interface with those primitives as an operator.


I have been confused about containers for so long but having read your comment and looking up the terms you mentioned allowed me to finally find the right articles that explained containers to me. Thanks!
Can YOU post links to the articles so we can learn?

Thanks!

On Linux, containers usually involve some more primitives than cgroups and namespaces. Bind mounts, overlayfs (TFA), veth network interfaces (to connect the network namespaces), network bridges, memfd, seccomp, procfs etc. are all bits and pieces that are used by most containers/sandboxes.

Many of those pieces can be useful on their own. For example, you don't need a full container if all you want to do is to ensure that some applications use a VPN and others use your public network address. A network namespace is all you need, and those are accessible through simple CLI tools such as `unshare` and `ip netns` and don't require behemoths like dockerd.

The tricky part is using them all together correctly, initializing them in the right order, not getting the control daemons confused by running in the wrong context and so on. That's where many of the security vulnerabilities come from.
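The network-namespace setup this comment describes, as an added example that is not part of the thread: a small POSIX sh script that creates a namespace, wires it to the host with a veth pair in the order the kernel requires, and runs a program confined to it. The namespace name (vpnonly), interface names (veth-host, veth-vpn) and the 10.200.0.0/24 addresses are assumptions; DRY_RUN=1 prints the commands instead of executing them so the ordering can be reviewed without root.

```shell
#!/bin/sh
# Added example (not from the thread): carve out a network namespace so that
# only programs started inside it use a VPN/alternate route, while the rest
# of the host keeps its normal network. Names and addresses are assumptions.
# DRY_RUN=1 prints the commands instead of executing them (no root needed).
set -eu

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Create the namespace and a veth pair, move one end inside, address both
# ends and bring them up. Order matters: the namespace must exist before an
# interface is moved into it, and an interface must be up before a route over
# it can be added.
netns_setup() {
    ns=$1; host_if=$2; ns_if=$3; net=$4    # e.g. vpnonly veth-host veth-vpn 10.200.0
    run ip netns add "$ns"
    run ip link add "$host_if" type veth peer name "$ns_if"
    run ip link set "$ns_if" netns "$ns"
    run ip addr add "$net.1/24" dev "$host_if"
    run ip link set "$host_if" up
    run ip -n "$ns" addr add "$net.2/24" dev "$ns_if"
    run ip -n "$ns" link set "$ns_if" up
    run ip -n "$ns" link set lo up
    # The namespace's only way out is the host end of the veth; the host
    # decides (policy routing, VPN tunnel) where that traffic goes. Without
    # this route, processes in the namespace reach nothing: fail closed.
    run ip -n "$ns" route add default via "$net.1"
}

# Run a program confined to the namespace (needs root, like the setup).
netns_run() {
    ns=$1; shift
    run ip netns exec "$ns" "$@"
}

# Deleting the namespace also destroys the veth end that lives inside it.
netns_teardown() {
    run ip netns del "$1"
}
```

Until the host side routes or NATs 10.200.0.0/24 into the VPN tunnel, the namespace has a path only as far as veth-host, so a misconfiguration leaves the confined program offline rather than leaking onto the public address.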