►
From YouTube: Linux Container Internals by Great Umegbewe
Description
The microservices-driven architecture would not be thriving today if it were not for matching runtime environments - the container runtimes. Containers however, would not be possible without the availability of features that enable the virtualization of resources such as processes, filesystems and devices. In this talk, we would explore the following: * How Containers work. * The features in the Linux Kernel that make them possible precisely cgroups, namespaces, and UnionFS. * Container Runtimes * Container Storage and Networking.
---
KCD Africa 2022 is the 2nd iteration of the Kubernetes Community Days Africa, a CNCF-powered free community event. Visit https://kcdafrica.com for more information.
A
B
B
Okay,
okay,
so
I
was
thinking
about
the
container
internal,
so
what's
really
makes
them
possible
and
how
they
really
work
so
yeah,
okay,
so
meet
me.
My
name
is
great
xerox,
great
on
twitter
and
I'm
an
sre
address,
aryan,
devops
rtci,
so
tci
is
a
company
based
in
the
uk
and
we
basically
help
organizations
move
to
cloud
native
and
also
build
products
for
them.
So
I
mean
knox
fanboy
pretty
much.
As
far
as
I
remember,
I've
been
using
linux
since
about
age
of
nine
yeah.
B
B
I
also
like
the
technique
nightworks,
I'm
generally
funny
and
I'm
red
sometimes
so
that's
that
yeah
so
just
lighting
the
mood.
This
is
how
I
walk
around
and
so
as
soon
as
you
say,
hi
to
me,
I
smile
so
in
case.
See
me
anywhere
and
I'm
burning
my
face:
don't
hesitate
to
say
hi,
I'm
always
smiling
yeah,
so
yeah,
just
a
disclaimer
just
so
that
we
can
set
things
straight.
Containers
don't
run
on
docker.
B
That
is
like
a
misconception
or
a
misrepresenting
air
misrepresentation,
because
containers
are
wrong
on
docker.
Docker
is
just
one
of
those
several
container
engines
that
interact
with
container
runtimes
container
on
times
like
container
wrong
and
the
rest
of
them,
which
in
turn
asks
the
canal
to
set
up
containers,
so
other
container
engines
you
can
find
is
like
cryo
and
portland.
There
are
some
examples
of
container
engines
you
can
find
around.
B
B
So
what
are
containers?
I'm
sure
you
have
had
what
containers
are
containers
like
apples,
okay,
so
containers
is
like
a
form
of
operating
system
virtualization.
So
this
is
not
like
a
full
virtualization,
because
containers
depend
on
system
canal
like
you're,
not
scanning
to
like
to
set
up
and
yeah.
So
containers
is
like
a
form
of
virtualization
and
isolation,
because
containers
are
isolated
from
their
host
system.
B
They
have
their
own
pids,
that
is,
process
ids
and
they
have
their
own
network
and
all
that
so
containers
help
you
to
package
application
code
together
with
these
dependencies
so
that
you
can
run
them
in
in
between
environments.
So
containers
come
with
portability
where
you
can
run
them
on
different
environments,
no
need
to
start
installing
dependencies,
so
let's
say,
for
example,
you're
on
the
windows,
your
new
mac
os,
and
I
built
a
python
application,
and
I
give
you
the
code.
B
Okay,
I
want
you
to
run
this
application
so,
instead
of
use
starting
to
like
run
python
installing
python,
installing,
like
the
libraries
like,
let
me
say,
for
example,
panda
andres
is
obviously
done.
It's
already
packaged
into
a
container,
so
you
can
just
run
the
container
and
everything
will
run
perfectly.
So
one
thing
to
take
note
here
is
that
containers
have
run
as
processes
on
the
operating
system.
B
So
this
is
the
what
we
should
take
note
of
here,
because
I
won't
be
talking
much
on
containers
I'll,
be
talking
about
containers
like
from
from
a
higher
level
from
an
operating
system
level.
How
containers
are
run
on
the
system
than
containers
at
the
I'll
be
talking
from
a
lower
level?
Yeah.
So
does
that
I'll
be
talking
about
containers
as
processes
so
yeah?
So
we
have
the
control
groups.
B
A
container
is
a
process
of
course
limits.
Memory,
container
limits
cpu
to
a
container
and
all
that.
So
the
reason
for
even
c
groups
are
the
first
that
was
secretly
abused
as
a
security
feature,
so
it
was
actually
built
as
a
honeypot,
so
that
for
attackers.
So
we
have
some
signal
subsystems.
We
have
the
memory
pid
cpu
set,
freeze,
block
iu,
so
other
subsystems
are
what
you
can
control
on.
What
you
can
the
amount
you
what
you
can
control
to
assign
to
a
process?
B
B
So
the
objects
community
objects
like
replica
sets,
secrets
and
the
rest
of
them
can
be
grouped
into
a
name
space
while
in
another
namespace
like
said
approach
is
as
is
on
and
what
is
it
called
objects2?
So
these
objects
can't
really
assess.
Let
me
see
a
pod
in
the
improv
cannot
really
access
his
secrets
in
dev,
because
this,
like
is
a
form
of
isolation
between
them,
so
lim
just
take
note
c
groups.
B
B
B
The
nginx
might
be
running
with
apid
of
four
or
five
or
whatever
on
the
container,
but
outside
that
container
that
it
will
be
running
on
the
whole
system.
It
will
be
running
as
a
different
pid.
So
this
is
what
make
full
containers
into
thinking
that
they
have
their
their
own
guys
that
they
have
their
their
in
control
of
what
they
can
do.
B
I
will
like
give
an
example
of
how
we
can
use
network
namespace
namespaces,
so
also
we
can
also
look
at
the
username
species,
provides
previous
isolation
and
the
user
identification
segregation
so
like
the
ui
and
the
guid
so
like
it
gives
you
this
kind
of
security
feature.
I
think
it
was
recently
that
it
came
into
the
linux
scanner.
Okay,
yeah
recently
he
came
into
the
scanner.
I
changed
at
3.8
yeah,
so
we
also
have
the
ipc
ipc.
I
don't!
B
B
So
yeah
clone
is
one
of
the
system
calls
clone
is
actually
a
system
called
in
the
linux
kernel
that
enable
us
to
use
namespaces.
So
if
you,
you
can
actually
like
look
at
the
code
in
the
linux
and
like
try
to
have
an
understanding
of
what
clone
does
so
yeah.
This
is
how
process
is
called
clone.
If
you
can
look
for
the
ins
clone
function
there,
so
it
caused
it
by
the
stack
passes
on
flux
to
it
on
the
parent
tid.
B
B
So,
if
you
have
also
noticed,
let's
say
you
pull
a
docker
container
and
maybe
you
put
another
docker
container,
sometimes
it's
going
to
tell
you
that
this
layer
already
exists
right
so
copy
or
write,
makes
this
stuff
smart
enough
so
copy
and
write
like
those
sharing
sharing
of
this
files
and
other.
So
we
have
different
file
systems
which
copy
our
rights
uses.
B
So
we
have
capabilities
that
enable
you
to
say:
okay.
I
want
this
capability
side
time
on
this
container
yeah
and
we
also
have
excellent
so
security,
enhanced
linux,
so
security
enhancement,
knobs,
most
side
means
use
a
security
enhancement
node
so
that
you
can
set
some
kind
of
have
more
control
over
who
can
access
this
container.
So
that's
the
path
you
have
to
look
out
for
and
then
we
have
the
container
runtimes
like.
B
I
said
we're
going
to
come
into
this,
so
we
have
the
docker
engine
container,
open,
vs,
duplicated
there,
sorry
about
that.
Yeah
docker
engine
actually
uses
container
and
wrong
to
for
the
container
creation,
because
what
actually
made
docker
stand
out
was
that
they
had
they
improved
the
they
improved.
The
developer
experience
using
containers
before
containers
were
just
something
that
most
likely
you
see
with
assay
admins.
I
know
that
really
made
this
easy
with
their
whole
family
of
two.
B
So
that's
why
it's
called
an
engine
we
also
have
lxc.
Alexa
has
been
existing,
in
fact,
yeah.
There's,
no
there's!
No
there's
no
record
of
lxe
needed
no
scandal.
You
haven't
even
seen
anything
about
those
containers,
because
the
containers
you
might
see
is
like
a
very
different
thing
from
the
containers.
You
know
like
it's
a
big
differences,
so
alexi
was
one
of
the
container
technologies
that
we
are
there
and
we
also
have
open
vs
to
which
was
also
one
of
the
container
technologies
that
assisted
so
yeah.
B
B
Just
trying
to
kind
of
adjusted
so
so
yeah
we'll
try
to
look
at
the
name
species
that
exist
on
my
pc.
So
let's
do
ls
ns
like
come
up
with
this
with
the
namespaces
that
exist
in
my
system,
so
we
have
the
times
namespace.
We
have
the
c
group
namespace.
We
have
the
pid
namespace,
uts
ipc
and
the
rest
of
them.
So
yeah
for
browsers,
like
chrome
and
brief
they'll,
most
likely
have
a
lot
of
pid,
namespaces
and
yeah.
B
They
also
have
the
network
namespace
like
for
network
and
the
rest
of
them.
So
let's
try
to
list
those
to
these
audios
yeah.
So
I
don't
have
to
type
sudo
every
time
so
I'll
say:
sudo
ls,
slash
proc,
so
we're
going
to
check
a
process.
So
if
I
do
this,
yes
ox
so
we're
going
to
actually
check
which
namespace
my
first
process
belongs
to
so
the
in
its
init
commands
like
the
init
process.
So
let's
see
which
namespace
it
belongs.
B
B
B
B
B
B
B
B
B
Too
so
now,
let's
verify
the
connectivity
between
the
two
namespace
as
it's
enabled
by
the
feature:
internet
spectrum
so
from
the
namespace
one
system,
I've
linked
them.
So
if
his
name
space
one,
we
should
be
able
to
paint
the
name,
the
second
one
and
from
the
second
name
we
should
be
able
to
ping
the
first
name
space.
So
this
is
sudo
sudo,
okay
s,
I
p
net
ns
exec
name
space,
one
pink,
so
that
goes
about
five
pings
one.
Nine
two
point:
one
six,
eight
point:
two!
B
List
yeah,
I
no
longer
have
to
say
so.
This
is
something
that
most
of
this
container
around
clients
do
under
the
hood.
They
try
to
create
network
name,
species
and
the
rest
of
them
so
that
you
can
get
this
entire
operability
between
your
containers,
providing
network
access
to
your
containers
so
yeah
and
also
go
over
the
second
demo.
B
B
B
B
You
can
see
that
these
three
fives
has
been
unions
together
into
a
namespace,
so
under
the
hood,
this
is
what
container
runtimes
kind
of
try
to
implement.
I
actually
say
you
can
also
look
into
okay.
Sorry,
I
can
also
say
you
should
look
into
boca.
I
don't
know
if
I
can
type
that.
Okay,
please
look
into
rocca.
B
This
low-level
features
these
low-level
features
of
the
linux
and
I
would
like
to
create
a
container.
So
it
does
that
for
my
talk
and
if
you
have
any
question
you
can
just
leave
them
in
the
chat
yeah,
I
think
yeah
he
has
sadiq
has
done
that.
So,
if
you
have
any
questions
on
like
these,
you
can
try
to
like
reach
out
to
me
or
you
can
just
write
them
on
the
chat
and
yeah.
C
So
here
is
a
great
twitter
handle
at
zero
x.
Great.
The
guy
is
great
that
his
twitter
handle
is
in
lead
code
self,
so
you
can
reach
out
to
him
on
twitter
and
share
whatever
questions
you
have
and
you
grateful
to
answer,
but
if
you
still
have
any,
you
can
drop
them
in
chat
and
he
will
be
available
on
the
youtube
channel
to
answer
any
of
them
in
real
time.
B
Okay,
so
c
groups
namespaces
are
used.
Okay,
like
I
said
I
don't
know
if
it
came
in
late,
but
c
groups
is
what
limits
the
resources
that
containers
can
use
right.
So
it
limits
how
many
it
limits
like.
There
are
subsystems
for
c
groups.
You
have
the
pid,
the
nets,
the
rest
of
them.
So
what
c
group
does
is
like
try
to
limit
system
resources
that
these
containers
can
use
right.
So,
like
I
said,
c
groups
limits
what
you
can
use
and
namespaces
limits.
B
What
you
can
see
so
namespaces
is
what
makes
containers
not
to
be
able
to
see
each
each
other,
because
if
they
are,
let's
say
this
container
is
able
to
see
the
process
of
another
container.
That's
really
bad
because
you
can
have
things
like
racing
conditions
and
it's
also
a
security
issue,
so
name
spaces
is
what
brings
in
that
isolation.
B
Right
like
how
you
can
run
multiple
containers
on
your
system,
you
can
run
nginx,
you
can
run
busy
box.
You
can
run
a
lot
of
containers
without
having
conflicts,
but
if
namespaces
doesn't
exist,
things
like
process
ids
will
start
clashing,
and
even
though
that
is
a
bit
of
a
security
issues
that
is
really
bad,
so
namespace
is,
is
a
feature
of
the
not
scanning
that
like
try
to
convince
containers.
B
C
Yeah
it
yeah
it
shared
it.
What
we
will
do
later
is
the
recording
of
the
whole
thing
will
be
available
subsequently
and
will
also
break
each
of
the
sessions
so
that
you
can
have
access
to
individuals.
So
your
guest,
you
can
check
our
youtube
channel
by
monday
or
tuesday
next
week
and
you
will
have
his
specific
video,
so
you
can
rewatch
the
parts
where
he
did.
The
demo.