• Stars
    star
    721
  • Rank 62,814 (Top 2 %)
  • Language
    Python
  • License
    MIT License
  • Created over 5 years ago
  • Updated almost 2 years ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

A series of blog posts and talks about the world of containers ๐Ÿ“ฆ

Demystifying Containers

logo

This series of blog posts and corresponding talks aims to provide you with a pragmatic view on containers from a historic perspective. Together we will discover modern cloud architectures layer by layer, which means we will start at the Linux Kernel level and end up at writing our own secure cloud native applications.

Simple examples paired with the historic background will guide you from the beginning with a minimal Linux environment up to crafting secure containers, which fit perfectly into todaysโ€™ and futuresโ€™ orchestration world. In the end it should be much easier to understand how features within the Linux kernel, container tools, runtimes, software defined networks and orchestration software like Kubernetes are designed and how they work under the hood.

Table of Contents

Part I: Kernel Space

This first blog post (and talk) is scoped to Linux kernel related topics, which will provide you with the necessary foundation to build up a deep understanding about containers. We will gain an insight about the history of UNIX, Linux and talk about solutions like chroot, namespaces and cgroups combined with hacking our own examples. Besides this we will peel some containers to get a feeling about future topics we will talk about.

You can find the blog post:

The corresponding talk:

The slides of the talk:

Part II: Container Runtimes

This second blog post (and talk) is primary scoped to container runtimes, where we will start with their historic origins before digging deeper into two dedicated projects: runc and CRI-O. We will initially build up a great foundation about how container runtimes work under the hood by starting with the lower level runtime runc. Afterwards, we will utilize the more advanced runtime CRI-O to run Kubernetes native workloads, but without even running Kubernetes at all.

You can find the blog post:

The corresponding talk:

The slides of the talk:

Part III: Container Images

This third blog post (and talk) will be all about container images. As usual, we start with the historic background and the evolution of different container image formats. Afterwards, we will check out what is inside of the latest Open Container Initiative (OCI) image specification by crafting, modifying and pulling apart our self-built container image examples. Besides that, we will learn some important best practices in modern container image creation by utilizing tools like buildah, podman and skopeo.

You can find the blog post:

The corresponding talk:

The slides of the talk:

Part IV: Container Security

Security-related topics can be overwhelming, especially when weโ€™re talking about the fast-pacing container ecosystem. After encountering multiple security vulnerabilities in 2019, the press is now questioning if containers are secure enough for our applications and if switching from Virtual Machines (VMs) to container-based workloads is really a good idea. Technologies like micro VMs target to add an additional layer of security to sensitive applications.

But is security really a problem when speaking about running applications inside? It indeed is, if we do not fully understand the implications of the security-related possibilities we can apply or if we donโ€™t use them at all.

In this blog post, we will discover the bright world of container security in a pragmatic way. We will learn about relatively low level security mechanisms like Linux capabilities or seccomp, but also about fully featured security enhancements like SELinux and AppArmor. Weโ€™ll have the chance to build up a common ground of understanding around container security. Besides that, we will take a look into securing container workloads at a higher level inside Kubernetes clusters by using Pod Security Policies and by securing the container images itself. To achieve all of this, we will verify the results of our experiments by utilizing end-user applications like Kubernetes and Podman.

You can find the blog post:


Part X

Further parts of the series are not available yet.

Contributing

You want to contribute to this project? Wow, thanks! So please just fork it and send me a pull request.

More Repositories

1

webapp.rs

A web application completely written in Rust. ๐ŸŒ
Rust
2,160
star
2

kubernix

Single dependency Kubernetes clusters for local testing, experimenting and development
Rust
710
star
3

git-journal

The Git Commit Message and Changelog Generation Framework ๐Ÿ“–
Rust
564
star
4

indextree

Arena based tree ๐ŸŒฒ structure by using indices instead of reference counted pointers
Rust
533
star
5

demo

A framework for performing live pre-recorded command line demos in the wild ๐Ÿ“ผ
Go
272
star
6

nn

A tiny neural network ๐Ÿง 
Haskell
121
star
7

rain

Visualize vertical data inside your terminal ๐Ÿ’ฆ
Rust
88
star
8

ccli

Command line parsing in go, with coloring support ๐ŸŒˆ
Go
83
star
9

func

Functional additions to C
C++
55
star
10

dotfiles

My hand crafted .dotfiles ๐Ÿคš๐Ÿ› โค๏ธ
Shell
48
star
11

performabot

Continuous performance analysis reports for software projects ๐Ÿค–
Haskell
41
star
12

kmod

A Linux kernel module written in Rust
Rust
34
star
13

craft

Cargo inspired build system for C based projects
Rust
32
star
14

kubeflow-data-science-on-steroids

The blog post about Kubeflow, including all materials
Jupyter Notebook
30
star
15

go-modiff

Command line tool for diffing go module dependency changes between versions ๐Ÿ“”
Go
29
star
16

yew-router

Router extension to yew
Rust
27
star
17

peel-ip

Packet parsing for the Internet Protocol Suite ๐Ÿ“ฆ
Rust
26
star
18

microservice-rs

Microservice template using Rust and Cap'n Proto RPCs.
Rust
26
star
19

peel

Dynamic packet parsing within trees ๐ŸŒฒ๐ŸŒณ๐ŸŒด
Rust
22
star
20

fosdem20

Demo material used for the Podman talk at FOSDEM 2020
Go
22
star
21

stm32h7-rs

Rust on STM32H7 Microcontrollers
Rust
14
star
22

syscall-recorder

ebpf syscall recording demo project
C
9
star
23

unibar

A GPU accelerated status bar written in Rust ๐Ÿฆ„
Rust
8
star
24

seer

A collaborative resource planning tool ๐Ÿ”ฎ
Haskell
5
star
25

fastcmp

A fast byte slice comparison library
Rust
5
star
26

path

IP based connection identification and tracing ๐Ÿ‘Ÿ
Rust
5
star
27

webapp.hs

Haskell
4
star
28

umask-observe

umask observability based on bpftrace for OpenShift nodes
Shell
3
star
29

mowl

My own little logger โœ๏ธ
Rust
3
star
30

crio-demos

CRI-O Demonstration Material
Go
3
star
31

failure

Pure and type driven error handling for Haskell
Haskell
2
star
32

build-rust

The Docker based Rust build toolchain
Dockerfile
2
star
33

pidwatch-rs

C
2
star
34

rapidc

Rust
2
star
35

kubeflow-notebook-gpu

Kubeflow GPU Notebook Container Image
Dockerfile
2
star
36

pinns.rs

A simple utility to pin Linux namespaces
Rust
2
star
37

backingFsBlockDev

Go
1
star
38

peeler

Peel your network traffic
Rust
1
star
39

tunneldevice

Playing around with tunnel devices in Rust
Rust
1
star
40

build-haskell

The Docker based Haskell build toolchain
Dockerfile
1
star
41

go-docgen

A markdown and man page documentation generator for go applications
Go
1
star
42

netfilter_kmod

Playing around with the netfilter within the kernel
C
1
star
43

ci

Haskell
1
star
44

netlink_kmod

Playing around with routing netlinks inside the kernel
C
1
star
45

seccomp-oci-artifact-demo

Go
1
star
46

byopki

Bring Your Own Public Key Infrastructure for container signing and verification demo
Shell
1
star