Containers Demystified

techupskills.com | techskillstransformations.com
@techupskills © 2023 Brent C. Laster &
Requirements
• Modern laptop
• Docker installed and running (If Mac or Windows, Docker
Desktop recommended) - docker.com
• Docker account (free one is fine) - hub.docker.com
• Labs document in github.com/skilldocs/ctr-de
§ https://github.com/skilldocs/ctr-de/blob/main/ctr-de-labs.pdf
§ Cloned copy of github.com/skillrepos/ctr-de

3
Brent Laster
Tech Skills Transformations
Containers Demystified
A hands-on approach to understanding container
mechanics, standards, and tooling. Includes Docker,
Podman and Buildah

About me
• Founder, Tech Skills Transformations LLC
• R&D DevOps Director
• Global trainer – training (Git, Jenkins,
Gradle, CI/CD, pipelines, Kubernetes, Helm,
ArgoCD, operators)
• Author -
• OpenSource.com
• Professional Git book
• Jenkins 2 – Up and Running book
• Continuous Integration vs. Continuous
Delivery vs. Continuous Deployment
mini-book on O'Reilly Learning
• https://www.linkedin.com/in/brentlaster
• @BrentCLaster
• GitHub: brentlaster
© 2021 Brent C. Laster &

Professional
Git
Book
• Extensive Git reference,
explanations,
• and examples
• First part for non-technical
• Beginner and advanced
reference
• Hands-on labs

Jenkins 2
Book
• Jenkins 2 – Up and Running
• “It’s an ideal book for those
who are new to CI/CD, as well
as those who have been using
Jenkins for many years. This
book will help you discover
and rediscover Jenkins.” By
Kohsuke Kawaguchi, Creator
of Jenkins

Learning GitHub Actions - Early Release
• Early release - Chapters 1-6 on learning.oreilly.com

O’Reilly Training

Other References

Agenda
• What containers are and the benefits they provide
• How containers are constructed
• The differences between layers, images, and
containers
• How containers reuse code
• How we can run multiple containers together
• Debugging containers
• Filesystems and storage drivers with containers
• Podman, an alternative for Docker
• Buildah, an alternative for building images
• Container runtimes and standards

11
|
Container core conceptsthe API

12
What’s in a container?
Settings
App
Runtime
Dependencies
System Tools
System Libraries
• A container is a standard
unit ( package ) for
delivering software with a
virtual environment to run it
in.
• Functions like a fully
provisioned machine
installed with all the
software needed to run an
application.
• It’s a way of packaging
software so that
applications and their
dependencies have a
dedicated, self-contained
environment to run in, are
insulated from the host OS
and other applications - and
are easily ported to other
environments.
What are Containers?

Containers and the OS
• A container is NOT a Virtual Machine (VM). A container leverages several features of the
Linux OS to “carve out” a self-contained space to run in.
• A VM requires a program or layer to run a virtual image (Hypervisor) and a Guest OS to
create isolation
• Container "engines" like Docker use Linux container technologies to run processes in
separate spaces on the same OS and share system resources
System
CPU Memory I/O Network

Containers are created from images
• A container is a running instance of an image
• Image defines what goes into container
• A container image is a read-only "immutable"
template used to create a container (snapshot of
software, configuration, etc.).
• Images are stored in a “registry” – like repository for
images
Registry
Image A
Image B
Host System
OS
D
o
c
k
e
r
Container 1
Image A
Image A
docker
pull
docker run

15
|
Benefits of containersDefining the API

Easy to startup
• Get image
• Run image as a container
Registry
Image A
Image B
Image C
Image D
Host System
OS
D
o
c
k
e
r
Container 1
Image A
Image A
pull
run

Quick, easy rollbacks
• Get image
• Run image as a container
Registry
ImageA:1.1.0
ImageA:1.0.1
ImageA:1.0.0
Host System
OS
D
o
c
k
e
r
Container 1
ImageA:1.1.0
ImageA:1.1.0
pull
run
ImageA:1.0.1
ImageA:1.0.1
ImageA:1.0.1

Portability
• Run nearly anywhere without rebuilding
• Works same way since container is the environment
VM
OS
D
o
c
k
e
r
Container 1
Image A
bare metal
OS
D
o
c
k
e
r
Container 1
Image A
cloud
OS
D
o
c
k
e
r
Container 1
Image A

Supports Distributed/Decoupled Architecture
• Loosely coupled services
• Removes need for monolithic stacks
VM
OS
WebApp
Webapp Image
Docker
Database
DB Image
Authentication
Auth Image
API Gateway
API Gateway
Image
Migration/backup
Utilities
Worker 1
Worker Image
Worker 2
Worker Image

Agility
• Define containers well-suited for a specific task
• Spin up/down containers quickly/easily to address needs
• such as devops workflow
cloud
OS
Docker
Build Container
Source
Repo
Test Container Packaging Container
Deliverables
Test Container
Registry
Gradle 6.0
Image
pull
Build Container Packaging Container
JUnit
Framework
Image
Packaging
Tools
Image
Gradle 5.0
Image
Gradle 6.0
Image
Gradle 5.0
Image
JUnit
Framework
Image
Packaging
Tools
Image

21
|
How do layers, images, and containers all work together?API

Creating and tracking layers to images
3f00bed1e02a | COPY dir:6a0…
ba16edb35eb9 | mysql:5.5.45
24f4da862742 | ENTRYPOINT
["/ent……
19e729dca1ee | CMD ["mysqld"]
* ”<missing>” in history means layers are built
on a different system and not available locally

working area
mysql:5.5.45
Layers and disk storage
Image Registry
Image Image
Image
Image
Image
Image
/var/lib/docker/overlay2
Image
mysql
---------
--------
=-------
-
---------
--------
=-------
-

Layers to images
Image Registry
Image Image
Image
Image
Image
Image
/var/lib/docker
mysql
image 1
mysql
storage
driver

Layer reuse #1
Image Registry
Image Image
Image
Image
Image
Image
/var/lib/docker
image 1
mariadb:10.3.38
Image
Ø docker pull mariadb:10.3.38 Image
storage
driver

Layer reuse #2
Image Registry
Image Image
Image
Image
Image
Image
/var/lib/docker
image 1
mariadb:10.7.8
Ø docker pull mariadb:10.3.38
Ø docker pull mariadb:10.7.8
Image
✔
✔
image 2
% docker pull mariadb:10.3.38
10.3.38: Pulling from
library/mariadb
5544ebdc0c7b: Pull complete
80aac40e3088: Pull complete
3eb6f67eee98: Pull complete
26d191ae4e3f: Pull complete
ca1574ef01bf: Pull complete
75f51f5c8a08: Pull complete
a94d9a441a5f: Pull complete
daa345a92bdd: Pull complete
477a9be3f1c4: Pull complete
% docker pull mariadb:10.7.8
10.7.8: Pulling from
library/mariadb
5544ebdc0c7b: Already exists
80aac40e3088: Already exists
3eb6f67eee98: Already exists
26d191ae4e3f: Already exists
757a9844584b: Pull complete
da12c872d1d7: Pull complete
e013d611f75a: Pull complete
a5c3429c1f27: Pull complete
storage
driver

Images to containers
Image Registry
Image Image
Image
Image
Image
Image
/var/lib/docker
image 1
storage
driver
container 1
Ø docker run image1 ...
Image
container 2
container 3
container 4
container 5
image 2
immutable
immutable

How do layers & images intersect with the operating
system?
• Layers can be viewed as single union of all filesystems -
Linux’s Union File System allows you to stack different
file systems and look through
• R/O files can be modified via Copy on Write (cow) –
pulling them up to R/W layer when needed
• Other Linux facilities like cgroups and namespaces help
us keep our containers separate
ccae61fe0274
read-only
}read
write
UNION FILE
SYSTEM
SERVICE
UNION
FILE
SYSTEM
• Layers are basically like files to the O/S
• Image layers are R/O (aka – “immutable”)
• We create a container from an image via the run command. Adds
another layer – a R/W one – changes can be made here (“mutable”)

29
|
Dockerthe API

What is Docker?
• Docker is not containers- it is a container engine
• engine = application to allow code created in one
computing environment to work in others
• A popular application for developers to use to work with
and do the following with containers
• work with them in a standardized way
• lifecycle management (create, delete, etc.)
• packaging and distribution via images
• Virtualizes the operating system of the computer that it's
installed and running on
• Leverages lower-level pieces that ultimately leverage3
functionalities from Linux to provide isolated
environment in the OS
• union filesystem - data
• namespaces - visibility (pid)
• cgroups - control groups (resources)
Docker CLI
containerd
Open Container Initiative (OCI) spec
runC
container container container
dockerd
(daemon)
socket

What is a Dockerfile?
• Way to create a Docker
image ( a plan)
• A text file that contains
(in order) all of the
instructions to build an
image
• Has a specific format and
structure
• Each instruction in a
Dockerfile can create a
read-only layer

Dockerfile Syntax
Statement Meaning
FROM Defines starting image
MAINTAINER Documents author/contact
RUN Runs a command in shell, wait for it to finish, save result
ADD Add new files, directories, or remote file URLs to image's
filesystem
ENV Sets environment variables during build and also in running
container
ENTRYPOINT Specifies starting application to run when container starts
CMD Specifies command to run or default argument passed into
ENTRYPOINT
EXPOSE Maps a port into a container
VOLUME Defines shared volumes or ephemeral volumes
WORKDIR Sets the directory that the container starts in
USER Sets the user that container will run as

Dockerfile to Image to Container
Build Run

Docker Commands - Part 1
Command Purpose
build create an image from a dockerfile
images list images
run create container and start it
history show the history of an image
tag add a "human-friendly" identifier that
points to an image

About Docker Tags
• Docker tags are user-friendly aliases for the “hex” ids of generated images
• Way of referring to an image
• Like how Git tags refer to particular commits
• Two general ways to create a tag
• Via docker build
• docker build –t IMAGE_NAME[:TAG] .
docker build -t roar-db:v1 .
• Via tag command
• docker tag IMAGE_ID IMAGE_NAME[:TAG]
docker tag 19e729dca1ee roardb:v1.1
• docker tag SOURCE_IMAGE[:TAG] TARGET_IMAGE[:TAG]
docker tag roar-db:v1.1 roar-db:prod
• Tagging for private registries
• Private repositories run on a REGISTRYHOST
• Example: localhost:5000
• Need to tag image with REGISTRYHOST info
• docker tag [OPTIONS] IMAGE[:TAG] [REGISTRYHOST/][USERNAME/]NAME[:TAG]
docker tag roar-db:v1.1 localhost:5000/roar-db:v1.1
• Using “:latest” tag
• “latest” does NOT mean most recent – it means “default”
• “latest” = default tag if tag not explicitly specified
• Avoid it and use meaningful tags instead

How do we think about this?
• Consider analogy of installing software on a
machine…
• And then provisioning systems for users
User R/W
User R/W

37
|
Lab 1 – Creating Images
Purpose: In this lab, we’ll see how to do basic container operations like building images.

Our Example App
• Simple app with two pieces
• Webapp on the front
• Mysql database on the
backend
• Written in Java
• Simple REST API
• War file is produced for
webapp
• Managed in Tomcat
• R.O.A.R. (Registry of Animal Responders)

Docker on Windows and Mac
• On a development system, user runs Docker host
• host = where docker images are deployed
• On Linux or Mac, host is Linux-based
• only allows creating images for Linux containers
• Mac uses Hyperkit and virtual image
• Docker Desktop
• available for Windows and Mac
• hosts containers in dev env
• provides additional tools
• Windows containers - 2 types of runtimes
• Windows Server Containers - use process and namespace isolation
• shared kernel - less isolation
• Hyper-V Containers- runs each container in optimized VM
• optional - each container gets its own Windows kernel - more isolation

Docker Desktop - Containers

How do we work with multiple containers?
• Docker compose function allows us to start containers
together
• Uses service specifications in docker-compose.yml file
• Simplifies running multiple containers that need to be “linked”
together
• Composing containers together is essentially a 3-step process
• Create needed Dockerfiles for each part of app
• Define services and related data that make up the app in
a docker-compose.yml file
• Run docker compose up and it starts and runs your app
• Docker run
• Could also use docker run command in extended form
with –link option
• Docker stack
• Command in Docker CLI - lets you mange cluster of
containers via Swarm (competitor to Kubernetes)
• Can also leverage docker-compose.yml file
• Kubernetes or Kubernetes Environments

Overall Docker Flows
• Docker images are stored in a registry
• A Dockerfile describes how to create a new image
• docker build creates the new image
• docker run starts up a container with an image
• A docker compose file describes how to create containers and link multiple ones together
• docker-compose executes a compose file and runs the unit
Registry
Image 1
Image 2
Image 3
Image 4
Host System
OS
D
o
c
k
e
r
Container 1
Container 2
Dockerfile
FROM …..
COPY….
RUN…
Image A
Image A
Image B
Compose.yml
IMAGE A…..
IMAGE B….
LINK…
-{

Docker Commands - Part 2
Command Purpose
compose run multiple containers together
top display top running processes in a
container
stats return live data from running containers
pause suspend all processes in a container
unpause resume all processes in a container

44
|
Lab 2 – Making images work together
Purpose: In this lab, we’ll see how to make multiple containers execute together with docker
compose and use the docker inspect command to get information to see our running app .

Debugging Docker containers
• Identify container that is problem
• Gather information about state - docker inspect
• Gather information about what’s happened - docker
logs
• Verify assumptions, such as what ports are exposed –
docker port
• See what’s gone into image - docker history
• Actually connect into container’s filesystem -- docker
exec
• How to tell what’s going on – one approach

Docker Inspect
• https://docs.docker.com/engine/reference/commandline

Docker Logs

Docker Port

Docker History

Docker Exec

What is a registry?
• Place to store images
• Push or pull from
• Can be public or private
• Can be secure or insecure
• access via docker login
• Public Docker registry is
default (hub.docker.com)
• Private registries
- Hosted at some path:port
- Require images to be
tagged with host info
(path:port) in their name
to let Docker understand
which registry to work
with
- Example: if registry is at
localhost:5000 then image
should be
localhost:5000/myimage
and not just myimage

quay.io

Docker Stop

Docker rm

Docker rmi

56
|
Lab 3 – Debugging Docker Containers
Purpose: Understanding commands and steps that we can use to learn more about what's going
on in our containers if there are problems.

57
|
Diving Deeper into Layers- Defining the API

Containers can reuse layers
• Docker commands can reuse layers if they already exist in
the docker file structure
$ docker pull alpine
Using default tag: latest
latest: Pulling from library/alpine
89d9c30c1d48: Pull complete
Digest: sha256:c19173c5ada610a5989151111163d28a67368362762534d8a8121ce95cf2bd5a
Status: Downloaded newer image for alpine:latest
$ docker pull alpine/helm
Using default tag: latest
latest: Pulling from alpine/helm
89d9c30c1d48: Already exists
c14a8f06d505: Pull complete
7de226a1041c: Pull complete
Digest: sha256:ae3be4cdbaf5c6ca5f88c4a28c888fe99dcb1416de41483a2554e9bccec08503
Status: Downloaded newer image for alpine/helm:latest

Mapping layers to the file system (before 1.10)
(credit: winsock.io/explaining docker-image-ids/)
• Layer – alternative definition
• A layer is a delta or “diff” that results when commands are run during the
image build process that produce new or changed files/directories
• The new or changed files and directories are stored or ‘committed’ as a
new layer
• Prior to Docker 1.10, images and layers were synonymous
ID: fdf9d70e7ba7
Parent: dc89c90bfea
Name: alpine/helm:latest
ID: dc89c90bfea
Parent: ead53b4e9ff
Name: “ ”
ID: ead53b4e9ff
Parent: “ “
Name: “ ”
/var/lib/docker/aufs/diff
fdf9d70e7ba7 …
dc89c90bfea …
ead53b4e9ff …
Image
Layers
$ docker inspect alpine/helm:latest
[
{
“Id”: “fdf9d70e7ba72e3a74b
“Parent”: “dc89c90bfea235
…
…
}
]
Inspect

Mapping layers to the file system (1.10+)
• Layers equal to image had challenges
• Security – how to tell if image tampered with during
push/pull, etc.
• New approach – “Content Addressable IDs”
• Layers have no affiliation or notion of any image
• Just collections of directories and files
• Layers identified by digest of the form “algorithm:hex-
value”
• Algorithm is method for computing hex value from
layer’s contents (hashing method)
• Hex-value is string computed from applying algorithm
to layer’s contents (hash)
• Example:
sha256:77cae8ab23bf486355d1b31912597053…
• Docker image has
• Configuration object – includes ordered list of layer
digests (used to assemble filesystem in container
instead of series of parent images)
• Image ID is digest – computed hash of configuration
object
(ref: https://cloud.google.com/architecture/using-
container-images)
$ docker inspect alpine/helm:latest
[
{
"Id": "sha256:fdf9d70e7ba76a6af25843 …
"Layers": [
"sha256:77cae8ab23bf486355d1b3
"sha256:fad447c6845e910b04e9391
"sha256:fcaa7782b133863c3ed0f68
]
…
}
]
Inspect

Storage Drivers (aka Graphdrivers)
• A local instance of a Docker engine has cache of image layers
(pieces put together to form an image)
• Layers come from docker pull, docker build, etc.
• Driver is required to manage the layers at runtime
• Specifically, to mount the layers into a consolidated root
filesystem – creates the mount namespace of the container
• Creates a kind of “image graph” that is the relationship
between the various layers

Storage Driver Examples
Storage Driver Underlying Technology Notes
aufs AUFS (another/advanced union filesystem) – union
filesystem
Oldest and most mature
fast to startup and efficient with resources; available in
certain Debian distros
Rejected for merging into mainline Linux
Previous default before overlay
btrfs Btrfs (b-tree filesystem) - snapshots Performance impacts and higher memory usage
Easier management tooling/more dense storage
Questionable support often characterized as buggy
devicemapper Device Mapper Operates on block device where Docker is
Creates sparse files
Needs to be combined with other tooling for production
use
Former default for Centos / RHEL – before overlay2
overlay OverlayFS (overlay filesystem) – union filesystem Faster and simpler than aufs
Can only run on top of ext4/xfs filesystems
Can cause heavy inode* usage due to file copies
overlay2 OverlayFS (overlay filesystem) - union filesystem Same as overlay generally
Improvements to reduce inode usage
vfs VFS – (not a filesystem) Simple approach - makes copies of layers; no union fs
and no CoW
Lower performance and more space on disk
Robust, stable –useful for docker dev/testing
zfs ZFS (filesystem) - snapshots Generally same as btrfs
* inode – contains metadata for each file on filesystem; max count is hardcoded

Overlay File Systems
• Useful when you need to provide
• multiple views of the same data
• with potentially some variations
on them
• avoid saving redundant data
• store the common data only once
• store the differences for each
view.
• Use concept of "upper" and "lower" directories
• base layer is called 'lowerdir' (where original files exist)
• any changes are written into the 'upperdir'
• new version of existing file
• "whiteout file" if file deleted
• new files created
• 'merged' is view of all merged layers
• 'workdir' used as internal temporary storage
“lowerdir”
“upperdir”
“merged”
file a file b
file a file b
file c
file d
file c file d
file b
OverlayFS Concepts

Overlay File Systems
• Useful when you need to provide
• multiple views of the same data
• with potentially some variations
on them
• avoid saving redundant data
• store the common data only once
• store the differences for each
view.
• Use concept of "upper" and "lower" directories
• base layer is called 'lowerdir' (where original files exist)
• any changes are written into the 'upperdir'
• new version of existing file
• "whiteout file" if file deleted
• new files created
• 'merged' is view of all merged layers
• 'workdir' used as internal temporary storage
“lowerdir”
“upperdir”
“merged”
file a file b
file a file b
file c
file d
file c file d
file b
OverlayFS Concepts
Standard file system functionality if overlayFS driver installed
$ sudo mount -t overlay -o
lowerdir=base,upperdir=diff,workdir=workdir overlay overlay
$ mount | grep overlay
overlay on /home/diyuser3/overlay type overlay
(rw,relatime,lowerdir=base,upperdir=diff,workdir=workdir)

Overlay File System and Docker
docker run -ti ubuntu:18.04 bash
Unable to find image 'ubuntu:18.04' locally
18.04: Pulling from library/ubuntu
09db6f815738: Pull complete
Digest: sha256:478caf1bec1afd54a58435ec681c8755883b7eb843a8630091890130b15a79af
Status: Downloaded newer image for ubuntu:18.04
root@a76ef339bed9:/# rm /etc/environment
root@a76ef339bed9:/# echo "new" > /root/newfile.txt
root@a76ef339bed9:/#
exit
diyuser3@training1:~/overlay$ docker ps -a | grep ubuntu
a76ef339bed9 ubuntu:18.04 "bash" 4 minutes ago Exited (0) 8 seconds ago dazzling_gauss
docker inspect a76e | jq '.[0].GraphDriver.Data'
{
"LowerDir": "/var/lib/docker/overlay2/b13fa84ab33b80e5bd03a1e4c1c97d39fe249f37675790e5fcc7de22f1db75b0-
init/diff:/var/lib/docker/overlay2/cac32cc826a3fc30c80b5663327898f8c02f39faae9dbf33b065f6c71200bedd/diff",
"MergedDir": "/var/lib/docker/overlay2/b13fa84ab33b80e5bd03a1e4c1c97d39fe249f37675790e5fcc7de22f1db75b0/merged",
"UpperDir": "/var/lib/docker/overlay2/b13fa84ab33b80e5bd03a1e4c1c97d39fe249f37675790e5fcc7de22f1db75b0/diff",
"WorkDir": "/var/lib/docker/overlay2/b13fa84ab33b80e5bd03a1e4c1c97d39fe249f37675790e5fcc7de22f1db75b0/work"
}
sudo tree "/var/lib/docker/overlay2/b13fa84ab33b80e5bd03a1e4c1c97d39fe249f37675790e5fcc7de22f1db75b0/diff"
/var/lib/docker/overlay2/b13fa84ab33b80e5bd03a1e4c1c97d39fe249f37675790e5fcc7de22f1db75b0/diff
├── etc
│ └── environment
└── root
└── newfile.txt
Chain of
layers that
make up
base
Ubuntu
image

Overlay2 Model
• Natively supports multiple OverlayFS layers (up to around
128)
Docker Concepts OverlayFS Concepts
Container
Layer
Image Layer 2
Image Layer 1 Lower Dir 1
Upper Dir
Merged View
file a file b
file a
file b
file c
file d
file c file d
file b
Docker Concepts
Image Base Layer Lower Dir 2
OverlayFS Concepts
file c .wh

Getting Info about Docker Storage
• docker info provides basic information about configuration
• Output shows storage driver and docker root directory
diyuser3@training1:~$ docker info
Containers: 111
Running: 98
Paused: 0
Stopped: 13
Images: 32
Server Version: 18.09.7
Storage Driver: overlay2
Backing Filesystem: extfs
Supports d_type: true
Native Overlay Diff: true
…
Operating System: Ubuntu 18.04.2 LTS
OSType: linux
Architecture: x86_64
CPUs: 4
Total Memory: 9.529GiB
Name: training1
ID:
SLSD:QYJ3:YRX4:36UG:FUY3:F7CP:5K55:G34L:SBNC:FBR2:7CDB:FVI4
Docker Root Dir: /var/lib/docker

Root Folder
• Contains data on containers, builds, networks,
volumes, etc.
$ sudo ls -la /var/lib/docker
total 136
drwx--x--x 15 root root 4096 Oct 12 22:45 .
drwxr-xr-x 72 root root 4096 Jul 5 21:13 ..
drwx------ 2 root root 4096 Jun 3 2019 builder
drwx------ 4 root root 4096 Jun 3 2019 buildkit
drwx------ 202 root root 28672 Oct 12 22:46 containers
drwx------ 3 root root 4096 Jun 28 2019 image
drwxr-x--- 3 root root 4096 Jun 3 2019 network
drwx------ 353 root root 49152 Oct 12 22:46 overlay2
drwx------ 4 root root 4096 Jun 3 2019 plugins
drwxr-xr-x 3 root root 4096 Jul 11 2019 registry
drwx------ 2 root root 4096 Oct 12 22:45 runtimes
drwx------ 2 root root 4096 Jun 3 2019 swarm
drwx------ 2 root root 4096 Oct 12 22:45 tmp
drwx------ 2 root root 4096 Jun 3 2019 trust
drwx------ 6 root root 4096 Oct 12 22:45 volumes

Docker security
• Running containers (and apps) with Docker implies
running the Docker daemon
• daemon
• is responsible for state of containers and images
• facilitates interactions with external processes
• requires root privileges
• always runs as root user
• creates unix socket accessible by members of
docker group
• can be run as local or remote
• CLI maps commands to API calls for daemon
• Running local daemon risks that any process that
breaks out of the container would have same rights
as host OS
• rootless mode available (as of ver 19.03)
• has limitations and extra setup
ref: https://docs.docker.com/engine/security/rootless/
From: https://docs.docker.com/get-started/overview/

71
|
Lab 4 – Mapping Docker images and containers within the
filesystem
Purpose: In this lab, we'll explore how layers, images and containers are actually mapped and
stored in the filesystem.

Open Container Initiative (OCI)

Podman (POD MANager)
• Red Hat product designed to build/manage/run containers
with a K8s-like approach
§ Default container tool in RHEL 8 and Centos 8
• Specializes in managing entire container lifecycle
• Supports OCI standard (and others)
• Many commands similar to Docker, but not all
• Can alias the Docker CLI
• No root access required - runs containers under user
starting container not daemon
• Allows users to create "pods" to group containers together
• Based on libpod - library that provides APIs for managing
containers, pods, container images, and volumes

Podman vs Docker
Podman Docker
daemon-less architecture uses a daemon (containerd)
can run root-less containers w/o
additional configuration
can run containers with root or non-
privileged users
runs with root privileges (less secure)
requires additional configurations to run
rootless
interacts with Linux kernel directly
through runc
daemon owns all child processes of
running containers
respects user namespaces (users can all
run without concern of conflict - have
their own containers and image stores)
doesn't respect user namespaces -
generalized
can deploy pods with multiple containers
pod manifest can be used in Kubernetes
can deploy a Kubernetes pod manifest as
a Podman pod
no concept of a pod

Podman commands
attach auto-update build commit
container cp create diff
events exec export generate
healthcheck history image images
import info init inspect
kill kube load login
logout logs machine manifest
mount network pause pod
port ps pull push
rename restart rm rmi
run save search secret
start stats stop system
tag top unmount unpause
unshare untag version volume
wait

Podman machine
• Podman on MacOS and Windows can be run via a virtual machine
§ due to containers used with Podman being based on Linux kernel
functionality
§ "machine" provides set of subcommands to manage Podman's virtual
machine
Command Description
info Display machine host info
init Initialize a new virtual machine
inspect Inspect one or more virtual machines
list List virtual machines
rm Remove a virtual machine
set Sets a virtual machine setting
ssh SSH into a virtual machine
start Start a virtual machine
stop Stop a virtual machine

Podman kube
• Podman includes functionality for working with
pods
• Functionality extends to interfacing with
Kubernetes
• generate kube - creates a YAML description of a
Podman pod
• play kube - allows running Podman pods based
on a Kubernetes YAML file
• like docker-compose

Podman Desktop
• Graphical interface
to work with
containers (Docker,
Podman) and
Kubernetes
• Works for
containers, images,
pods, and volumes
• Can connect and
deploy to
Kubernetes
environments
• Build, run, manage
and debug pods and
containers
• Available from
https://github.com/c
ontainers/podman-
desktop

79
|
Lab 5 – Working with Podman
Purpose: In this lab, we'll get a chance to work with Podman, an alternative to Docker that also
includes the abilities to group and work with containers in "pods".

Buildah
• Command line tool for
• Creating container
• from an image
• from scratch
• Creating image
• from Dockerfile
• from command line
• from scripts
• Mount/unmount container's root filesystem
• Use contents of a container's root filesystem as a a
filesystem layer for new image
• Delete container or image
• Rename local container

Buildah commands vs Dockerfile
• Buildah's commands
replicate commands that
can be in a Dockerfile
• Allows for building images
w/wo Dockerfiles
• Can script the building
process
• Does not run as daemon
(fork-exec) and doesn't
need any root privileges

Buildah bud (build using dockerfile - aka "docker build")

Buildah Command Inventory
Command What it does
add Add the contents of a file, URL, or a
directory to the container.
build Build an image using instructions from
Containerfiles or Dockerfiles.
commit Create an image from a working container
config Update image configuration settings.
containers List working containers and base images.
copy Copies the contents of a file, URL, or
directory into a container's working dir.
from Creates a new working container, either
from scratch or using a specified image as a
starting point.
images List images in local storage.
info Display Buildah system information.
inspect Inspects config of container or image.
Command What it does
mount Mount the working container's root
filesystem.
pull Pull an image.
push Push an image from local storage.
rm Removes one or more working
containers.
rmi Removes one or more images.
run Run a command inside of the container.
tag Add an additional name to a local image.
umount Unmount a working container's root file
system.
unshare Launch a command in a user
namespace with modified ID mappings.
version Display the Buildah Version Information

Podman vs Buildah
• Complementary projects
• Both are CLI tools that work with OCI images and
containers
• Podman focuses on commands and functions for
maintaining and modifying OCI images (life-cycle)
• Buildah is targeted for building OCI images
• Podman produces long-lived containers
• Buildah primarily creates intermediate containers
• Podman's "run" command is like Docker's
• Buildah's "run" command is like RUN in a Dockerfile

85
|
Lab 6 – Working with Buildah
Purpose: In this lab, we'll work with the container build and management tool Buildah.

Kaniko
• Open-source tool used to build images w/o root
access
• Images built inside container or Kubernetes cluster
• Executes all commands in userspace
• Supported by Google

Mixing and Matching Tools
• Can tools coexist? Yes
• Devs can use Docker in dev stage and move to
Podman in runtime environments for security,
performance, etc. (as long as all use OCI
compatibility)
• Podman supports docker-compose, but not Swarm

96
That’s all - thanks!
techskillstransformations.com
getskillsnow.com

Containers Demystified

Empfohlen

Empfohlen

Weitere ähnliche Inhalte

Ähnlich wie Containers Demystified

Ähnlich wie Containers Demystified (20)

Mehr von All Things Open

Mehr von All Things Open (20)

Kürzlich hochgeladen

Kürzlich hochgeladen (20)

Containers Demystified