Containers for fun and no profit!

by Gargi Sharma
github.com/gs0510

Follow the slides: tiny.cc/fun-containers

About me!

  • Tarides - Software Engineer
  • Recurse Center - Spring 1, 2019
  • BangBangCon West - Co-Organiser

What even is a systems programming language?

1970s: Improving on Assembly

"A system program is an integrated set of subprograms ... exceeding some threshold of size and/or complexity."

Systems Programming Languages
(Bergeron et al. 1972)

1970s:

  • The system program is likely to be used to support other software programs.

  • It is designed for continued “production” use rather than a one-shot solution to a single applications problem.

1970s:

A language which can be used without undue concern for bit twiddling.

Credit: Systems Programming (Donovan 1972)

1990s: Rise of Scripting Languages

1990s: Rise of Scripting Languages

  • Bash and languages like Perl, Python, Ruby, JavaScript, etc. worked their way into the mainstream.
  • Systems programming languages are designed to build the more primitive computing elements.
  • Scripting languages are designed for gluing those elements together.

2010s: Boundaries Blur

2010s: Boundaries Blur

  • Dropbox was able to build surprisingly large and scalable systems on just Python.
  • JavaScript is used to render real-time, complex UIs in billions of web pages.
  • Gradual typing has gained steam in JavaScript, Python, etc., enabling a transition from “prototype” code to “production” code.

What is a systems programming language today?

Where does Rust shine?

"Systems programming is programming where you spend more time reading man pages than reading the internet."

- Kamal Marhubi

Writing our own container!

What even is a container?

Containers are processes born from tarballs anchored to namespaces controlled by cgroups.

Deconstructing the container:

  • chroot
  • namespaces
  • cgroups

chroot

    Change the root directory for the current process and its children for isolation.

HOW TO CHROOT?


          chroot("bind_new_root");
          env::set_current_dir("/").expect("chrdir failed");
        
        

namespaces

  • Namespaces determine what a process can see.
  • Namespace types: pid, net, uts, ipc, user, mnt

namespaces

  • Creating namespaces:
    • clone() syscall
  • A namespace is destroyed once the last process in it leaves.
  • Enter a namespace:
    • setns() syscall

How to create a namespace?


  nix::sched::unshare(CloneFlags::CLONE_NEWUTS | 
                      CloneFlags::CLONE_NEWPID |
                      CloneFlags::CLONE_NEWNS)
                      .expect("Unshare failed.");
        

cgroups

  • Allow processes to be organized into hierarchical groups.
    • The resources and usage of these groups can be limited.
  • Implemented through a pseudo filesystem called cgroupfs.

cgroups

  • Subgroups inherit the limits set on the parent group.
  • A process can be a part of only one cgroup.
  • A subsystem controls each resource, e.g. the memory subsystem controls the memory use.

CGROUPS


          let mut cgroups = PathBuf::from("/sys/fs/cgroup/");

          let pid_max = cgroups.join();
          fs::write(pid_max, "20".as_bytes());
        
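The three slides above take a container apart into chroot, namespaces and cgroups. What follows is an added example, not code from the talk or from the nix crate, that puts the three steps back together into a minimal container runner in plain Rust. It calls unshare(2) and chroot(2) through libc directly so that it builds with no crates beyond std. The cgroup directory layout (a group directory under cgroupfs holding pids.max and cgroup.procs), the namespace names, the limit of 20 processes and the default command /bin/sh are assumptions; running it end to end needs root on Linux.

```rust
use std::ffi::CString;
use std::fs;
use std::io;
use std::os::raw::{c_char, c_int};
use std::path::{Path, PathBuf};
use std::process::Command;

// Namespace flag bits from <linux/sched.h>; these are the values nix's CloneFlags wraps.
const CLONE_NEWNS: c_int = 0x0002_0000;   // mount
const CLONE_NEWUTS: c_int = 0x0400_0000;  // hostname / domain name
const CLONE_NEWIPC: c_int = 0x0800_0000;  // System V IPC, POSIX message queues
const CLONE_NEWUSER: c_int = 0x1000_0000; // uid/gid mappings
const CLONE_NEWPID: c_int = 0x2000_0000;  // process ids
const CLONE_NEWNET: c_int = 0x4000_0000;  // network stack

// libc entry points, declared here so the example needs no crates beyond std.
extern "C" {
    fn unshare(flags: c_int) -> c_int;
    fn chroot(path: *const c_char) -> c_int;
}

/// Translate the namespace names from the slides into a clone flag mask. An unknown
/// name is an error, so a typo cannot silently leave the process in fewer namespaces.
pub fn namespace_flags(names: &[&str]) -> Result<c_int, String> {
    let mut flags = 0;
    for name in names {
        flags |= match *name {
            "mnt" => CLONE_NEWNS,
            "uts" => CLONE_NEWUTS,
            "ipc" => CLONE_NEWIPC,
            "user" => CLONE_NEWUSER,
            "pid" => CLONE_NEWPID,
            "net" => CLONE_NEWNET,
            other => return Err(format!("unknown namespace: {}", other)),
        };
    }
    Ok(flags)
}

/// Step 1 (cgroups): cap the number of processes in a group by writing pids.max, then
/// read the limit back so the caller sees what the kernel accepted. The directory
/// layout (assumed) is a group under a cgroupfs mount with the pids controller.
pub fn write_pids_limit(cgroup_dir: &Path, max: u32) -> io::Result<String> {
    fs::create_dir_all(cgroup_dir)?;
    let limit_file = cgroup_dir.join("pids.max");
    fs::write(&limit_file, max.to_string())?;
    Ok(fs::read_to_string(&limit_file)?.trim().to_string())
}

/// Move a process into the group; children it spawns afterwards inherit the membership.
pub fn add_to_cgroup(cgroup_dir: &Path, pid: u32) -> io::Result<()> {
    fs::write(cgroup_dir.join("cgroup.procs"), pid.to_string())
}

/// Step 2 (namespaces): unshare the selected namespaces for this process. The caller
/// keeps its own pid; only the first child forked afterwards becomes pid 1 in the new one.
pub fn enter_namespaces(flags: c_int) -> io::Result<()> {
    // SAFETY: plain syscall wrapper; flags is a CLONE_* mask built by namespace_flags.
    if unsafe { unshare(flags) } == -1 {
        return Err(io::Error::last_os_error());
    }
    Ok(())
}

/// Step 3 (chroot): make `new_root` the root and chdir into it, as on the chroot slide.
/// chroot alone is not a boundary (CAP_SYS_CHROOT lets a process step back out);
/// real runtimes pair it with a mount namespace and pivot_root.
pub fn change_root(new_root: &Path) -> io::Result<()> {
    let c_path = CString::new(new_root.to_string_lossy().as_bytes())
        .map_err(|e| io::Error::new(io::ErrorKind::InvalidInput, e))?;
    // SAFETY: c_path is a valid NUL-terminated string that outlives the call.
    if unsafe { chroot(c_path.as_ptr()) } == -1 {
        return Err(io::Error::last_os_error());
    }
    std::env::set_current_dir("/")
}

/// Usage (root on Linux): ./container <rootfs-dir> <cgroup-dir> [cmd ...]
fn main() {
    let args: Vec<String> = std::env::args().collect();
    if args.len() < 3 {
        eprintln!("usage: {} <rootfs-dir> <cgroup-dir> [cmd ...]", args[0]);
        std::process::exit(2);
    }
    let rootfs = PathBuf::from(&args[1]);
    let cgroup = PathBuf::from(&args[2]);
    let cmd: Vec<&str> = if args.len() > 3 {
        args[3..].iter().map(String::as_str).collect()
    } else {
        vec!["/bin/sh"] // assumed default command inside the rootfs
    };

    write_pids_limit(&cgroup, 20).expect("writing pids.max failed");
    add_to_cgroup(&cgroup, std::process::id()).expect("joining cgroup failed");
    let flags = namespace_flags(&["uts", "pid", "mnt"]).expect("bad namespace list");
    enter_namespaces(flags).expect("unshare failed");
    change_root(&rootfs).expect("chroot failed");

    // The child is the first process in the new pid namespace, so it runs as pid 1.
    let status = Command::new(cmd[0]).args(&cmd[1..]).status().expect("exec failed");
    std::process::exit(status.code().unwrap_or(1));
}
```

The order matters: the cgroup is joined before unshare so that every process created inside the namespaces is already covered by pids.max, and chroot happens last so that the command is resolved inside the extracted tarball. A fork bomb launched from the container then fails with EAGAIN once the group holds 20 processes, which is the whole point of the cgroups slide.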

Conclusion 😊

Thank you!

Resources

  1. The Container Operator's Manual - Alice Goldfuss
  2. Rust implementation of glibc
  3. System call table for Linux x86
  4. What is systems programming really?
  5. Scripting: Higher Level Programming for the 21st Century
  6. Slide theme from @jlengstorf
  7. Containers from scratch - Liz Rice
  8. What even is a Container?