Here's a preview from my zine, How Containers Work!!


a container image is a tarball of a filesystem

(or several tarballs: 1 per layer)

pensive stick figure with short curly hair: if someone sends me a tarball of their filesystem, how do I use that though?

chroot: change a process’s root directory

If you chroot a process to /fake/root, then when it opens the file /usr/bin/redis it’ll get /fake/root/usr/bin/redis instead.

You can “run” a container just by using chroot, like this:

$ mkdir redis; cd redis
$ tar -xzf redis.tar
$ chroot $PWD /usr/bin/redis
# done! redis is running!
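The two ideas above (an image is a stack of layer tarballs, and a chroot maps every path the process opens to a path under its new root) fit together in one small unpacker. The following is an added example, not code from the zine: the helpers chroot_path, build_layer, apply_layers and demo are hypothetical names written for this illustration, and the layers it unpacks are constructed in memory. chroot_path mimics the kernel's resolution inside a chroot (a leading "/" means the container root, and ".." can never climb above it), which is exactly the check you want when someone sends you a tarball, since a tar entry named "../../escape" would otherwise land outside the directory. The whiteout handling follows the OCI ".wh." convention for deleting a file from a lower layer.

```python
from __future__ import annotations

import io
import os
import posixpath
import shutil
import tarfile
import tempfile

# Added example, not from the zine. chroot_path, build_layer, apply_layers
# and demo are hypothetical helpers written for this illustration.

WHITEOUT_PREFIX = ".wh."  # OCI layer convention: ".wh.foo" deletes "foo" from lower layers


def chroot_path(root: str, path: str) -> str:
    """Resolve `path` the way the kernel does for a process chroot'ed into `root`:
    a leading '/' means the container root, and '..' can never climb above it."""
    parts: list[str] = []
    for part in path.split("/"):
        if part in ("", "."):
            continue
        if part == "..":
            if parts:  # at the root, '..' stays at the root
                parts.pop()
            continue
        parts.append(part)
    return os.path.join(root, *parts) if parts else root


def build_layer(entries: dict[str, bytes | None]) -> bytes:
    """Constructed sample layer tarball: name -> file content, or None for a directory."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, content in entries.items():
            info = tarfile.TarInfo(name)
            if content is None:
                info.type = tarfile.DIRTYPE
                tar.addfile(info)
            else:
                info.size = len(content)
                tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


def apply_layers(layers: list[bytes], rootfs: str) -> list[str]:
    """Unpack each layer on top of the previous ones inside `rootfs` and return
    the sorted list of paths (relative to rootfs) that exist afterwards."""
    for layer in layers:
        with tarfile.open(fileobj=io.BytesIO(layer), mode="r") as tar:
            for member in tar:
                parent, base = posixpath.split(member.name)
                if base.startswith(WHITEOUT_PREFIX):
                    # whiteout entry: delete the named path left by a lower layer
                    victim = chroot_path(rootfs, posixpath.join(parent, base[len(WHITEOUT_PREFIX):]))
                    if os.path.isdir(victim) and not os.path.islink(victim):
                        shutil.rmtree(victim)
                    elif os.path.lexists(victim):
                        os.remove(victim)
                    continue
                # every entry lands under rootfs, even "../../x" or "/etc/hosts"
                dest = chroot_path(rootfs, member.name)
                if member.isdir():
                    os.makedirs(dest, exist_ok=True)
                elif member.isfile():
                    os.makedirs(os.path.dirname(dest), exist_ok=True)
                    src = tar.extractfile(member)
                    with open(dest, "wb") as out:
                        out.write(src.read())
                # symlinks, hardlinks and device nodes are skipped here; a real
                # unpacker has to validate their targets with the same care
    listing = []
    for dirpath, dirnames, filenames in os.walk(rootfs):
        for name in dirnames + filenames:
            listing.append(os.path.relpath(os.path.join(dirpath, name), rootfs))
    return sorted(listing)


def demo() -> list[str]:
    """Two constructed layers: the second removes /etc/passwd via a whiteout,
    adds /etc/hosts, and carries a path-traversal entry that gets clamped."""
    base = build_layer({
        "etc": None,
        "etc/passwd": b"root:x:0:0:root:/root:/bin/sh\n",
        "usr/bin/redis": b"#!/bin/sh\necho fake redis\n",
    })
    top = build_layer({
        "etc/.wh.passwd": b"",
        "/etc/hosts": b"127.0.0.1 localhost\n",
        "../../escape": b"this stays inside the rootfs\n",
    })
    with tempfile.TemporaryDirectory() as rootfs:
        return apply_layers([base, top], rootfs)


if __name__ == "__main__":
    for path in demo():
        print(path)
```

Running it lists escape, etc, etc/hosts, usr, usr/bin and usr/bin/redis: passwd is gone because of the whiteout, and the traversal entry ended up as a plain file at the top of the rootfs rather than two directories above it, which is the same place a chroot'ed process would have written it.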

programs can break out of a chroot

chroot:

Illustration of a box labelled “whole filesystem”. Inside it is another box labelled “redis container directory”.

All these files are still there! A root process can access them if it wants.

pivot_root

Illustration of a box labelled “redis container directory”.

You can unmount the old filesystem so it’s impossible to access it.

Containers use pivot_root instead of chroot.

to have a “container” you need more than pivot_root

pivot_root alone won’t let you:
- set CPU/memory limits
- hide other running processes
- use the same port as another process
- restrict dangerous system calls

© Julia Evans 2024 | All rights reserved (see the FAQ for notes about licensing)