UnionFS on H&W https://yy-tech.online/tags/unionfs/ Recent content in UnionFS on H&W Hugo en Thu, 28 May 2026 00:53:02 +0800 [Docker] Container Internals https://yy-tech.online/post/docker-container-study/ Mon, 02 Sep 2019 23:03:48 +0800 https://yy-tech.online/post/docker-container-study/ <h2 id="slides">Slides</h2> <ul> <li><a href="https://yy-tech.online/images/tom.key"><strong>Team sharing deck</strong></a></li> </ul> <h2 id="container-building-blocks">Container building blocks</h2> <ul> <li><code>namespace</code></li> <li>Linux <strong>control groups</strong> (cgroups)</li> <li><strong>UnionFS</strong></li> <li><strong>veth</strong></li> </ul> <h3 id="what-a-container-should-provide">What a container should provide</h3> <ul> <li><strong>Filesystem isolation</strong> — e.g. <code>chroot</code> to change the root mount</li> <li><strong>Network isolation</strong> — for distributed apps: own IP, ports, routes; <strong>veth</strong> pairs so each container has its own netdev, IP, routing table, <code>/proc/net</code>, ports. Multiple containers on one host can each bind port 80 inside their own network namespace</li> <li><strong>Hostname</strong> — UTS namespace for identity on the network</li> <li><strong>IPC</strong> — separate System V IPC and POSIX message queues; only processes in the same IPC namespace can talk to each other</li> <li><strong>User IDs</strong> — in a user namespace, UID/GID can differ from the host; an unprivileged host user can be “root” inside the container</li> </ul> <h3 id="main-pieces">Main pieces</h3> <table> <thead> <tr> <th>Piece</th> <th>Details</th> </tr> </thead> <tbody> <tr> <td><strong>namespace</strong></td> <td>UTS, IPC, PID, NETWORK, MOUNT, USER</td> </tr> <tr> <td><strong>cgroup</strong></td> <td>CPU, memory, blkio, devices, …</td> </tr> <tr> <td><strong>UnionFS</strong></td> <td>aufs (Ubuntu), btrfs (SUSE), vfs, devicemapper (CentOS), <strong>overlay2</strong> (CentOS/Ubuntu)</td> </tr> <tr> <td><strong>veth</strong></td> <td>Docker network modes: bridge, host, container, none</td> </tr> </tbody> </table> <h3 id="how-containers-are-implemented">How containers are implemented</h3> <p>A container is essentially a <strong>special process</strong> created with <code>clone(2)</code>:</p>