Download as PDF, PPTX
Uploaded byTomas Doran
Dockersh and a brief intro to the docker internals
The document discusses the use of Docker containers for providing persistent SSH sessions to multiple users, highlighting the benefits of containers over virtual machines in terms of resource efficiency and isolation. It introduces concepts like namespaces, capabilities, and cgroups for managing resources and security within containers. The document also touches upon potential improvements and includes links to further resources and job opportunities at Yelp.
More Related Content
Similar to Dockersh and a brief intro to the docker internals
![Computer Networks 01[1 using all terms].pptx](https://cdn.slidesharecdn.com/ss_thumbnails/computernetworks011-251214040533-327dd9f8-thumbnail.jpg?width=640&height=640&fit=bounds)
Dockersh and a brief intro to the docker internals
- 1. dockersh Tomas Doran @bobtfish 2014-‐10-‐14
- 2.
- 3. Shared (personal) bouncehost • Multiple users • Persistent ssh sessions • ‘Playground’ • Fair split of resources? • Isolation? Security? 3
- 4. VMs are expensive • 12 tmux sessions vs • 12 Virtual machines 4
- 5. Containers are cheap • Container as lightweight VM • One persistent container per user • /home/myuser from host • /etc/passwd from host • Let the user supply own container? • sshd per container = 1 port per user 5
- 6. Containers are cheap • Container as lightweight VM • One persistent container per user • /home/myuser from host • /etc/passwd from host • Let the user supply own container? • sshd per container = 1 port per user 6
- 7. Containers are cheap • One persistent container per user • Even let the user supply the container • sshd per container = 1 port per user • Container as lightweight VM? • Need to edit ~/.ssh/config 7
- 8. Can we dobetter? 8
- 9. nsenter • Execa process in an existing namespace • Debug running containers as root 9
- 10. nsenter • Execa process in an existing namespace • Debug running containers as root 10
- 11.
- 12.
- 13. What’s a Dockercontainer? cat /var/lib/docker/execdriver/native/ d910d20082fed3763b377a2d46e30da5def9fdd7863a0642ea154er.json | jq . 13
- 14.
- 15. Capabilities • Pluggablein Docker 1.2.0 • —drop_cap • Scary default capabilities: • SUID • SGID • MKNOD 15
- 16. cgroups • Memorygroups • CPU groups • IO groups 16
- 17.
- 18.
- 19.
- 20.
- 21.
- 22. Namespaces • Percontainer separation • UTS - hostnames • IPC - sysvipc • PID - processes • NET - network 22
- 23. PID Namespaces Frominside 23
- 24. PID Namespaces Fromoutside 24
- 25. NET Namespace •Per container IP stack • Bandwidth limits per container 25
- 26.
- 27. Todo • Ptys • scp • Better agent forwarding 27
- 28. Thanks! • We’rehiring! http://www.yelp.co.uk/careers?jvi=ogVTXfwL • https://github.com/Yelp/dockersh • http://engineeringblog.yelp.com/2014/08/ hack209-dockersh.html 28