How Docker Works - Intro to Namespaces
Вставка
- Опубліковано 8 тра 2024
- Let's figure out how Docker works! We will investigate docker by tracing the syscalls to find the Linux Kernel feature called Namespaces. We also learn about the different ones like process id, network or mount namespaces.
docker → dockerd → containerd → runC → unshare syscall
Part 1: • Introduction to Docker...
LWN Article: lwn.net/Articles/531114/
Docker Example: github.com/LiveOverflow/pwn_d...
=[ ❤️ Support ]=
→ per Video: / liveoverflow
→ per Month: / @liveoverflow
=[ 🐕 Social ]=
→ Twitter: / liveoverflow
→ Website: liveoverflow.com/
→ Subreddit: / liveoverflow
→ Facebook: / liveoverflow
Internals always fascinates me.
you should make a playlist of cool internals, and share it with me :)
Jack the ripper was fascinated as well.
I swear
@@harelr5041 where is that? I soooooo have to watch that
So many videos on internet but this will have a special place amongst all of them since none of them deep dive with such clarity. I finally understand the magic behind docker and more confident in using it. Thank you very much!
"docker is just a fancy interface around this unshare (system call) namespace feature (of the linux kernel)."
This video is amazing, thanks
Great video! The effort put into nifty graphics, scripting, editing and overall quality is *IMMENSELY* appreciated. Most videos on topics like this are just one take (with a bad microphone to boot). Videos like this make containers more accessible and understandable, especially for inexperienced users. You got yourself a new sub!
This is what I call a high quality content. Very valuable. Thanks for putting in so much effort to create this.
Excellent video! there are a lot of videos on docker out there but none come close to explaining the internals like you do! Thank you so much!
Great video! I am currently also working with docker and in the beginning had the same problem that I lost overview. Your video shows in a very good way what an important role the namespaces play in this process! Thanks a lot for that!
Great job on going into the lower level stuff behind the containers. You truly have a gift!
Great video! Worked a lot with docker lately, yet I haven't really done some digging into how it works. I like your thought process and your problem solving abilities. Thank you for yet another amazing video!
One of your best videos ever, congrats! Sweet spot when explaining Docker internals. I just shared with my coworkers. Thanks.
Really liked how you demonstrated your search inside the docs; it really demystifies the process for novice programmers.
Really one of your best videos on how internals work. These things always fascinates me.
Just wanna say absolutely love the big red arrow which forces me to read along with you and not ahead or before like one would with subtitles!
This is what I want to see when I search for something. I wish more people would dive deep into things like you do in this video.
Great stuff, namespaces are a really cool feature and it's worth an awesome explanation by one of today's greatest processes.
Thank you so much!! Your tips to analyse what's going on inside are priceless.
this must be the most information i got about the difference between Docker and VMs! many thanks!
Finally! A tutorial about Docker!!! We always use Docker at work to manage our apps in production, so this will be surely interesting
Mind blowing! I love digging into internals and this video is so well done
One of the best explanation videos I've ever seen on any topic.
Wonderful!!!! Please consider doing a series like this one for the kernel modules book.
Congrats Sr. for this wonderful video explaining the underlying "magic" of the containers which definitely helps to understand better the differences between VM and containers and what does it mean in terms of performance etc. Just for curiosity I checked the wikipedia and the "namespaces" feature was introduced in 2002 in the Linux kernel (inspired by a wider namespaces feature from Bell-Labs's Plan9 OS). It's amazing to see how could a "good feature " can create so much around after almost 20 years :D
dat zoom at 1:32 🤣
3:48 🤣🤣 exactly how I feel about those kinds of descriptions
I love this video. Really appreciate the efforts you put in to making these amazing quality videos ♥️
This video was awesome. Thank you for teaching this in such a clear way.
thats literally what i wanted to learn a few days ago! thanks =D
perfect pacing, a real pleasure to learn from this
Thank you for the clear and deep explanation!
Incredible! You really have a great skill to make these things seem so simple to understand. Hats off and thanks a ton ;)
bhai bhai
I usually don't understand much of what you say in your videos, but I think in this one stuff are clearer.
I've been using containers daliy for years at my work, still this was really cool, and informative even for me, thanks
This is such well made, and well explained video! awesome, thanks so much!
Best and detailed explanation. Thankyou for making this.
The BEST video I have ever seen on Docker.
I spent hours researching this specific thing the other day, mostly comparing "containers" to FreeBSD Jails. It's so hard to find useful information wading through all the devops marketing nonsense. Thank you for taking an interest in this topic and sharing your research process.
Amazing video. Super informative and easy to understand. Thanks!
Thank you for this amazing video, it was great to solidify what I am studying!
Wow this is illuminating! Thank you for making this !
What a great video - I am not the most advanced linux user but this makes perfect sense to me now
Digging into internals is always an interesting to me, but quite time consuming and easy getting frustrated though. (smile with sweat).
Great video :)
This video was MAGNIFICENT!! Thank you a lot!
Thanks! Great look behind the scenes
thank you very much this is incredibly informative and answered all my questions, thank you again!
I always thought Docker was magic, thx so much for the video!
(also can we just take a moment for the cute as heck hand-drawn Docker logo?)
absolutely love this explanation!!
I immediately subscribed to your channel as soon as I saw this video. ty for content like this.
VIM has pretty good strace highlighting :) Great videos as always.
please please please make more videos like this. This is invaluable information.
Love your videos and their style. Thanks!
Great explanation!
the best docker explanation.
Absolutely Flawless! Thanks a ton
Had to learn these things the hard way while doing some container escape CTF, this video would have been a very solid starting point. Thank you so much for the effort you put on this, I know the lots of docs you had to review to explain this way.
Definitely enjoy this topic!
Just awesome explanation !
Very informative, thanks for the awesome video!
Nicely explained ❤
Fascinating content, thanks!
awesome explanation! Thanks so much.
Great explanation! 👍
Wow what a clear explanation!
Perfect timing! A few hours ago I was thinking of finding some resources to learn Docker xD Right on time!
lul
Hehe, i started fiddling with docker too a few days ago ^^ nice video lifeoverflow 👍
well you don't learn docker in that sense, you learn on what docker is based (and why there are many alternatives, doing basically the same)
Woow!! What an explanation, Thanks for expalining this in a fascinating way, and whoever dislikes this video, shame on you.
Awesome ! Love that arrows 👍
Awesome intro to namespaces with containerd and runc calls. Could we have a video on cgroups and seccomp as well to cover the security aspects od Docker containers
A container/namespace is essentially a pocket dimension. You have the main universe or dimension (your computer), but then you can create a dimension within it that can be seen from the main one, but not vice versa.
Congrats on repeating what he said in the video
mah lawd this is comprehensive.... best docker internals overview!
such an amazing video. Good job.
This is fantastic info., thanks for sharing.
This really clears it up for me. I just started looking into what a docer is and how it differs from a VM and I started reading about namespaces and I was like "What!??"
This is the best explanation what is the difference between Vm and container.
Thanks a lot
Thanks for sharing. Very good video.
Excellent video, thanks.
This video is straight fire!!
Yay! New video. Thanks
Learned a lot from this video!!!!!!!
Amazing tutorial video
. Ich müsste mit Docker während ein Projekt im Master arbeiten, bisher könnte ich das Untershied zwischen Docker und VMs nicht verstehen. jetzt es ist Klar für mich, Vielen Dank für die einfachee Erklärung :D
schönen Tag noch!
Thanks for sharing this! You helped me so much..
bruh
@@luqmansen wadaw ke gap 🏃
Thanks, excellent content
Great video, thank you! Subscribed :)
Amazing explanation of a ridiculously complex system
This is awesome
excellent! 🎉
i know this channel is related to CTF and hacking but can you please also make more videos like these on software, which we just take it for granted and never try to understand the software from the actual process/syscall level.
Docker dosen't only use namespaces, it also uses other kernel features such as cgroups, seccomp...
damn, that was such a good explanation!
Best way to learn Linux !
Aside from being an unbelievably good informational video... This shit is funny too... Subscribed
Awesome!
Another video which I ll not understand but watch till the end.
You're a pro.
Good video 👍
It's very nice explanation, because so far I just think container is like vm, but in lo level it's look different..
it is incroyable, thank you
You can check the differents namespaces by using the lsns command, inside one container and in the host
Brother , you know if you explain all the documentation existed like this , every damn dev will watch all the videos 😅 its less boring then reading huge docs ♥
Can you make a video on the stuff NOT to do and how to prevent leaks to the host system?
welp, depending on who you ask docker is not a security system
@@User-md3ul No it is not, but there are ways to harden it and thus creating layered security. So in a sense, it is and it isn't.
Try running bash code ":(){ :|:& };:" in docker container (on linux host) - have fun
@@eugenej.5584 I think I'm gonna pass on that one 😂😂😂 doesn't look to me that it's a valid command but you never know 🤔
@@Stoney_Eagle it's a fork bomb.
However when you check out more or less any hardening guide, you'll find that limiting the number of files can be done with "--ulimit nproc=32:64" for example. Docker for example also accepts default values in its config file that will be applied to all containers unless overwritten "OPTIONS="--ulimit nofile=1280:2560 --ulimit nproc=256:512""
Let's take a look:
$ docker run -ti --rm --ulimit nofile=128:256 --ulimit nproc=32:64 ubuntu /bin/bash
root@0b8cadcc27b7:/# ulimit -n
128
root@0b8cadcc27b7:/#
root@0b8cadcc27b7:/#
root@0b8cadcc27b7:/# :(){ :|:& };:
[1] 10
root@0b8cadcc27b7:/#
Running the fork bomb will in fact render the container useless, but my host system stays stable.
$ lsof | awk '{print $1}' | sort | uniq -c | sort -r | head | grep dock
262 com.docker
That's our expected limit and some overhead that's existing on MacOS
Try podman. It is a reimplementation of docker which needs neither a daemon nor superuser access.
Oh my... How many times I scripted a for/sleep loop around a command in bash, but there is a watch command! 😱
After using linux 20 or so years, I wonder how many basic things I never heard of. 😂