Container exercises
Here are some fun things to try with containers. Work in any order, at your own pace. Ask for help if stuck as usual.
Containerize some app
- That is, write a Containerfile which builds an image with an application packaged
  - As mentioned, Dockerfile is a Docker-specific Containerfile; they are mostly interchangeable
  - Containerfile is the vendor-neutral (OCI) name
- Any app you run/want/need to run
- If the app needs to be built (compiled) first, use a separate build stage (multi-stage builds)
- Write a Containerfile, build it and run the app
- Try working with volumes (podman-run(1), see -v|--volume)
  - Volume = a directory mounted from the host into the container to achieve persistence
- Try working with ports (podman-run(1), see -p|--publish)
  - Port = allows you to listen on some port on the host
  - Not really; it’s a hack: Podman starts a program listening on the port on the host for you and injects the traffic into the container via slirp (slirp4netns)
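A multi-stage Containerfile covering the points above, as an added example that is not part of the exercise sheet. It assumes the build context holds a Go module (go.mod, go.sum, main package at its root) whose server listens on port 8080 and keeps its state under /data; the image names and user id are arbitrary choices.

```dockerfile
# Stage 1: build the application with the full toolchain.
# Assumed: a Go module in the build context, main package at its root.
FROM docker.io/library/golang:1.22-alpine AS build
WORKDIR /src
# Copy module files first so the dependency download is cached across source edits
COPY go.mod go.sum ./
RUN go mod download
COPY . .
# Static binary: no libc needed in the final image, so the runtime layer stays small
RUN CGO_ENABLED=0 go build -trimpath -ldflags="-s -w" -o /out/app .

# Stage 2: runtime image without compilers, sources or the module cache
FROM docker.io/library/alpine:3.20
# Unprivileged user (uid 10001, assumed); /data is the app's state directory
RUN adduser -D -H -u 10001 -s /sbin/nologin app \
 && mkdir -p /data && chown 10001:10001 /data
# Only the built binary crosses from the build stage into the final image
COPY --from=build /out/app /usr/local/bin/app
USER 10001:10001
# Persistent data lives in a volume; the port is documented for -p|--publish
VOLUME ["/data"]
EXPOSE 8080
ENTRYPOINT ["/usr/local/bin/app"]
```

Build and run it with `podman build -t myapp .` and `podman run --rm --read-only -v myapp-data:/data:Z -p 127.0.0.1:8080:8080 myapp` (drop `:Z` on hosts without SELinux). The named volume keeps /data across container restarts, and publishing on 127.0.0.1 keeps the port off the host's external interfaces.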
Take a look at overlayfs
- (Introduction.)
- This filesystem demonstrates the flexibility of Linux file systems by implementing something very non-traditional
- Podman/Docker use it to implement layers (r/w container FS on top of r/o image FS, image layers, etc.)
- If you’re root, you can mount(8) -t overlay directly (the kernel filesystem type is called overlay, not overlayfs)
- If you’re not root, you can use fuse-overlayfs(1)
  - FUSE itself is a very interesting thing: “File System in Userspace”
  - Allows you to implement and mount file systems as a non-root user
  - Via a kernel module (fuse.ko) and a setuid userspace binary (fusermount(1))
Try working with Pods in Podman
- podman-pod(1)
- Pods really are just a collection of containers which share certain namespaces
  - For example, they share the network namespace by default
  - This makes sense for “compound” workloads, such as a RESTful backend API + database
  - The containers are still isolated from one another, but to a much lesser extent
- Run whatever makes sense for you
Try to build a container from scratch
- Tutorial
- Use e.g. Alpine Linux root filesystem
- Learn about the various namespaces(7) and how they work
- Learn about cgroups(7)
- Use unshare(1) (or the syscalls directly if you dare) to isolate the container from the host
  - That is, don’t use Podman; it hides too many things from you
- Try to get the container online
Further reading
- If you’re interested in containers, take a look at “Podman In Action” by D. Walsh (Manning, 2023).
- Good book, easy to read
- Covers history (Docker vs. Podman), basics, namespaces, etc.