Container exercises

Here are some fun things to try with containers. Work in any order, at your own pace. Ask for help if you get stuck, as usual.

Containerize some app

  • That is, write a Containerfile which builds an image with an application packaged
    - As mentioned, Dockerfile is a Docker-specific Containerfile; they are mostly interchangeable
    - Containerfile is the vendor-neutral (OCI) name
  • Any app you run/want/need to run
  • If the app needs to be built (compiled) first, use a separate build stage (multi-stage builds)
  • Write a Containerfile, build it and run the app
  • Try working with Volumes (podman-run(1), see -v|--volume)
    - Volume = a directory mounted from the host into the container to achieve persistence
  • Try working with Ports (podman-run(1), see -p|--publish)
    - Port = allows you to listen on some port on the host
    - Not really, it's a hack: Podman starts a program listening on the port on the host for you and injects the traffic into the container (slirp)
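An added example (not part of the original exercise sheet) of such a multi-stage Containerfile: it assumes a hypothetical Go HTTP server in the build context that listens on port 8080 and keeps its state under /data; image tags and the app itself are assumptions, and the podman commands in the comments show how the port and volume exercises fit in.

```dockerfile
# Stage 1: build the application.
# Constructed example: assumes a Go module in the build context whose main
# package sits at the root (hypothetical, not from the original page).
FROM docker.io/library/golang:1.22 AS build
WORKDIR /src
# Copy go.mod (and go.sum if present) first so dependency downloads are cached
COPY go.* ./
RUN go mod download
COPY . .
# Static binary: the runtime stage then needs no libc and no Go toolchain
RUN CGO_ENABLED=0 go build -trimpath -ldflags="-s -w" -o /out/app .

# Stage 2: minimal runtime image; nothing from the build stage except the
# binary ends up here, which keeps the attack surface (and the image) small.
FROM docker.io/library/alpine:3.20
# Run as a dedicated unprivileged user; /data is the only writable location
RUN adduser -D -u 10001 app \
 && mkdir -p /data \
 && chown app:app /data
COPY --from=build /out/app /usr/local/bin/app
USER 10001:10001
# Persistent state goes on a volume (podman-run -v), not in the container layer
VOLUME ["/data"]
# Documents the port the app listens on; publishing it is podman-run -p
EXPOSE 8080
ENTRYPOINT ["/usr/local/bin/app"]

# Build and run (podman, same commands work with docker):
#   podman build -t myapp .
#   podman run --rm --read-only -p 8080:8080 -v myapp-data:/data myapp
# --read-only makes the whole container FS r/o; only the /data volume stays writable.
```

On an SELinux host such as Fedora, a host directory used as a volume needs a relabel suffix (for example `-v ./state:/data:Z`) or the unprivileged process in the container cannot write to it.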

Take a look at overlayfs

  • (Introduction.)
  • This filesystem demonstrates the flexibility of Linux file systems by implementing something very non-traditional
  • Podman/Docker use it to implement layers (r/w container FS on top of r/o image FS, image layers, etc.)
  • If you’re root, you can mount(8) -t overlayfs directly
  • If you’re not root, you can use fuse-overlayfs(1)
    - FUSE itself is a very interesting thing: “File System in Userspace”
    - Allows you to implement and mount file systems as a non-root user
    - Via a kernel module (fuse.ko) and a setuid userspace binary (fusermount(1))

Try working with Pods in Podman

  • podman-pod(1)
  • Pods really are just a collection of containers which share certain namespaces
    - For example, they share the network namespace by default
    - This makes sense for “compound” workloads, such as a RESTful backend API + database
    - The containers are still isolated from one another, but to a much lesser extent
  • Run whatever makes sense for you particularly

Try to build a container from scratch

  • Tutorial
  • Use e.g. Alpine Linux root filesystem
  • Learn about the various namespaces(7) and how they work
  • Learn about cgroups(7)
  • Use unshare (or syscalls directly if you dare) to isolate the container from the host
    - That is, don’t use Podman, it hides too many things from you
  • Try to get the container online

Further reading