Containerization
Containerization packages applications in isolated, lightweight environments (containers) that share the host kernel.
- This improves portability and scalability compared to full virtual machines #vm
- The isolation comes from OS kernel features, not a separate guest OS
- Containerization is an OS-agnostic concept; Linux implements it with specific kernel facilities
Why Containers
- Consistent runtime across environments
- Fast startup and low overhead
- Easier scaling and microservice deployment
- Better isolation than running directly on the host (but less than VMs)
Kernel Building Blocks
Linux/Containerization/Namespaces
Isolate views of global system resources (PID, NET, MNT, UTS, IPC, USER, CGROUP).
Linux/Containerization/Cgroups
Control and account for resource usage (CPU, memory, I/O, PIDs).
Linux/Containerization/Capabilities
Split root privileges into fine-grained permissions (e.g., CAP_NET_ADMIN, CAP_SYS_ADMIN).
Linux/Containerization/Seccomp
Restrict allowed syscalls per container to reduce attack surface.
Linux/Containerization/LSM
Mandatory access controls via Linux/Security/AppArmor or Linux/Security/SELinux to confine processes.
Linux/Containerization/OverlayFS
Union/overlay filesystems enable image layering and copy-on-write.
Linux/Containerization/VirtualNetworking
Virtual interfaces (veth), bridges, and netfilter/iptables provide isolated networking.
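An added example (not part of these notes) showing how the capability and seccomp building blocks above surface for a running process: the kernel publishes every process's effective capability mask and seccomp mode in /proc/<pid>/status, and this Python script decodes them into names so you can see what a container runtime actually left in place. The sample status text is constructed to resemble a process in a container started with a default capability set; summarize_pid() reads the real file on a Linux host.

```python
"""Decode the kernel-level confinement of a process from /proc/<pid>/status.

Added example, not code from the original notes. It reads the CapEff,
Seccomp and NoNewPrivs fields the kernel exposes for every process and
expands the capability bitmask into names.
"""
from pathlib import Path

# Capability bit numbers from <linux/capability.h> (list index == bit number).
CAP_NAMES = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
    "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
    "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM",
    "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ", "CAP_PERFMON", "CAP_BPF",
    "CAP_CHECKPOINT_RESTORE",
]

# Capabilities that, when present inside a container, largely undo the boundary.
HIGH_RISK = {"CAP_SYS_ADMIN", "CAP_SYS_PTRACE", "CAP_SYS_MODULE",
             "CAP_NET_ADMIN", "CAP_DAC_READ_SEARCH", "CAP_SYS_RAWIO"}

SECCOMP_MODES = {0: "disabled", 1: "strict", 2: "filter"}

# Constructed sample: fields of a process holding a typical default container
# capability set (14 capabilities) with a seccomp filter attached.
SAMPLE_STATUS = """\
Name:\tapache2
Pid:\t1
CapInh:\t0000000000000000
CapPrm:\t00000000a80425fb
CapEff:\t00000000a80425fb
CapBnd:\t00000000a80425fb
CapAmb:\t0000000000000000
NoNewPrivs:\t0
Seccomp:\t2
Seccomp_filters:\t1
"""


def parse_status(text):
    """Turn the 'Key:<tab>value' lines of /proc/<pid>/status into a dict."""
    fields = {}
    for line in text.splitlines():
        if ":" in line:
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
    return fields


def decode_caps(hex_mask):
    """Expand a capability bitmask (hex, as printed in /proc) into names."""
    mask = int(hex_mask, 16)
    return [name for bit, name in enumerate(CAP_NAMES) if mask >> bit & 1]


def summarize(text):
    """Report effective capabilities, the risky subset, and seccomp state."""
    f = parse_status(text)
    caps = decode_caps(f.get("CapEff", "0"))
    return {
        "effective": caps,
        "high_risk": sorted(HIGH_RISK & set(caps)),
        "seccomp": SECCOMP_MODES.get(int(f.get("Seccomp", "0")), "unknown"),
        "no_new_privs": f.get("NoNewPrivs") == "1",
    }


def summarize_pid(pid="self"):
    """Same report for a live process on a Linux host (e.g. run inside a container)."""
    return summarize(Path(f"/proc/{pid}/status").read_text())


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_STATUS).items():
        print(f"{key}: {value}")
```

Running summarize_pid() inside a container and on the host side by side is a quick way to confirm that the runtime dropped CAP_SYS_ADMIN and friends and that a seccomp filter (mode 2) is actually in force; a full mask of 000001ffffffffff with Seccomp 0 means the process is effectively unconfined root.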
Docker
Docker is a platform for building and running containers using layered images and a simple CLI.
Dockerfile Example
# Base image pinned to a release tag
FROM ubuntu:22.04
# Install the web server and sshd, then drop the apt lists so they do not bloat the layer
RUN apt-get update && \
apt-get install -y \
apache2 \
openssh-server \
&& \
rm -rf /var/lib/apt/lists/*
# Create a local user; the password is baked into the image layer
RUN useradd -m docker-user && \
echo "docker-user:password" | chpasswd
# Hand the Apache directories to that user and grant passwordless sudo
RUN chown -R docker-user:docker-user /var/www/html && \
chown -R docker-user:docker-user /var/run/apache2 && \
chown -R docker-user:docker-user /var/log/apache2 && \
chown -R docker-user:docker-user /var/lock/apache2 && \
usermod -aG sudo docker-user && \
echo "docker-user ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers
# Document the ports the two services listen on
EXPOSE 22 80
# Start sshd, then keep Apache in the foreground so the container stays up
CMD service ssh start && /usr/sbin/apache2ctl -D FOREGROUND
Build and Run
Docker rejects uppercase characters in a repository name, so the tag is written in lowercase:
$ docker build -t fs_docker .
$ docker run -p 8022:22 -p 8080:80 -d fs_docker
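An added example, not from the original notes or from Docker: a small static audit in Python run over the Dockerfile above, which is embedded as constructed input so the script runs offline. It flags the build-time choices that make the resulting container easier to take over once any process inside it is compromised: no USER instruction, a password baked into an image layer, passwordless sudo, and sshd as a second entry point beside the application. The finding names and the parser are this example's own.

```python
"""Static checks over a Dockerfile, demonstrated on the example above.

Added example, not part of the original notes. parse_dockerfile() joins
backslash continuations into logical instructions; audit() returns a set
of finding identifiers (names chosen for this example).
"""
import re

# Constructed copy of the example Dockerfile from the notes.
EXAMPLE_DOCKERFILE = """\
FROM ubuntu:22.04
RUN apt-get update && \\
    apt-get install -y \\
    apache2 \\
    openssh-server \\
    && \\
    rm -rf /var/lib/apt/lists/*
RUN useradd -m docker-user && \\
    echo "docker-user:password" | chpasswd
RUN chown -R docker-user:docker-user /var/www/html && \\
    chown -R docker-user:docker-user /var/run/apache2 && \\
    chown -R docker-user:docker-user /var/log/apache2 && \\
    chown -R docker-user:docker-user /var/lock/apache2 && \\
    usermod -aG sudo docker-user && \\
    echo "docker-user ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers
EXPOSE 22 80
CMD service ssh start && /usr/sbin/apache2ctl -D FOREGROUND
"""


def parse_dockerfile(text):
    """Return [(INSTRUCTION, arguments)] with '\\'-continued lines joined."""
    logical, buf = [], ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.lstrip().startswith("#"):
            continue  # blank lines and comments carry no instruction
        if line.endswith("\\"):
            buf += line[:-1] + " "  # continuation: keep accumulating
            continue
        logical.append(buf + line)
        buf = ""
    if buf:
        logical.append(buf)
    steps = []
    for entry in logical:
        parts = entry.strip().split(None, 1)
        steps.append((parts[0].upper(), parts[1] if len(parts) > 1 else ""))
    return steps


def audit(text):
    """Return the set of findings for the given Dockerfile text."""
    steps = parse_dockerfile(text)
    findings = set()
    runs = " ; ".join(args for ins, args in steps if ins == "RUN")

    if not any(ins == "USER" for ins, _ in steps):
        findings.add("runs-as-root")  # no USER: every process is uid 0 in the container

    # A literal user:password piped into chpasswd persists in the image layer history.
    if re.search(r"echo\s+\S*:\S*\s*\|\s*chpasswd", runs):
        findings.add("hardcoded-password")

    if "NOPASSWD" in runs and "sudoers" in runs:
        findings.add("passwordless-sudo")  # any shell as that user is root without a secret

    exposed = set()
    for ins, args in steps:
        if ins == "EXPOSE":
            exposed.update(port.split("/")[0] for port in args.split())
    if "22" in exposed or "openssh-server" in runs:
        findings.add("sshd-in-container")  # a second login path the app does not need

    for ins, args in steps:
        if ins == "FROM":
            image = args.split()[0]
            if ":" not in image or image.endswith(":latest"):
                findings.add("unpinned-base-image")  # rebuilds pull whatever is current
    return findings


if __name__ == "__main__":
    for finding in sorted(audit(EXAMPLE_DOCKERFILE)):
        print(finding)
```

The usual fixes map one-to-one onto the findings: add a USER line so Apache does not run as root, let the orchestrator or the host's SSH handle access instead of running sshd in the image, inject credentials at run time rather than in a RUN layer, and drop the sudoers entry entirely.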
Common Docker Commands
| Command | Description |
|---|---|
| docker ps | List running containers |
| docker stop | Stop a container |
| docker start | Start a container |
| docker restart | Restart a container |
| docker rm | Remove a container |
| docker rmi | Remove an image |
| docker logs | View container logs |
Linux Containers (LXC)
LXC provides system-level containers using cgroups and namespaces. Containers share the host kernel but run in isolated environments. Docker is application-focused and highly portable; LXC is more system-level and often requires more manual configuration.
Install LXC
$ sudo apt install lxc -y
Create a Container
$ sudo lxc-create -n Linuxcontainer -t ubuntu
Manage LXC
| Command | Description |
|---|---|
| lxc-ls | List containers |
| lxc-stop -n <container> | Stop a container |
| lxc-start -n <container> | Start a container |
| lxc-restart -n <container> | Restart a container |
| lxc-config -n <container> -s storage | Manage storage |
| lxc-config -n <container> -s network | Manage network |
| lxc-config -n <container> -s security | Manage security |
| lxc-attach -n <container> | Attach to a container |
| lxc-attach -n <container> -f /path/to/share | Attach with a shared path |
Securing LXC (Cgroups Example)
Limit CPU and memory via container config:
lxc.cgroup.cpu.shares = 512
lxc.cgroup.memory.limit_in_bytes = 512M
Apply changes by restarting the service:
$ sudo systemctl restart lxc.service
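An added example, not from the original notes or from the LXC project. The lxc.cgroup.* keys above address cgroup v1 controllers; on a host booted with the unified (cgroup v2) hierarchy LXC expects lxc.cgroup2.* keys whose names and units differ, and a limit written against the wrong hierarchy is silently not enforced. This Python script parses a container config fragment (constructed here; LXC's per-container config normally lives under /var/lib/lxc/<container>/config), converts the memory limit to bytes and the CPU shares to a v2 weight, and lists the limits the config leaves unbounded. The shares-to-weight formula is the linear mapping used by Kubernetes and older runc releases for v1-to-v2 migration; that choice is this example's assumption, not something the notes specify.

```python
"""Translate LXC cgroup v1 limit keys to their cgroup v2 form and spot gaps.

Added example, not part of the original notes. parse_config() handles the
'key = value' syntax of an LXC config; convert_v1_to_v2() emits the
lxc.cgroup2.* equivalents; missing_limits() names unbounded resources.
"""
import re

# Constructed config fragment carrying the two limits from the notes.
SAMPLE_CONFIG = """\
# constructed LXC container config
lxc.uts.name = Linuxcontainer
lxc.cgroup.cpu.shares = 512
lxc.cgroup.memory.limit_in_bytes = 512M
"""

UNITS = {"K": 1024, "M": 1024 ** 2, "G": 1024 ** 3}


def parse_config(text):
    """Return {key: value} for 'key = value' lines, skipping comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def to_bytes(value):
    """'512M' -> 536870912; a plain integer passes through unchanged."""
    m = re.fullmatch(r"(\d+)\s*([KMG])?", value.upper())
    if not m:
        raise ValueError(f"unparseable size: {value!r}")
    return int(m.group(1)) * UNITS.get(m.group(2), 1)


def shares_to_weight(shares):
    """cgroup v1 cpu.shares [2..262144] -> v2 cpu.weight [1..10000].

    Linear mapping (assumption for this example): 2 -> 1, 1024 -> 39, 262144 -> 10000.
    """
    shares = max(2, min(int(shares), 262144))
    return 1 + ((shares - 2) * 9999) // 262142


def convert_v1_to_v2(conf):
    """Emit the lxc.cgroup2.* equivalents of the known lxc.cgroup.* keys."""
    out = {}
    if "lxc.cgroup.cpu.shares" in conf:
        out["lxc.cgroup2.cpu.weight"] = shares_to_weight(conf["lxc.cgroup.cpu.shares"])
    if "lxc.cgroup.memory.limit_in_bytes" in conf:
        out["lxc.cgroup2.memory.max"] = to_bytes(conf["lxc.cgroup.memory.limit_in_bytes"])
    return out


def missing_limits(conf):
    """Name the resources a config leaves unbounded on either hierarchy."""
    checks = {
        "memory": ("lxc.cgroup.memory.limit_in_bytes", "lxc.cgroup2.memory.max"),
        "pids": ("lxc.cgroup.pids.max", "lxc.cgroup2.pids.max"),
    }
    return sorted(name for name, keys in checks.items()
                  if not any(key in conf for key in keys))


if __name__ == "__main__":
    conf = parse_config(SAMPLE_CONFIG)
    for key, value in convert_v1_to_v2(conf).items():
        print(f"{key} = {value}")
    print("unbounded:", missing_limits(conf))
```

For the fragment above the script reports a PID limit as missing: without pids.max a fork bomb inside the container exhausts the host's process table just as it would outside, so a pids limit belongs next to the memory limit. Because LXC reads the container config when the container starts, a running container has to be stopped and started again before the new limits take effect.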