History of Linux Container

What is container?

A container is a form of operating-system-level virtualization that lets you package applications and their dependencies and run them in isolated environments. Containers branch off the host operating system, and they share the host operating system's kernel and system libraries to complete their tasks.

Container’s history

In 1979, during the development of Unix V7, a new system call named chroot (change root) was introduced. It is a Unix system call that changes the root directory of a process and its children to a new location in the filesystem, which becomes the only part of the filesystem visible to that process. It was the beginning of process isolation: isolated disk space for each process, or segregated file access for each process.

What is Chroot?

A chroot (change root) is a Unix/Linux operation that isolates a process and its children from the rest of the system. The process gets a new, virtual root directory that determines which paths it can see. This is mainly a convenient and simple way to control which files and libraries the process can reference.

Any process that runs after a chroot operation only has access to the newly defined root directory and its subdirectories. This setup is commonly known as a chroot jail, since these processes cannot read or write outside the new root directory.

How to use chroot jail?

chroot is a Unix/Linux system call that can be exercised from an sh/bash shell with a minimal set of system libraries. We will use Ubuntu 20.04.3 LTS x86_64 to test the chroot jail.

To run a functional chroot environment on Linux, the kernel virtual file systems must be mounted inside the chroot, and the configuration and library files must be copied from the host into it.

Switch to root user.

$ sudo su -

Create a container directory where the container code will run.

# mkdir container_test

Copy the /usr and /etc trees into the container directory.

# cp -rf /usr container_test

# cp -rf /etc container_test

Switch to your container directory and create soft links for bin, sbin and the lib directories.

# cd container_test

# ln -s usr/bin bin

# ln -s usr/sbin sbin

# ln -s usr/lib lib

# ln -s usr/lib32 lib32

# ln -s usr/lib64 lib64

Create some more directories inside the container directory.

# mkdir dev home proc run sys var root tmp

Give the tmp directory full permissions, with the sticky bit set as on the host's /tmp so that users cannot delete each other's files.

# chmod 1777 tmp

Copy /var/lib to the var directory and create cache and log directories inside var.

# cp -rf /var/lib var/

# mkdir var/cache var/log

# cd ..

Use the chroot command to change the root to the container_test directory.

# chroot container_test/ /bin/bash

Now, inside the chroot, mount the kernel virtual file systems so that your processes and other commands work without issues.

# mount -t proc proc /proc

# mount -t sysfs sysfs /sys

# mount -t devtmpfs devtmpfs /dev

# mount -t tmpfs tmpfs /dev/shm

# mount -t devpts devpts /dev/pts


Your chroot jail is now ready to use. Try installing nginx to check that packages can be installed inside the jail.

# apt install nginx

Note: if you get the error "E: Unable to fetch some archives, maybe run apt-get update or try with --fix-missing?", run the commands below.

# exit

# rm container_test/etc/resolv.conf

# cp /run/systemd/resolve/stub-resolv.conf container_test/etc/resolv.conf

# chroot container_test/ /bin/bash

# apt install nginx

Start nginx and test whether you can reach the web page from the CLI.

Start the nginx web server daemon once the nginx installation has completed.

# nginx

Now check whether you can fetch a page from your web server with wget.

# wget http://127.0.0.1

After testing is completed, stop the nginx process in the chroot jail.

# killall nginx

Unmount the kernel virtual file systems inside the chroot jail so that you can exit it safely.

# umount /dev/pts

# umount /dev/shm

# umount /dev

# umount /sys

# umount /proc

Exit from chroot jail.

# exit
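
The mounts made inside the jail live in the host's mount table, and the devtmpfs mounted at container_test/dev is the same instance as the host's /dev, so deleting container_test while it is still mounted would remove host device nodes. The shell functions below are an added example, not part of the original post: they list what is still mounted under a jail, children first, so it can be unmounted and checked before removal. The jail path /root/container_test and the sample mount table are constructed for illustration, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post): host-side check that no kernel
# virtual file systems are still mounted under a chroot jail before deleting it.

# Constructed sample in /proc/mounts format; paths assume the jail was created
# in root's home directory (/root/container_test).
sample_mounts() {
    cat <<'EOF'
/dev/sda1 / ext4 rw,relatime 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
devtmpfs /dev devtmpfs rw,nosuid,relatime 0 0
proc /root/container_test/proc proc rw,relatime 0 0
sysfs /root/container_test/sys sysfs rw,relatime 0 0
devtmpfs /root/container_test/dev devtmpfs rw,relatime 0 0
tmpfs /root/container_test/dev/shm tmpfs rw,relatime 0 0
devpts /root/container_test/dev/pts devpts rw,relatime 0 0
proc /root/container_test2/proc proc rw,relatime 0 0
EOF
}

# Print every mount point below jail directory $1, children before parents.
# $2 is the mount table to read: /proc/mounts by default, "-" for stdin.
jail_mounts() {
    jail=${1%/}
    awk -v j="$jail/" 'index($2, j) == 1 { print $2 }' "${2:-/proc/mounts}" |
        LC_ALL=C sort -r
}

# Succeed only when nothing is mounted below the jail.
jail_is_clean() {
    [ -z "$(jail_mounts "$@")" ]
}

# Unmount everything below the jail in a safe order (needs root).
teardown_jail() {
    jail_mounts "$1" | while IFS= read -r mp; do
        umount "$mp" || return 1
    done
}

# Demo on the constructed table: lists sys, proc, dev/shm, dev/pts, dev.
sample_mounts | jail_mounts /root/container_test -
```

On the host, run jail_is_clean /root/container_test before any rm -rf of the jail directory, and teardown_jail first if it fails.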

Control Groups

After much development in Linux containers between 1979 and 2006, engineers at Google announced in 2006 the launch of process containers, designed for isolating and limiting the resource usage of a process. In late 2007, it was renamed to "control groups" to avoid confusion caused by the multiple meanings of the term container.

Cgroups allow processes to be grouped together and ensure that each group gets a share of memory, CPU and disk I/O, preventing any one container from monopolizing any of these resources.

A new container era, LXC, started after cgroups were merged into Linux kernel 2.6.24 in 2008. LXC stands for Linux Containers and provides virtualization at the operating system level by allowing multiple isolated Linux environments (containers) to run on a shared Linux kernel. Each of these containers has its own process and network space.

Docker

As of 2022, Docker is the most popular and widely used container management system. Docker was released as an open-source project in 2013. Docker provided the ability to package containers so that they could be moved from one environment to another.

Docker also used LXC in its initial stages and later replaced LXC with its own library called libcontainer, which enabled containers to work with Linux namespaces, control groups, capabilities, AppArmor security profiles, network interfaces, and firewall rules.
