COV882: Resource Virtualization With Containers

I semester: 2022-23

Tanu Malik

Class Timings: Tu: 6:00-7:15PM and Th: 6:30-7:45PM. (The course will begin from October 11^th)
Room: SIT 006

Overview

This course will provide an introduction to Linux containers, which isolate different system resources. It will provide a hands-on experience with the Linux infrastructure used for creating containers, provision containers with different resource requirements, and operate them in privileged and non-privileged settings. The overall goal is to develop a deeper knowledge of Linux system calls and appreciation of systems concepts of isolation and file layering. We will also examine alternative isolation (e.g., chroot, seccomp, ebpf) and file layering approaches.

Textbooks and notes

Michael Kerrisk, The Linux Programming Interface: A Linux and UNIX System Programming Handbook. No Starch Press; 1st edition. TLPI ISBN-13: 978-1593272203

Lecture Schedule

The material to be covered in this course is divided into 5 lectures of 2.5 hours per week followed by an exam. A lecture overview is provided.
If there is interest, additional units may be covered^*.

Unit 1

Reading: TLPI 2.1, 2.7, 3.1, 3.2, 4.1-4.8.
Topics: Introduction: Difference between abstraction vs virtualization. Difference between virtualization and containers. The Linux user vs kernel mode. System calls and errors. Quick review of some system calls via an example.
U1-Intro
U1-Syscalls
U1-Programs
HW1

Unit 2

Reading: TLPI 2.4, 18.1, 18.2, 38.1, 38.2, 39.1-39.3
Topics: Resource protection. Permissions, Principle of Privilege. Privileged process. Acquiring Privileges. User and Group IDs. Setuid bit. The chroot jail. Breaking the jail via symbolic and hard links.
U2-Isolation
U2-Previleges
U2-Programs
HW2

Unit 3

Reading: TLPI 28.2-4. LWN Namespace Part1-6
Topics: Namespaces. System calls for namespace management: clone, setns, unshare. Different types of namespaces. Examples. Orphans and Zombies. Nested namespaces.
U3-PID Namespace
U3-User Namespace
U3-Programs
HW3

Unit 4

Reading: TLPI 14.7-9. LWN Namespace series: Part 8-9
Topics: Storage in containers. Mount Namespaces. Shared subtrees. Bindable Vs unbindable mounts. Union mounts. Layering in Docker. Pivoting root vs chrooting. A bare bones container.
U4-MNT Namespace
U4-MNT Namespace
U4-Programs
HW4

Unit 5

Reading: LWN Namespace series: Part 7. TLPI Appendix A.
Topics: Network and IPC Namespaces. Other isolation methods. Use of containers for research.
U5-NET Namespace and CGroups
U5-Advanced Isolation
U5-Programs
HW5

^* If a student is interested, the instructor will also carry out small projects with them.

Homeworks

Homeworks must be accomplished on VMs allocated via Baadal. Please request a VM on Baadal. The VM details and supervisor id is shared via the course mailing list.

Prerequisites

Operating Systems.
Programming skill. Comfortable with C and GDB. High comfort level with basic UNIX/Linux shell commands.

Evaluation

Homework: 50%
Exam: 50%

Tanu Malik