COV882: Resource Virtualization With Containers
I semester: 2022-23
Class Timings: Tu: 6:00-7:15PM and Th: 6:30-7:45PM. (The course will begin from October 11th)
Room: SIT 006
This course will provide an introduction to Linux containers, which isolate different system resources.
It will provide hands-on experience with the Linux infrastructure used to create containers, provision
them with different resource requirements, and operate them in privileged and non-privileged
settings. The overall goal is to develop a deeper knowledge of Linux system calls and an appreciation
of the systems concepts of isolation and file layering. We will also examine alternative isolation mechanisms (e.g., chroot, seccomp, eBPF)
and file layering approaches.
Textbooks and notes
- Michael Kerrisk, The Linux Programming Interface: A Linux and UNIX System Programming Handbook (TLPI). No Starch Press, 1st edition. ISBN-13: 978-1593272203
The material to be covered in this course is divided into 5 lectures (2.5 lecture hours per week), followed by an exam.
A lecture overview is provided below.
If there is interest, additional units may be covered*.
- Reading: TLPI 2.1, 2.7, 3.1, 3.2, 4.1-4.8.
- Topics: Introduction: Difference between abstraction vs virtualization. Difference between virtualization and containers.
The Linux user vs kernel mode. System calls and errors. Quick review of some system calls via an example.
- Reading: TLPI 2.4, 18.1, 18.2, 38.1, 38.2, 39.1-39.3
- Topics: Resource protection. Permissions and the principle of least privilege. Privileged processes. Acquiring privileges.
User and group IDs. The setuid bit. The chroot jail. Breaking the jail via symbolic and hard links.
- Reading: TLPI 28.2-4. LWN namespaces series, Parts 1-6
- Topics: Namespaces. System calls for namespace management: clone, setns, unshare. Different types of namespaces. Examples. Orphans and zombies. Nested namespaces.
- U3-PID Namespace
- U3-User Namespace
- Reading: TLPI 14.7-9. LWN namespaces series, Parts 8-9
- Topics: Storage in containers. Mount namespaces. Shared subtrees. Bindable vs unbindable mounts. Union mounts. Layering in Docker. pivot_root vs chroot. A bare bones container.
- U4-MNT Namespace
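The namespace unit (clone, PID and user namespaces) and the mount unit (mount namespaces, pivot_root vs chroot, a bare bones container) meet in the program below. It is a worked example added here; it is not course material from the page or code written by the instructor. Assumptions, all mine: the program runs as an unprivileged user on a kernel that permits unprivileged user namespaces, /tmp is writable, and the hostname "cov882-box" is an arbitrary choice. One clone() creates user, PID, mount and UTS namespaces; the parent maps its own uid/gid to 0 inside the child, and the child mounts a tmpfs, pivot_roots onto it, detaches the old root and reports what it sees. When the host forbids unprivileged namespaces (seccomp, sysctl, AppArmor), the failure is reported with its errno rather than hidden.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/mount.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/vfs.h>
#include <sys/wait.h>
#ifndef TMPFS_MAGIC
#define TMPFS_MAGIC 0x01021994            /* value from <linux/magic.h> */
#endif
#define STACK_SIZE (1024 * 1024)
#define HOSTNAME "cov882-box"             /* assumed hostname for the new UTS namespace */

struct report {                           /* what the child observes from inside its namespaces */
    pid_t pid_inside; char hostname[64];  /* getpid() in the new PID namespace; UTS hostname */
    int root_is_tmpfs, step_failed;       /* "/" is our tmpfs; 0 or errno of the first failing step */
};
struct result { int clone_err; struct report rep; };   /* clone_err: 0, or errno from clone() */
struct child_args { const char *newroot; int sync_fd[2]; int rep_fd[2]; };

static int child_main(void *p) {
    struct child_args *a = p;
    struct report r = {0}; char c;
    r.pid_inside = getpid();                        /* 1: this process is init of its PID namespace */
    close(a->sync_fd[1]); close(a->rep_fd[0]);      /* drop inherited pipe ends so EOF can arrive */
    (void)!read(a->sync_fd[0], &c, 1);              /* block until the parent has written uid/gid maps */
    if (mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL) < 0 ||    /* no propagation back to the host */
        mount("tmpfs", a->newroot, "tmpfs", 0, "mode=755") < 0 ||  /* pivot_root needs a mount point */
        chdir(a->newroot) < 0 || mkdir("old_root", 0700) < 0 ||
        syscall(SYS_pivot_root, ".", "old_root") < 0 ||             /* "/" becomes the tmpfs */
        chdir("/") < 0 ||
        umount2("/old_root", MNT_DETACH) < 0 || rmdir("/old_root") < 0 ||  /* old root gone: no chroot-style escape */
        sethostname(HOSTNAME, strlen(HOSTNAME)) < 0) {
        r.step_failed = errno;
    } else {
        struct statfs sf;
        r.root_is_tmpfs = statfs("/", &sf) == 0 && sf.f_type == TMPFS_MAGIC;
        gethostname(r.hostname, sizeof r.hostname - 1);
    }
    (void)!write(a->rep_fd[1], &r, sizeof r);
    return 0;
}
/* One line into /proc/<pid>/{uid_map,gid_map,setgroups}; an unprivileged parent may map only its own id. */
static void write_proc(pid_t pid, const char *file, const char *line) {
    char path[64];
    snprintf(path, sizeof path, "/proc/%d/%s", (int)pid, file);
    int fd = open(path, O_WRONLY);
    if (fd >= 0) { (void)!write(fd, line, strlen(line)); close(fd); }
}

struct result run_bare_container(void) {
    struct result res = {0};
    char dir[] = "/tmp/cov882-rootXXXXXX";            /* scratch directory that becomes the new root */
    struct child_args a;
    if (!mkdtemp(dir) || pipe(a.sync_fd) < 0 || pipe(a.rep_fd) < 0) { res.clone_err = errno; return res; }
    a.newroot = dir;
    char *stack = malloc(STACK_SIZE), map[32];
    /* CLONE_NEWUSER first, so the PID, mount and UTS namespaces need no root on the host. */
    pid_t pid = clone(child_main, stack + STACK_SIZE,
                      CLONE_NEWUSER | CLONE_NEWPID | CLONE_NEWNS | CLONE_NEWUTS | SIGCHLD, &a);
    if (pid < 0) {
        res.clone_err = errno;                        /* EPERM/EINVAL/ENOSYS: the host forbids namespaces */
    } else {
        snprintf(map, sizeof map, "0 %u 1", (unsigned)getuid());
        write_proc(pid, "uid_map", map);
        write_proc(pid, "setgroups", "deny");         /* required before gid_map since Linux 3.19 */
        snprintf(map, sizeof map, "0 %u 1", (unsigned)getgid());
        write_proc(pid, "gid_map", map);
    }
    close(a.sync_fd[1]); close(a.rep_fd[1]);          /* EOF on the sync pipe releases the child */
    if (pid >= 0) {
        if (read(a.rep_fd[0], &res.rep, sizeof res.rep) != (ssize_t)sizeof res.rep) res.rep.step_failed = EPIPE;
        waitpid(pid, NULL, 0);
    }
    close(a.sync_fd[0]); close(a.rep_fd[0]); free(stack);
    rmdir(dir);                                       /* the parent's mount namespace never saw the tmpfs */
    return res;
}
enum outcome { OUTCOME_OK, OUTCOME_HOST_FORBIDS, OUTCOME_BROKEN };  /* worked / host disallows namespaces / defect */
enum outcome classify(const struct result *r) {
    int e = r->clone_err ? r->clone_err : r->rep.step_failed;
    if (e == 0) return (r->rep.pid_inside == 1 && r->rep.root_is_tmpfs) ? OUTCOME_OK : OUTCOME_BROKEN;
    return (e == EPERM || e == EACCES || e == EINVAL || e == ENOSYS || e == ENOSPC || e == EUSERS || e == EROFS)
           ? OUTCOME_HOST_FORBIDS : OUTCOME_BROKEN;
}
int main(void) {
    struct result r = run_bare_container();
    if (classify(&r) != OUTCOME_OK) { printf("no container: %s\n", strerror(r.clone_err ? r.clone_err : r.rep.step_failed)); return 1; }
    printf("pid inside=%d root is tmpfs=%d hostname=%s\n", (int)r.rep.pid_inside, r.rep.root_is_tmpfs, r.rep.hostname);
    return 0;
}
```

Build with `gcc -Wall -o bare bare.c` and run as a normal user; on a permissive host it prints pid 1, a tmpfs root and the new hostname, while inside a Docker container with the default seccomp profile clone() itself fails with EPERM. The pivot_root/umount2 pair is the point of contrast with chroot: after the old root is detached there is no directory left in the mount namespace from which a retained file descriptor could climb out, whereas a chroot only moves the process's root pointer and leaves the rest of the tree mounted.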
* If a student is interested, the instructor will also carry out small projects with them.
Homework must be done on VMs allocated via Baadal. Please request a VM on Baadal; the VM details and supervisor ID are shared via the course mailing list.
Prerequisites
- Operating Systems.
- Programming skill. Comfortable with C and GDB. High comfort level with basic UNIX/Linux usage.