mincs
play

MINCS - The Container in the Shell (script) - Masami Hiramatsu - PowerPoint PPT Presentation

Jan 08, 2024 •421 likes •911 views

MINCS - The Container in the Shell (script) - Masami Hiramatsu <masami.hiramatsu@linaro.org> Tech Lead, Linaro Ltd. Open Source Summit Japan 2017 LEADING COLLABORATION IN THE ARM ECOSYSTEM Who am I... Masami Hiramatsu - Linux

  1. MINCS - The Container in the Shell (script) - Masami Hiramatsu <masami.hiramatsu@linaro.org> Tech Lead, Linaro Ltd. Open Source Summit Japan 2017 LEADING COLLABORATION IN THE ARM ECOSYSTEM

  2. Who am I... Masami Hiramatsu - Linux kernel kprobes maintainer - Working for Linaro as a Tech Lead LEADING COLLABORATION IN THE ARM ECOSYSTEM

  3. Demo # minc top # minc -r /opt/debian/x86_64 # minc -r /opt/debian/arm64 --arch arm64 LEADING COLLABORATION IN THE ARM ECOSYSTEM

  4. What Is MINCS? My Personal Fun Project to learn how linux containers work :-) LEADING COLLABORATION IN THE ARM ECOSYSTEM

  5. What Is MINCS? Mini Container Shell Scripts (pronounced ‘minks’) - Container engine implementation using POSIX shell scripts - It is small (~60KB, ~2KLOC) (~20KB in minimum) - It can run on busybox - No architecture dependency (* except for qemu/um mode) - No need for special binaries (* except for libcap, just for capsh --exec) - Main Features - Namespaces (Mount, PID, User, UTS, Net*) - Cgroups (CPU, Memory) - Capabilities - Overlay filesystem - Qemu cross-arch/system emulation - User-mode-linux - Image importing from dockerhub And all are done by CLI commands :-) LEADING COLLABORATION IN THE ARM ECOSYSTEM

  6. Why Shell Script? That is my favorite language :-) - Easy to understand for *nix administrators - Just a bunch of commands - Easy to modify - Good for prototyping - Easy to deploy - No architecture dependencies - Very small - Able to run on busybox (+ libcap is perfect) LEADING COLLABORATION IN THE ARM ECOSYSTEM

  7. MINCS Use-Cases For Learning - Understand how containers work For Development - Prepare isolated (cross-)build environment For Testing - Test new applications in isolated environment - Test new kernel features on qemu using local tools For products? - Maybe good for embedded devices which has small resources LEADING COLLABORATION IN THE ARM ECOSYSTEM

  8. What Is A Linux Container? There are many linux container engines - Docker, LXC, rkt, runc, ... They are using similar/same technologies provided by Linux kernel - Namespace - Cgroups - Capabilities and/or LSM They also need other common techniques - Bind mount - Layered (snapshot) file-system - chroot/pivot_root LEADING COLLABORATION IN THE ARM ECOSYSTEM

  9. MINCS Internal MINCS Design Minc boot process step by step LEADING COLLABORATION IN THE ARM ECOSYSTEM

  10. MINCS Design MINCS has 2 layers - Frontend Tools, parse options and run backend library scripts - Minc - Marten - Polecat Backend Library scripts, do actual work - - Shell scripts start with minc-*, installed under libexec/ Frontends Backends polecat call minc-cage minc-coat etc... minc minc-leash marten minc-farm LEADING COLLABORATION IN THE ARM ECOSYSTEM

  11. Overview of MINC boot process Minc container takes 5 major steps to boot. 1. Parse parameters and setup working area 2. Setup outside resource limitation 3. Change namespace 4. Preparing new world 5. Dive into the new world LEADING COLLABORATION IN THE ARM ECOSYSTEM

  12. Overview of MINC boot process Minc container takes 5 major steps to boot. minc 1. Parse parameters and setup working area minc-exec 2. Setup outside resource limitation Related scripts minc-cage for each phase 3. Change namespace minc-core 4. Preparing new world minc-coat 5. Dive into the new world minc-leash LEADING COLLABORATION IN THE ARM ECOSYSTEM

  13. Structure: Building Container Like a Parfait! Build it from bottom :) Your application Chroot/Capsh Sysfs & tmpfs Namespace & cgroups procfs Device files Custom bind mount Layered filesystem Pidfile LEADING COLLABORATION IN THE ARM ECOSYSTEM

  14. Code commentary of MINCS Let’s see how minc boot into a container. - Start from simplest case, and see how optional features are enabled. - Not from the code, but from the execution log. $ sudo minc --debug echo “hello mincs” + export MINC_DEBUG=1 + [ 2 -ne 0 ] + cmd=echo + break Comments mostly + TRAPCMD= explain what happens :-) + [ -z ] + : + : Setup temporary working directory for this container + : + [ -z ] + mktemp -d /tmp/minc1505-XXXXXX + export MINC_TMPDIR=/tmp/minc1505-EaRzSD + : + : Trap the program exit and remove the working directory + : LEADING COLLABORATION IN THE ARM ECOSYSTEM

  15. Step 1 Parse parameters and setup temporary working directory as below; + export MINC_DEBUG=1 + [ 2 -ne 0 ] + cmd=echo + break + TRAPCMD= + [ -z ] + : + : Setup temporary working directory for this container + : + [ -z ] Make a directory and + mktemp -d /tmp/minc2798-XXXXXX remove it when exit. + export MINC_TMPDIR=/tmp/minc2798-ZtvWh7 + : + : Trap the program exit and remove the working directory + : + [ 0 -eq 0 ] And call minc-exec as a + TRAPCMD=rm -rf /tmp/minc2798-ZtvWh7 child process + trap rm -rf /tmp/minc2798-ZtvWh7 EXIT + trap INT + /usr/local/libexec/minc-exec echo hello mincs LEADING COLLABORATION IN THE ARM ECOSYSTEM

  16. Step 2 Setup outside resource limitation (normally, minc does nothing.) + : + : Ensure parameters are set + : + test / -a -d /tmp/minc2798-ZtvWh7 + [ ] + TRAPCMD= + IP_NETNS= + [ ] + /usr/local/libexec/minc-cage --prepare 2803 + CAGECMD= + [ ] + : Remove pid file after exit + : Prepare cleanup commands (pid file will be made in phase4) + : + trap INT + trap rm -f /tmp/minc2798-ZtvWh7/pid; EXIT LEADING COLLABORATION IN THE ARM ECOSYSTEM

  17. Step 3 Enter new namespace using “unshare” command + : + : Enter new namespace and execute command Invoke unshare with + : minc-core as a child + UNSHARE_OPT= process + [ ] + unshare -iumpf /usr/local/libexec/minc-core echo hello mincs At this moment, minc and minc-exec will wait for container exit as parent process Fork Unshare minc-exec minc-core & wait & wait (current) Minc (parent) PID=1 in this (grand parent) Cleanup pidfile namespace Cleanup tempdir LEADING COLLABORATION IN THE ARM ECOSYSTEM

  18. Step 4 Biggest part of this process, minc-core does the followings 1. Save PID in pidfile 2. Make a private mount namespace 3. Mount layered filesystem as a new rootfs 4. Setup new rootfs a. Bind user-defined mountpoints b. Prepare device files under /dev c. Prepare special files in /proc d. Prepare sysfs and tmpfs 5. Kick the minc-leash to phase-5 LEADING COLLABORATION IN THE ARM ECOSYSTEM

  19. Step 4 - 1 Save PID in Pidfile Access /proc/self to get self PID of outside of namespace (since $$ is 1) + : + : Get the PID in parent namespace from procfs + : (At this point, we still have the procfs in original namespace) + : + cut -f 4 -d /proc/self/stat Get the PPID of ‘cut’ command + export MINC_PID=2810 == PID of this script + echo 2810 NOTE: Until remounting /proc, original procfs instance is shown in new PID namespace. LEADING COLLABORATION IN THE ARM ECOSYSTEM

  20. Step 4 - 2 Make mount namespace private Mount operation is shared across namespaces by default - --make-rprivate makes it private recursively under given mountpoint + : + : Make current mount namespace private + : + mount --make-rprivate / + : + : Do not update /etc/mtab since the mount is private + : + export LIBMOUNT_MTAB =/proc/mounts LIBMOUNT_MTAB env-var is used for updating mtab file, so it also should be hidden. LEADING COLLABORATION IN THE ARM ECOSYSTEM

  21. Step 4 - 3 Mount Layered Root Filesystem Mount new rootfs under working directory using overlayfs + : Tempdir Rootdir + : Setup overlay rootfs by minc-coat + : + /usr/local/libexec/minc-coat bind /tmp/minc2798-ZtvWh7 / [...] + : + : Make working sub-directories + : RD is mountpoint, UD is for upper layer, WD is working space + : + RD=/tmp/minc2798-ZtvWh7/root Overlayfs requires upper, lower and workdir + UD=/tmp/minc2798-ZtvWh7/storage + WD=/tmp/minc2798-ZtvWh7/work + mkdir -p /tmp/minc2798-ZtvWh7/root /tmp/minc2798-ZtvWh7/storage /tmp/minc2798-ZtvWh7/work + : + : Mount overlayed root directory Mounts given rootfs on tempdir/root + : + mount -t overlay -o upperdir=/tmp/minc2798-ZtvWh7/storage,lowerdir= / ,workdir=/tmp/minc2798-ZtvWh7/work overlayfs /tmp/minc2798-ZtvWh7/root LEADING COLLABORATION IN THE ARM ECOSYSTEM

  22. Step 4 - 4 Setup New Rootfs (1) Setup /dev directory + : + : Prepare root directory + : + RD=/tmp/minc2798-ZtvWh7/root + mkdir -p /tmp/minc2798-ZtvWh7/root/etc /tmp/minc2798-ZtvWh7/root/dev /tmp/minc2798-ZtvWh7/root/sys /tmp/minc2798-ZtvWh7/root/proc [...] + : + : Make a fake /dev directory Mount devpts for hide host pty + : + mount -t tmpfs tmpfs /tmp/minc2798-ZtvWh7/root/dev + mkdir /tmp/minc2798-ZtvWh7/root/dev/pts + [ ] + mount devpts -t devpts -onoexec,nosuid,gid=5,mode=0620,newinstance,ptmxmode=0666 /tmp/minc2798-ZtvWh7/root/dev/pts + ln -s /dev/pts/ptmx /tmp/minc2798-ZtvWh7/root/dev/ptmx + : + : Bind fundamental device files to new /dev + : + bindmounts /dev/console /dev/null /dev/zero /dev/random /dev/urandom LEADING COLLABORATION IN THE ARM ECOSYSTEM

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Samantha Parfait, Indies Guercin and Emily Murdock Supporting Small Businesses Post COVID-19

Samantha Parfait, Indies Guercin and Emily Murdock Supporting Small Businesses Post COVID-19

Project Team: Valiant Visionaries Samantha Parfait, Indies Guercin and Emily Murdock Supporting Small Businesses Post COVID-19 BY: THE VALIANT VISIONARIES SAMANTHA PARFAIT, INDIES GUERCIN, &amp; EMILY MURDOCK OUR TOPIC The American Economy

440 views • 13 slides
Counters and Async Infrastructures Proposal for Code Contribution Guy Sela, Senior Engineer, HPE

Counters and Async Infrastructures Proposal for Code Contribution Guy Sela, Senior Engineer, HPE

Counters and Async Infrastructures Proposal for Code Contribution Guy Sela, Senior Engineer, HPE Who am I ? Senior Engineer at HPE Served as a developer and team leader at the Israeli NSA Developing software since 2004 E-mail:

496 views • 48 slides
Dial C for Cipher Le chiffrement etait presque parfait Thomas Baign` eres Matthieu Finiasz

Dial C for Cipher Le chiffrement etait presque parfait Thomas Baign` eres Matthieu Finiasz

Dial C for Cipher Le chiffrement etait presque parfait Thomas Baign` eres Matthieu Finiasz Selected Areas in Cryptography, 2006 T. Baign` eres, M. Finiasz (EPFL) Dial C for Cipher SAC 2006 1 / 1 A High Overview of C C : { 0 , 1 }

644 views • 41 slides
Querying Probabilistic Information Extraction Daisy Zhe Wang, Michael J. Franklin, Minos

Querying Probabilistic Information Extraction Daisy Zhe Wang, Michael J. Franklin, Minos

Querying Probabilistic Information Extraction Daisy Zhe Wang, Michael J. Franklin, Minos Garofalakis, Joseph M. Hellerstein VLDB, Singapore, 16 th September, 2010 Outline Information Extraction Systems Information Extraction (IE)

324 views • 29 slides
Genode Components Performance Penalty And Challenges FOSDEM Micro-kernel Devroom, 04/02/17

Genode Components Performance Penalty And Challenges FOSDEM Micro-kernel Devroom, 04/02/17

Dual Execution and Comparison For Genode Components Performance Penalty And Challenges FOSDEM Micro-kernel Devroom, 04/02/17 Parfait T okponnon Marc Lobelle mahoukpego.tokponnon@uclouvain.be marc.lobelle@uclouvain.be Outline 2

406 views • 29 slides
Big corporations: Friend, enemy or partner of the vegan movement? Renato Pichler,

Big corporations: Friend, enemy or partner of the vegan movement? Renato Pichler,

The economy: Our enemy? Big corporations: Friend, enemy or partner of the vegan movement? Renato Pichler, Swissveg-President Kurt Schmidinger, Founder Future Food Talk on Nov. 2017 for CARE in Vienna 1 Who we are Renato Pichler

541 views • 15 slides
arXiv:math/0509489v2 [math.AP] 21 Nov 2006 PERTURBATIONS JEAN-MARC BOUCLET AND NIKOLAY TZVETKOV

arXiv:math/0509489v2 [math.AP] 21 Nov 2006 PERTURBATIONS JEAN-MARC BOUCLET AND NIKOLAY TZVETKOV

STRICHARTZ ESTIMATES FOR LONG RANGE arXiv:math/0509489v2 [math.AP] 21 Nov 2006 PERTURBATIONS JEAN-MARC BOUCLET AND NIKOLAY TZVETKOV Abstract. We study local in time Strichartz estimates for the Schr odinger equa- tion associated to long

798 views • 41 slides
Using SMT Solver in Detection of Buffer Overflow Bugs Milena Vujo sevi cJani ci c

Using SMT Solver in Detection of Buffer Overflow Bugs Milena Vujo sevi cJani ci c

Using SMT Solver in Detection of Buffer Overflow Bugs Milena Vujo sevi cJani ci c Faculty of Mathematics, University of Belgrade Studentski trg 16, Belgrade, Serbia www.matf.bg.ac.yu/~milena Second Workshop on Formal and

453 views • 29 slides
Logic, language and the brain Michiel van Lambalgen Cognitive Science Center Amsterdam

Logic, language and the brain Michiel van Lambalgen Cognitive Science Center Amsterdam

Logic, language and the brain Michiel van Lambalgen Cognitive Science Center Amsterdam http://staff.science.uva.nl/michiell Aim and program aim: explain the use of computational logic in cognitive science the domain is language

472 views • 32 slides
CSE 331 Design Patterns 2: Prototype, Factory slides created by Marty Stepp based on materials

CSE 331 Design Patterns 2: Prototype, Factory slides created by Marty Stepp based on materials

CSE 331 Design Patterns 2: Prototype, Factory slides created by Marty Stepp based on materials by M. Ernst, S. Reges, D. Notkin, R. Mercer http://www.cs.washington.edu/331/ 1 Pattern: Prototype An object that serves as a basis for creation

717 views • 25 slides
(Abstract) neural representations of spaces and concepts Neil Burgess Institute of Cognitive

(Abstract) neural representations of spaces and concepts Neil Burgess Institute of Cognitive

UCL NEUROSCIENCE (Abstract) neural representations of spaces and concepts Neil Burgess Institute of Cognitive Neuroscience University College London SWC PhD program, October 2019 Abstract neural representations 1) Frames of reference for

897 views • 53 slides
Object Recognition Mark van Rossum School of Informatics, University of Edinburgh January 15,

Object Recognition Mark van Rossum School of Informatics, University of Edinburgh January 15,

Object Recognition Mark van Rossum School of Informatics, University of Edinburgh January 15, 2018 0 Based on slides by Chris Williams. Version: January 15, 2018 1 / 27 Overview Neurobiology of Vision Computational Object Recognition:

403 views • 26 slides
CONSCIOUSNESS IN AUTONOMOUS SYSTEMS UDT 2020 HANNAH THOMAS | Data Science Lead EMMA PARKIN |

CONSCIOUSNESS IN AUTONOMOUS SYSTEMS UDT 2020 HANNAH THOMAS | Data Science Lead EMMA PARKIN |

Use of U.S. DoD visual information does not imply or constitute DoD endorsement CONSCIOUSNESS IN AUTONOMOUS SYSTEMS UDT 2020 HANNAH THOMAS | Data Science Lead EMMA PARKIN | Technical Sales Support Engineer Definition of Consciousness the

236 views • 11 slides
1 Using incremental and/or composite sampling vastly improves the representaKveness of soil or

1 Using incremental and/or composite sampling vastly improves the representaKveness of soil or

1 Using incremental and/or composite sampling vastly improves the representaKveness of soil or sediment data. Why can I make that claim? 2 Using incremental and/or composite sampling vastly improves the representaKveness of soil or

470 views • 28 slides
ISO 22955 Acoustic quality of open office spaces Progress and content update The history The

ISO 22955 Acoustic quality of open office spaces Progress and content update The history The

ISO 22955 Acoustic quality of open office spaces Progress and content update The history The history ISO committee convened in December 2017 ISO TC/43 Meetings so far in Paris, London, Birmingham, Madrid and Amsterdam

733 views • 15 slides
Learning from Shadow Security: Why understanding non-compliant behaviors provides the basis

Learning from Shadow Security: Why understanding non-compliant behaviors provides the basis

Learning from Shadow Security: Why understanding non-compliant behaviors provides the basis for effective security USEC 2014, San Diego, USA February 23 rd , 2014 Iacovos Kirlappos Simon Parkin M. Angela Sasse University College London

704 views • 27 slides
The speaker has no conflict of Hamilton, B. &amp; Manias, E. 2008 Meechan et al (2006)

The speaker has no conflict of Hamilton, B. &amp; Manias, E. 2008 Meechan et al (2006)

APNA 30th Annual Conference Session 2033: October 20. 2016 Background Purpose of CSO: Provide safety for all patients and staff while a particular patient is at risk of harming themselves and/or others (Clinical Resource and Audit Group, 2002).

359 views • 6 slides
CSSE 232 Computer Architecture I Other Architectures 1 / 22 Class Status Reading for today

CSSE 232 Computer Architecture I Other Architectures 1 / 22 Class Status Reading for today

CSSE 232 Computer Architecture I Other Architectures 1 / 22 Class Status Reading for today 2.16-17 2 / 22 Outline Load-store Accumulator Memory-to-Memory Stack Advantages/Disadvantages 3 / 22 Load-Store architectures

676 views • 26 slides
Synchronous Distance Learning at the RCM *Tania Lisboa; **Matt Parkin * Research Fellow;

Synchronous Distance Learning at the RCM *Tania Lisboa; **Matt Parkin * Research Fellow;

Synchronous Distance Learning at the RCM *Tania Lisboa; **Matt Parkin * Research Fellow; Videoconferencing Projects Manager ** Senior Recording Engineer Overview RCM &amp; RDAM Synchronous Distance Learning programme Demonstration

338 views • 9 slides
Higher order topological insulators A paradigm for topological states of matter ( M ) =

Higher order topological insulators A paradigm for topological states of matter ( M ) =

Titus Neupert Yukawa Institute, Kyoto, November 03, 2017 Higher order topological insulators A paradigm for topological states of matter ( M ) = (the boundary of a boundary is empty) works when things are su ffi ciently smooth.

1.41k views • 31 slides
A case study of computational science in Jupyter notebooks Micromagnetic VRE - Hans Fangohr

A case study of computational science in Jupyter notebooks Micromagnetic VRE - Hans Fangohr

A case study of computational science in Jupyter notebooks Micromagnetic VRE - Hans Fangohr Brussels, 26 April 2017 Financial support from OpenDreamKit Horizon 2020, European Research Infrastructures project (#676541)

523 views • 28 slides
Deans List Fall 2016 McKell Adams Lindsey Bailey Kelly Bingham AnnaLyn Adams Jason

Deans List Fall 2016 McKell Adams Lindsey Bailey Kelly Bingham AnnaLyn Adams Jason

Deans List Fall 2016 McKell Adams Lindsey Bailey Kelly Bingham AnnaLyn Adams Jason Baldwin Brady Blackley Ilona Adams Carolyn Barclay Dusti Blair Erika Aland Ariane Barker Brysen Bodily Devan Alldredge Jacob Barker Kelli

396 views • 8 slides
Patient Participation Group Leadership Training Day Item Start Finish time time Introductions

Patient Participation Group Leadership Training Day Item Start Finish time time Introductions

Patient Participation Group Leadership Training Day Item Start Finish time time Introductions 10:00 10:30 What does Healthwatch do? 10:30 11:30 What does the Clinical Commissioning Group (CCG) do? What is the patients role? What else

725 views • 39 slides
A constraint driven metagrammar Joseph Le Roux (1) - Beno e (2) - Yannick Parmentier (3) t

A constraint driven metagrammar Joseph Le Roux (1) - Beno e (2) - Yannick Parmentier (3) t

A constraint driven metagrammar Joseph Le Roux (1) - Beno e (2) - Yannick Parmentier (3) t Crabb (1) Calligramme Project LORIA - INPL (2) HCRC / ICCS University of Edinburgh (3) Langue Et Dialogue Project INRIA / LORIA - UHP TAG+8

644 views • 32 slides

More recommend