Docker and runc
Hello and greetings,
I was asked a question: when you enter a command like "ls" inside a container, which process executes it? Is the container executing it, or is it the host on which the container is running?
Well, this question was asked by the Tech Lead of our team, and I researched it until I finally figured out some of it. I wanted to share this information with you.
To answer this question, we need to understand how a container is created at the lowest level. As the diagram shows, at the lowest stage of creating a container there is a tool called "runc" that is responsible for running containers at the operating system level. This tool is designed according to the OCI (Open Container Initiative) standards, which are defined by an international group of companies and organizations such as Google and Docker.
So, no matter which tool you use (Docker, Podman, etc.), in the end, "runc" is used to manage your containers.
The steps to create a container with runc that can only execute the "ls" command are as follows:
1. Create a directory named "container-1" anywhere, for example, in $HOME.
2. According to the standard, we need to place a config.json file with a specific format in the bundle, which is the directory we created in the previous step.

    {
      "ociVersion": "0.1.0",
      "root": {
        "path": "rootfs",
        "readonly": true
      }
    }

3. One of the parameters in the config file is "root", where we specify the rootfs path of our bundle. To do this, we create a subdirectory in our bundle and treat it as the rootfs.
- The rootfs is the root of the Linux filesystem as the container sees it, referred to as "/".
4. Now, in this directory, we will have a subdirectory named "bin" that contains the "ls" file in an executable format.
5. Another parameter is "process," which specifies which process to execute in our container at runtime.
6. Running the "runc create" command in this directory creates a set of Linux namespaces for the container; note that by default, the container is completely isolated.
7. After creating the container, we need to run the "runc start" command to execute the process in our container.
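Steps 1 to 7 as a shell script, added here as an example rather than the post's own script: it builds the bundle (the directory, a rootfs containing "ls" and the shared libraries it needs, and config.json) and, when RUN_WITH_RUNC=1 is set and runc is on PATH as root, performs the "runc create" and "runc start" steps. The bundle path, the ociVersion string, and every config.json field other than "root" and "process" (namespaces, env, cwd) are assumptions made for this example.

```shell
#!/bin/sh
# Build a minimal OCI bundle whose only program is "ls" (added example, not the post's script).
# Assumptions: bundle path, spec version, and all config.json fields beyond "root"/"process".
set -eu
BUNDLE="${BUNDLE:-$(mktemp -d)/container-1}"   # step 1: the bundle directory

make_bundle() {
  rootfs="$1/rootfs"                     # step 3: rootfs subdirectory inside the bundle
  mkdir -p "$rootfs/bin"
  ls_path="$(command -v ls)"
  cp "$ls_path" "$rootfs/bin/ls"         # step 4: rootfs/bin/ls
  # ls is normally dynamically linked; the container sees only rootfs as "/",
  # so the shared libraries it needs (listed by ldd) are copied in as well.
  if command -v ldd >/dev/null 2>&1; then
    ldd "$ls_path" 2>/dev/null | awk '/=>/ {print $3} /^[ \t]*\// {print $1}' |
    while read -r lib; do
      if [ -f "$lib" ]; then
        mkdir -p "$rootfs$(dirname "$lib")" && cp "$lib" "$rootfs$lib"
      fi
    done
  fi
  write_config "$1"                      # step 2 and 5: config.json with root and process
}

write_config() {
cat > "$1/config.json" <<'EOF'
{
  "ociVersion": "1.0.2",
  "process": { "terminal": false, "user": {"uid": 0, "gid": 0},
               "args": ["ls", "/"], "env": ["PATH=/bin"], "cwd": "/" },
  "root": { "path": "rootfs", "readonly": true },
  "linux": { "namespaces": [ {"type": "pid"}, {"type": "mount"}, {"type": "ipc"},
                             {"type": "uts"}, {"type": "network"} ] }
}
EOF
}

bundle_ok() {   # what runc needs from us: an executable ls and a config.json with a read-only root
  [ -x "$1/rootfs/bin/ls" ] && [ -f "$1/config.json" ] &&
    grep -q '"readonly": true' "$1/config.json"
}

run_container() {   # steps 6 and 7; requires root and runc on PATH
  runc create --bundle "$1" container-1
  runc start container-1
  runc delete --force container-1
}

make_bundle "$BUNDLE"
if [ "${RUN_WITH_RUNC:-0}" = 1 ]; then run_container "$BUNDLE"; else
  echo "bundle ready at $BUNDLE; set RUN_WITH_RUNC=1 to create and start it with runc"; fi
```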
In general, a container, with its cgroup and the namespaces created for it, is completely isolated. A container is exactly like any other Linux process, only fully isolated.
Therefore, when we enter the "ls" command inside this container, we are executing it in an isolated environment, as an isolated process.
I hope this explanation helps clarify the process of executing a command inside a container.