Quartz 4

Linux Containment Features

4 min read

The Linux kernel includes several mechanisms that enable process isolation and resource control, which collectively form the foundation for container technologies. These containment features allow for efficient OS-level virtualization without the overhead of full system virtualization.

Core Containment Mechanisms

1. chroot

The chroot system call, introduced in 1979 in UNIX Version 7, is the oldest isolation mechanism and a precursor to modern containerization:

  • Changes the apparent root directory for a process and its children
  • Limits a process’s view of the file system
  • Isolates file system access but doesn’t provide complete isolation
  • Used primarily for security and creating isolated build environments
# Example: Changing root directory for a process
sudo chroot /path/to/new/root command

2. Namespaces

Namespaces partition kernel resources so that one set of processes sees one set of resources while another set of processes sees a different set. Linux includes several types of namespaces:

PID Namespace

  • Isolates process IDs
  • Each namespace has its own process numbering, starting at PID 1
  • Processes in a namespace can only see other processes in the same namespace
  • Enables container restart without affecting other containers

Network Namespace

  • Isolates network resources
  • Each namespace has its own:
    • Network interfaces
    • IP addresses
    • Routing tables
    • Firewall rules
    • Port numbers

Mount Namespace

  • Isolates filesystem mount points
  • Each namespace has its own view of the filesystem hierarchy
  • Changes to mounts in one namespace don’t affect others
  • Fundamental for container filesystem isolation

UTS Namespace

  • Isolates hostname and domain name
  • Allows each container to have its own hostname
  • Named after UNIX Time-sharing System

IPC Namespace

  • Isolates Inter-Process Communication resources
  • Isolates System V IPC objects and POSIX message queues
  • Prevents processes in different namespaces from communicating via IPC

User Namespace

  • Isolates user and group IDs
  • A process can have root privileges within its namespace while having non-root privileges outside
  • Enhances container security

Time Namespace

  • Introduced in newer kernel versions
  • Allows containers to have their own system time

3. Control Groups (cgroups)

Control groups, or cgroups, provide mechanisms for:

  • Limiting resource usage (CPU, memory, I/O, network, etc.)
  • Prioritizing resource allocation
  • Measuring resource usage
  • Controlling process lifecycle

Cgroups organize processes hierarchically and distribute system resources along this hierarchy:

Cgroup Subsystems (Controllers)

  • cpu: Limits CPU usage
  • memory: Limits memory usage and reports memory resource usage
  • blkio: Limits block device I/O
  • devices: Controls access to devices
  • net_cls: Tags network packets for traffic control
  • freezer: Suspends and resumes processes
  • pids: Limits process creation

4. Capabilities

Linux capabilities divide the privileges traditionally associated with the root user into distinct units that can be independently enabled or disabled:

  • Allows for fine-grained control over privileged operations
  • Reduces the security risks of running processes as root
  • Examples of capabilities:
    • CAP_NET_ADMIN: Configure networks
    • CAP_SYS_ADMIN: Perform system administration operations
    • CAP_CHOWN: Change file ownership

5. Security Modules

Linux includes several security modules that can enhance container isolation:

SELinux (Security-Enhanced Linux)

  • Provides Mandatory Access Control (MAC)
  • Defines security policies that constrain processes
  • Labels files, processes, and resources, controlling interactions based on these labels

AppArmor

  • Path-based access control
  • Restricts programs’ capabilities using profiles
  • Simpler to configure than SELinux, used by default in Ubuntu

Seccomp (Secure Computing Mode)

  • Filters system calls available to a process
  • Prevents processes from making unauthorized system calls
  • Can be used with a whitelist or blacklist approach to control system call access
# Example: Activating seccomp profile in Docker
docker run --security-opt seccomp=/path/to/profile.json image_name

Implementation in Container Technologies

These Linux kernel features are used by container runtimes in various combinations:

  • LXC: Utilizes all these features directly with a focus on system containers
  • Docker: Builds upon these features with additional tooling and image management
  • Podman: Similar to Docker but with a focus on rootless containers using user namespaces
  • Kubernetes/CRI-O: Uses these features via container runtimes like containerd or CRI-O

Limitations and Considerations

Despite these isolation mechanisms, some limitations remain:

  1. Kernel Sharing: All containers share the host kernel, which means:

    • Kernel vulnerabilities affect all containers
    • Containers cannot run a different OS kernel than the host

  2. Resource Contention: Without proper cgroup configurations, noisy neighbors can still impact performance

  3. Security Concerns: Container escape vulnerabilities can potentially compromise the host

Graph View

Backlinks