{"id":13585480,"url":"https://github.com/saschagrunert/demystifying-containers","last_synced_at":"2025-04-04T13:13:18.651Z","repository":{"id":40724858,"uuid":"169597057","full_name":"saschagrunert/demystifying-containers","owner":"saschagrunert","description":"A series of blog posts and talks about the world of containers 📦","archived":false,"fork":false,"pushed_at":"2023-01-09T09:00:22.000Z","size":8076,"stargazers_count":720,"open_issues_count":0,"forks_count":76,"subscribers_count":39,"default_branch":"master","last_synced_at":"2024-10-11T23:43:21.293Z","etag":null,"topics":["blog","containerization","containers","linux","namespaces","runtimes","talks"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/saschagrunert.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2019-02-07T15:49:56.000Z","updated_at":"2024-10-08T16:39:39.000Z","dependencies_parsed_at":"2023-02-08T09:31:27.197Z","dependency_job_id":null,"html_url":"https://github.com/saschagrunert/demystifying-containers","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/saschagrunert%2Fdemystifying-containers","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/saschagrunert%2Fdemystifying-containers/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/saschagrunert%2Fdemystifying-containers/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/saschagrunert%2Fdemystifying-containers/manifests","owner_url":"http
s://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/saschagrunert","download_url":"https://codeload.github.com/saschagrunert/demystifying-containers/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247182401,"owners_count":20897381,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["blog","containerization","containers","linux","namespaces","runtimes","talks"],"created_at":"2024-08-01T15:04:58.086Z","updated_at":"2025-04-04T13:13:18.632Z","avatar_url":"https://github.com/saschagrunert.png","language":"Python","funding_links":[],"categories":["Python"],"sub_categories":[],"readme":"# Demystifying Containers\n\n![logo](logo-fit.png)\n\nThis series of blog posts and corresponding talks aims to provide you with a\npragmatic view on containers from a historical perspective. Together we will\ndiscover modern cloud architectures layer by layer, which means we will start at\nthe Linux Kernel level and end up writing our own secure cloud native\napplications.\n\nSimple examples paired with the historical background will guide you from the\nbeginning with a minimal Linux environment up to crafting secure containers,\nwhich fit perfectly into today’s and tomorrow’s orchestration world. 
In the end it\nshould be much easier to understand how features within the Linux kernel,\ncontainer tools, runtimes, software defined networks and orchestration software\nlike Kubernetes are designed and how they work under the hood.\n\n## Table of Contents\n\n- [Part I: Kernel Space](#part-i-kernel-space)\n- [Part II: Container Runtimes](#part-ii-container-runtimes)\n- [Part III: Container Images](#part-iii-container-images)\n- [Part IV: Container Security](#part-iv-container-security)\n\n## Part I: Kernel Space\n\nThis first blog post (and talk) is scoped to Linux kernel related topics, which\nwill provide you with the necessary foundation to build up a deep understanding\nabout containers. We will gain an insight into the history of UNIX and Linux and\ntalk about solutions like chroot, namespaces and cgroups, combined with hacking\nour own examples. Besides this, we will peel some containers to get a feeling\nabout future topics we will talk about.\n\nYou can find the blog post:\n\n- [on GitHub](part1-kernel-space/post.md)\n- [on CNCF](https://www.cncf.io/blog/2019/06/24/demystifying-containers-part-i-kernel-space)\n- [on Medium](https://medium.com/p/2c53d6979504)\n- [on SUSE](https://www.suse.com/c/demystifying-containers-part-i-kernel-space)\n\nThe corresponding talk:\n\n- [on Meetup](https://meetu.ps/e/GrmTm/CJqk6/f)\n- [on YouTube](https://youtu.be/Hb1bsfFyC-Q)\n\nThe slides of the talk:\n\n- [on Slides.com](https://slides.com/saschagrunert/demystifying-containers-part-i-kernel-space)\n\n## Part II: Container Runtimes\n\nThis second blog post (and talk) is primarily scoped to container runtimes, where\nwe will start with their historic origins before digging deeper into two\ndedicated projects: runc and CRI-O. We will initially build up a solid\nfoundation about how container runtimes work under the hood by starting with the\nlower level runtime runc. 
Afterwards, we will utilize the more advanced runtime\nCRI-O to run Kubernetes native workloads, but without even running Kubernetes at\nall.\n\nYou can find the blog post:\n\n- [on GitHub](part2-container-runtimes/post.md)\n- [on CNCF](https://www.cncf.io/blog/2019/07/15/demystifying-containers-part-ii-container-runtimes)\n- [on Medium](https://medium.com/p/e363aa378f25)\n- [on SUSE](https://www.suse.com/c/demystifying-containers-part-ii-container-runtimes)\n\nThe corresponding talk:\n\n- [on Meetup](http://meetu.ps/e/GPJ3T/tbX1P/f)\n- [on YouTube](https://youtu.be/UnnAhjJEdH4)\n\nThe slides of the talk:\n\n- [on Slides.com](https://slides.com/saschagrunert/demystifying-containers-part-ii-container-runtimes)\n\n## Part III: Container Images\n\nThis third blog post (and talk) will be all about container images. As usual, we\nstart with the historical background and the evolution of different container\nimage formats. Afterwards, we will check out what is inside the latest Open\nContainer Initiative (OCI) image specification by crafting, modifying and\npulling apart our self-built container image examples. Besides that, we will learn\nsome important best practices in modern container image creation by utilizing\ntools like buildah, podman and skopeo.\n\nYou can find the blog post:\n\n- [on GitHub](part3-container-images/post.md)\n- [on Medium](https://medium.com/p/244865de6fef)\n- [on SUSE](https://www.suse.com/c/demystifying-containers-part-iii-container-images)\n\nThe corresponding talk:\n\n- [on Meetup](https://www.meetup.com/de-DE/Linux-Meetup-Leipzig/events/263578530)\n- [on YouTube](https://youtu.be/zjUXCKKJb-E)\n\nThe slides of the talk:\n\n- [on Slides.com](https://slides.com/saschagrunert/demystifying-containers-part-iii-container-images)\n\n## Part IV: Container Security\n\nSecurity-related topics can be overwhelming, especially when we’re talking\nabout the fast-paced container ecosystem. 
After encountering multiple security\nvulnerabilities in 2019, the press is now questioning whether containers are secure\nenough for our applications and whether switching from Virtual Machines (VMs) to\ncontainer-based workloads is really a good idea. Technologies like micro VMs\naim to add an additional layer of security to sensitive applications.\n\nBut is security really a problem when speaking about running applications\ninside containers? It indeed is, if we do not fully understand the implications of the\nsecurity-related possibilities we can apply or if we don’t use them at all.\n\nIn this blog post, we will discover the bright world of container security in a\npragmatic way. We will learn about relatively low-level security mechanisms\nlike Linux [capabilities][40] or [seccomp][41], but also about fully featured\nsecurity enhancements like [SELinux][42] and [AppArmor][43]. We’ll have the\nchance to build up a common ground of understanding around container security.\nBesides that, we will take a look into securing container workloads at a higher\nlevel inside [Kubernetes][44] clusters by using [Pod Security Policies][45] and\nby securing the container images themselves. To achieve all of this, we will verify\nthe results of our experiments by utilizing end-user applications like\nKubernetes and [Podman][46].\n\n[40]: http://man7.org/linux/man-pages/man7/capabilities.7.html\n[41]: https://en.wikipedia.org/wiki/Seccomp\n[42]: https://en.wikipedia.org/wiki/Security-Enhanced_Linux\n[43]: https://en.wikipedia.org/wiki/AppArmor\n[44]: https://kubernetes.io\n[45]: https://kubernetes.io/docs/concepts/policy/pod-security-policy\n[46]: https://podman.io\n\nYou can find the blog post:\n\n- [on GitHub](part4-container-security/post.md)\n- [on SUSE](https://www.suse.com/c/demystifying-containers-part-iv-container-security)\n\n---\n\n## Part X\n\nFurther parts of the series are not available yet.\n\n# Contributing\n\nYou want to contribute to this project? Wow, thanks! 
So please just fork it and\nsend me a pull request.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsaschagrunert%2Fdemystifying-containers","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsaschagrunert%2Fdemystifying-containers","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsaschagrunert%2Fdemystifying-containers/lists"}