How Container Filesystem Works: Building a Docker-Like Container from Scratch
- #container-filesystem
- #linux-namespaces
- #docker-internals
- Containers provide an isolated filesystem view, which is what allows a container to run a different Linux distribution than the host.
- Key Linux tools for container filesystem isolation include `unshare`, `mount`, and `pivot_root`.
- Mount namespaces are fundamental to container isolation, with other namespaces (PID, cgroup, UTS, network) playing supporting roles.
- Mount propagation types (shared, private, slave) control how mount events are propagated between namespaces.
- `pivot_root` is a safer alternative to `chroot` for switching root filesystems in containers.
- Container root filesystems require preparation of pseudo filesystems like `/proc`, `/dev`, and `/sys`.
- Special files (`/etc/hosts`, `/etc/hostname`, `/etc/resolv.conf`) are customized per container.
- Hardening container filesystems involves making sensitive paths read-only or masking them.
- Bind mounts and volumes allow sharing host files and folders with containers.
- Union filesystems like `overlayfs` are optional for containers but used by Docker for efficiency.
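The tools listed above put together, as an added example that is not code from the original post: a shell script that lays out a rootfs skeleton with per-container identity files, then enters new mount, UTS and PID namespaces, makes propagation private, pivots into the new root, mounts `/proc`, `/sys` and a fresh `/dev`, and masks or read-only-remounts the usual sensitive kernel paths. It assumes a distribution root filesystem has already been unpacked into the directory given as the first argument, and that `run_container` runs as root (or in a user namespace granting CAP_SYS_ADMIN); the nameserver address is a constructed value.

```bash
#!/bin/sh
# Minimal container from the notes' three tools: unshare, mount and pivot_root.
# Assumes a distro rootfs is already unpacked under $1 and that run_container
# is invoked as root (or in a user namespace that grants CAP_SYS_ADMIN).
set -eu

# Mount points and per-container identity files; needs no privileges.
prepare_rootfs() {
    rootfs="$1"; name="$2"
    mkdir -p "$rootfs/proc" "$rootfs/sys" "$rootfs/dev" "$rootfs/etc" "$rootfs/oldroot"
    echo "$name" > "$rootfs/etc/hostname"
    printf '127.0.0.1 localhost\n127.0.1.1 %s\n' "$name" > "$rootfs/etc/hosts"
    echo "nameserver 10.0.0.53" > "$rootfs/etc/resolv.conf"   # constructed resolver address
}

# Kernel interfaces a runtime hides (masked) or exposes read-only inside the container.
masked_paths()   { printf '%s\n' /proc/kcore /proc/sysrq-trigger /sys/firmware; }
readonly_paths() { printf '%s\n' /proc/sys /proc/bus /proc/irq; }

# Runs inside the new mount, UTS and PID namespaces created by run_container.
inner='set -e; rootfs="$1"; shift
mount --make-rprivate /                        # private propagation: nothing we mount reaches the host
mount --bind "$rootfs" "$rootfs"               # pivot_root requires the new root to be a mount point
cd "$rootfs" && pivot_root . oldroot && cd /   # swap roots; the host root stays visible at /oldroot
mount -t proc  -o nosuid,nodev,noexec proc  /proc   # reflects the new PID namespace
mount -t sysfs -o ro,nosuid,nodev,noexec sysfs /sys
mount -t tmpfs -o nosuid,mode=755 tmpfs /dev        # fresh /dev with a few device nodes
mknod -m 666 /dev/null c 1 3; mknod -m 666 /dev/zero c 1 5; mknod -m 666 /dev/urandom c 1 9
for p in '"$(masked_paths | tr '\n' ' ')"'; do        # directories get an empty ro tmpfs, files /dev/null
    if [ -d "$p" ]; then mount -t tmpfs -o ro tmpfs "$p"; else mount --bind /dev/null "$p"; fi
done
for p in '"$(readonly_paths | tr '\n' ' ')"'; do      # bind over itself, then remount read-only
    mount --bind "$p" "$p" && mount -o remount,bind,ro "$p"
done
hostname "$(cat /etc/hostname)"        # UTS namespace: the hostname change stays inside
umount -l /oldroot && rmdir /oldroot   # drop the host view before handing over control
exec "$@"'

run_container() {
    rootfs="$1"; shift
    unshare --mount --uts --pid --fork sh -c "$inner" sh "$rootfs" "$@"
}

# Usage: ./container.sh ./rootfs /bin/sh
if [ "$#" -ge 2 ]; then
    prepare_rootfs "$1" ctr-demo
    run_container "$@"
fi
```

Commands executed after `pivot_root` (`mount`, `mknod`, `hostname`, `umount`) are resolved from the new root, so the unpacked rootfs must provide them.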