Basic knowledge (this section is taken from http://www.54chen.com/architecture/cloud-foundry-warden-part1.html)
rv = unshare(CLONE_NEWNS);
unshare(): with CLONE_NEWNS the calling process gets its own mount namespace, so filesystems mounted afterwards are visible only inside that new mount namespace.
execvp(argv[0], argv);
execvp() searches the directories listed in the PATH environment variable for a file whose name matches the first argument, executes that file, and passes the second argument argv to it as its argument vector.
shopt -s nullglob
When the shell option nullglob is on, a wildcard pattern that matches nothing expands to nothing (by default the unmatched pattern is left as the literal pattern text).
int stat(const char *restrict pathname, struct stat *restrict buf);
Given a path name, fills buf with the corresponding attributes of the file.
The build-essential package
Its role is to provide the list of packages required to compile programs. Only when this package is installed does the compiler know where the header files and library functions are; the dependent packages are downloaded and together form a development environment.
The debootstrap tool
It installs a basic system into a directory of the running system. Apart from some configuration items, this basic system is essentially the same as what the Ubuntu installer produces in its first phase. This has many interesting uses: for example, it can quickly install Ubuntu onto a hard disk from a customised Ubuntu live CD without the Ubuntu installer, and the basic system directory created on the hard disk can serve as a chroot environment for system security services, where you chroot into the directory to debug and run applications that may modify the system configuration, or as a template for a customised small system.
aufs
A union filesystem that can be mounted on a directory while controlling which layers are read-only and which are read/write.
overlayfs
Another union filesystem, which replaced aufs as the official live CD filesystem after Ubuntu 11.04.
Cgroup initialization
The initialization script is:

cgroup_path=/sys/fs/cgroup

mount -t tmpfs none $cgroup_path

for subsystem in cpu cpuacct devices memory
do
  mkdir -p $cgroup_path/$subsystem

  if ! grep -q "${cgroup_path}/$subsystem" /proc/mounts
  then
    mount -t cgroup -o $subsystem none $cgroup_path/$subsystem
  fi
done
After the preceding script has run, you can view the mount result:

# grep '^cgroup' /proc/mounts
cgroups /sys/fs/cgroup tmpfs rw,relatime,mode=755 0 0
cgroup /sys/fs/cgroup/cpu cgroup rw,relatime,cpu 0 0
cgroup /sys/fs/cgroup/cpuacct cgroup rw,relatime,cpuacct 0 0
cgroup /sys/fs/cgroup/devices cgroup rw,relatime,devices 0 0
cgroup /sys/fs/cgroup/memory cgroup rw,relatime,memory 0 0
cgroup /sys/fs/cgroup/freezer cgroup rw,relatime,freezer 0 0
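The script above decides whether a subsystem is already mounted with a plain grep for the path string in /proc/mounts, which is a substring test: with "cpu" it also matches "/sys/fs/cgroup/cpuacct" or "/sys/fs/cgroup/cpuset". The following example, added here and not part of the original page or of Warden, shows the difference on a constructed /proc/mounts excerpt and a dry-run version of the loop that matches the mount-point column exactly instead.

```shell
#!/bin/sh
# Constructed /proc/mounts excerpt: cpuacct and cpuset are mounted, cpu is not.
sample_mounts() {
  cat <<'EOF'
cgroups /sys/fs/cgroup tmpfs rw,relatime,mode=755 0 0
cgroup /sys/fs/cgroup/cpuacct cgroup rw,relatime,cpuacct 0 0
cgroup /sys/fs/cgroup/cpuset cgroup rw,relatime,cpuset 0 0
EOF
}

# substring_check MOUNTS_FILE PATH: the page's test, a plain grep for the path text.
substring_check() {
  grep -q "$2" "$1"
}

# mountpoint_check MOUNTS_FILE PATH: true only if PATH equals the mount-point
# column (field 2) of some line, so /sys/fs/cgroup/cpu no longer matches cpuacct.
mountpoint_check() {
  awk -v mp="$2" '$2 == mp { found = 1 } END { exit !found }' "$1"
}

# plan_cgroup_mounts MOUNTS_FILE CGROUP_PATH SUBSYSTEM...: dry run of the
# page's loop using the exact check; prints the mount commands that would
# actually be executed and mounts nothing (so it runs unprivileged).
plan_cgroup_mounts() {
  mounts=$1
  cgroup_path=$2
  shift 2
  for subsystem in "$@"
  do
    if ! mountpoint_check "$mounts" "$cgroup_path/$subsystem"
    then
      echo "mount -t cgroup -o $subsystem none $cgroup_path/$subsystem"
    fi
  done
}
```

In the page's loop the order (cpu before cpuacct) hides the problem; the exact check removes the dependence on ordering.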
Network control
Every container is assigned a network interface which is one side of
a virtual ethernet pair created on the host. The other side of the virtual
ethernet pair is only visible on the host (from the root namespace).
The pair is configured to use IPs in a small and static subnet. Traffic
from and to the container can be forwarded using NAT. Additionally, all
traffic can be filtered and shaped as needed, using readily available
tools such as 'iptables'.

Network initialization
echo 1 > /proc/sys/net/ipv4/ip_forward

# iptables-save | grep -E 'warden|\*'
*nat
:warden-instance-16al6hojp15 - [0:0]
:warden-prerouting - [0:0]
-A PREROUTING -i eth0 -j warden-prerouting
-A OUTPUT -o lo -j warden-prerouting
-A warden-prerouting -j warden-instance-16al6hojp15
*mangle
*filter
:warden-default - [0:0]
:warden-dispatch - [0:0]
:warden-instance-16al6hojp15 - [0:0]
-A INPUT -i w-+ -j warden-dispatch
-A FORWARD -i w-+ -j warden-dispatch
-A warden-dispatch -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A warden-dispatch -i w-16al6hojp15-0 -g warden-instance-16al6hojp15
-A warden-dispatch -j DROP
-A warden-instance-16al6hojp15 -g warden-default
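Two properties of this filter layout carry the isolation: the warden-dispatch chain ends in an unconditional DROP, so packets from a w-* interface that no instance rule claims are discarded, and every instance chain falls through to warden-default. The audit below is an added example (not Warden's own tooling) that checks both invariants over an iptables-save dump; the embedded rules are a constructed sample in the shape shown above.

```shell
#!/bin/sh
# Constructed iptables-save excerpt with one container (id 16al6hojp15);
# sample data for the audit, not captured from a host.
sample_filter_rules() {
  cat <<'EOF'
*filter
:warden-default - [0:0]
:warden-dispatch - [0:0]
:warden-instance-16al6hojp15 - [0:0]
-A INPUT -i w-+ -j warden-dispatch
-A FORWARD -i w-+ -j warden-dispatch
-A warden-dispatch -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A warden-dispatch -i w-16al6hojp15-0 -g warden-instance-16al6hojp15
-A warden-dispatch -j DROP
-A warden-instance-16al6hojp15 -g warden-default
COMMIT
EOF
}

# audit_warden_filter RULES_FILE
# Checks that the last rule appended to warden-dispatch is "-j DROP" and that
# every warden-instance-* chain reached via "-g" from warden-dispatch has
# "-g warden-default" as its last rule. Prints each violation found;
# exit status 0 means both invariants hold.
audit_warden_filter() {
  awk '
    $1 == "-A" && $2 == "warden-dispatch" {
      dispatch_last = $0
      for (i = 3; i <= NF; i++)
        if ($i == "-g" && $(i + 1) ~ /^warden-instance-/) referenced[$(i + 1)] = 1
    }
    $1 == "-A" && $2 ~ /^warden-instance-/ { last_of[$2] = $0 }
    END {
      if (dispatch_last !~ / -j DROP$/) {
        print "warden-dispatch does not end in DROP"; bad = 1
      }
      for (c in referenced)
        if (last_of[c] !~ / -g warden-default$/) {
          print c " does not end in -g warden-default"; bad = 1
        }
      exit bad
    }' "$1"
}
```

On a live host, feed it the output of iptables-save instead of the sample.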
Stop AppArmor: /etc/init.d/apparmor teardown
Enable disk quotas on the container depot mount point:

# quotaon(8) exits with non-zero status when quotas are enabled
if quotaon -p $container_depot_mount_point_path > /dev/null
then
  mount -o remount,usrjquota=aquota.user,grpjquota=aquota.group,jqfmt=vfsv0 $container_depot_mount_point_path
  quotacheck -ugmb -F vfsv0 $container_depot_mount_point_path
  quotaon $container_depot_mount_point_path
fi
File system
Every container gets a private root filesystem. This filesystem is
created by stacking a read-only filesystem and a read-write filesystem.
This is implemented by using 'aufs' on Ubuntu versions from 10.04 up to
11.10, and 'overlayfs' on Ubuntu 12.04.
The read-only filesystem contains the minimal set of Ubuntu packages and
Warden-specific modifications common to all containers. The read-write
filesystem stores files overriding container-specific settings when
necessary. Because all writes are applied to the read-write filesystem,
containers can share the same read-only base filesystem.
The read-write filesystem is created by formatting a large sparse file.
Because the size of this file is fixed, the filesystem that it contains
cannot grow beyond this initial size.
Create a container

set -o nounset
set -o errexit
shopt -s nullglob

cp -r skeleton "${target}"
unshare -m "${target}"/setup.sh "${target}"

The "${target}"/setup.sh script does the following.

1. Generate a configuration file:

id=16al6hojp15
network_netmask=255.255.255.252
network_host_ip=10.254.0.17
network_host_iface=w-16al6hojp15-0
network_container_ip=10.254.0.18
network_container_iface=w-16al6hojp15-1
user_uid=10004

2. Call setup_fs():

mkdir -p rootfs ${target}
mount -n -t overlayfs -o rw,upperdir=rootfs,lowerdir=${1} none ${target}

3. Call prepare.sh to delete unnecessary files and create the necessary device nodes.

4. Configure system parameters:

# cat etc/hosts
127.0.0.1 16al6hojp15 localhost
10.254.0.17 host
10.254.0.18 container

# cat etc/hostname
16al6hojp15

# cat etc/network/interfaces
auto lo
iface lo inet loopback

auto w-16al6hojp15-1
iface w-16al6hojp15-1 inet static
  gateway 10.254.0.17
  address 10.254.0.18
  netmask 255.255.255.252

cp /etc/resolv.conf ${target}/etc/

chroot into the target and add the user:

useradd -mU -u ${user_uid} -s /bin/bash vcap

Copy the override directory (it is actually just a few etc files and an sbin/warden-stop.sh file):

cp -r override/* ${target}/
chmod 700 ${target}/sbin/warden-*

5. Configure SSH.

6. Configure mesg:

# The 'mesg' tool modifies permissions on stdin. Warden regularly passes
# custom stdin, which makes 'mesg' complain that stdin is not a TTY. Instead of
# removing all occurrences of 'mesg', we simply bind it to /bin/true.
chroot <<EOS
rm /usr/bin/mesg
ln -s /bin/true /usr/bin/mesg
EOS

7. On the physical machine, bring up the network interface that acts as the container's gateway:

ifconfig ${network_host_iface} ${network_host_ip} netmask ${network_netmask}

and add the tc rules that limit bandwidth (as shown by tc qdisc):

qdisc tbf 8002: dev w-16al6hojp15-0 root refcnt 2 rate 8192bit burst 9b lat 24.4ms
qdisc ingress ffff: dev w-16al6hojp15-0 parent ffff:fff1 ----------------

8. Configure cgroups:

# Add new group for every subsystem
for system_path in /sys/fs/cgroup/*
do
  instance_path=$system_path/instance-$id

  mkdir -p $instance_path

  if [ $(basename $system_path) = "cpuset" ]
  then
    cat $system_path/cpuset.cpus > $instance_path/cpuset.cpus
    cat $system_path/cpuset.mems > $instance_path/cpuset.mems
  fi

  echo 1 > $instance_path/cgroup.clone_children
  echo $pid > $instance_path/tasks
done

echo ${ppid} > ppid

ip link add name ${network_host_iface} type veth peer name ${network_container_iface}
ip link set ${network_host_iface} netns 1
ip link set ${network_container_iface} netns ${pid}
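The values in steps 1 and 4 are not arbitrary: 10.254.0.17/10.254.0.18 with netmask 255.255.255.252 is the fifth /30 block (network 10.254.0.16) of a pool, with the host side at network+1 and the container side at network+2, and the veth names are derived from the container id. The following generator is an added example, not Warden's own code; the pool base 10.254.0.0 and the "one /30 per container, numbered from zero" allocation are assumptions made for the example.

```shell
#!/bin/sh
# Assumed pool base; subnet n covers base+4n .. base+4n+3.
POOL_BASE=${POOL_BASE:-10.254.0.0}

# ip_to_int A.B.C.D -> unsigned 32-bit integer
ip_to_int() {
  oldifs=$IFS
  IFS=.
  set -- $1
  IFS=$oldifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# int_to_ip N -> dotted quad
int_to_ip() {
  echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# subnet_for N: prints "HOST_IP CONTAINER_IP" for /30 number N of the pool
# (network address +1 is the host end of the veth pair, +2 the container end).
subnet_for() {
  base=$(ip_to_int "$POOL_BASE")
  net=$(( base + 4 * $1 ))
  echo "$(int_to_ip $(( net + 1 ))) $(int_to_ip $(( net + 2 )))"
}

# render_config ID N: emit the step-1 configuration for container ID on subnet N.
render_config() {
  set -- "$1" $(subnet_for "$2")
  cat <<EOF
id=$1
network_netmask=255.255.255.252
network_host_ip=$2
network_host_iface=w-$1-0
network_container_ip=$3
network_container_iface=w-$1-1
EOF
}
```

render_config 16al6hojp15 4 reproduces the configuration file shown in step 1; the 4th-octet carry is handled by the integer arithmetic, so subnet 64 lands in 10.254.1.x.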
After creation, you can log in with ssh -i access_key root@10.254.0.18; the password is the one set before installation.