Container Fundamentals Lab

Retrieval Prompts

  1. Name the seven namespace types and what each isolates.
  2. State the difference between namespaces and cgroups in one sentence.
  3. State what the three parts of an OCI image are.
  4. State the difference between Docker Engine, containerd, and runc.
  5. Explain what overlayfs does for a running container.

Compare and Distinguish

Separate these pairs cleanly:

  • VM versus container
  • hostPath volume versus emptyDir volume
  • image tag versus image digest
  • docker exec versus kubectl exec versus crictl exec
  • runc versus containerd

Common Mistake Check

For each statement, identify the error:

  1. "A container is a lightweight VM because it isolates the kernel."
  2. "I squashed my Dockerfile to one layer to make it smaller."
  3. "Secrets in a ConfigMap are fine because they're in etcd."
  4. "latest is the most recent version of this image."
  5. "cgroups stop a compromised container from escaping."

Mini Application

Build a container by hand

On a Linux box (or a kind node via docker exec -it <node> bash):

  1. unshare --fork --pid --mount-proc --uts --ipc --net --mount --user --map-root-user /bin/bash.
  2. Inside the new shell, run ps -ef, hostname, ip a, and id. Note each observation.
  3. Create a cgroup under /sys/fs/cgroup/mygroup, put the shell in it, set memory.max, and observe an allocation being OOMKilled.
  4. Write one paragraph for each namespace: what is different inside versus outside, and why.

Inspect a real image

docker pull alpine:3.19
docker save alpine:3.19 -o alpine.tar
mkdir alpine && tar -xf alpine.tar -C alpine
ls alpine/
cat alpine/manifest.json

Identify:

  • the manifest file
  • the config blob
  • each layer blob
  • which layer introduced /bin/busybox
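An added Python checker for the same unpacked layout (example code, not part of the lab): it constructs a two-layer tarball in docker save form, then reads the manifest, the config blob and each layer blob, verifies every layer against the config's diff_ids, and reports which layer introduced bin/busybox. It assumes the layer tars are uncompressed, as docker save writes them, and the sample image is constructed rather than pulled.

```python
import hashlib
import io
import json
import tarfile

def _tar_bytes(files):
    """Pack {path: bytes} into an uncompressed tar held in memory."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def build_sample_image():
    """Constructed two-layer image in `docker save` layout (stands in for alpine.tar)."""
    layers = [
        _tar_bytes({"bin/busybox": b"\x7fELF-stub", "etc/alpine-release": b"3.19\n"}),
        _tar_bytes({"etc/motd": b"constructed sample\n"}),
    ]
    diff_ids = ["sha256:" + hashlib.sha256(blob).hexdigest() for blob in layers]
    config = {"os": "linux", "rootfs": {"type": "layers", "diff_ids": diff_ids}}
    manifest = [{"Config": "config.json", "RepoTags": ["sample:1"],
                 "Layers": ["layer0/layer.tar", "layer1/layer.tar"]}]
    return _tar_bytes({"manifest.json": json.dumps(manifest).encode(),
                       "config.json": json.dumps(config).encode(),
                       "layer0/layer.tar": layers[0], "layer1/layer.tar": layers[1]})

def inspect_image(image_bytes, wanted="bin/busybox"):
    """Verify each layer's diff_id; report the index of the first layer carrying `wanted`."""
    with tarfile.open(fileobj=io.BytesIO(image_bytes)) as outer:
        manifest = json.load(outer.extractfile("manifest.json"))[0]
        config = json.load(outer.extractfile(manifest["Config"]))
        diff_ids = config["rootfs"]["diff_ids"]
        introduced_in = None
        for idx, layer_path in enumerate(manifest["Layers"]):
            data = outer.extractfile(layer_path).read()
            # diff_id is the sha256 of the uncompressed layer tar; a mismatch means
            # the archive was tampered with or mis-assembled, so refuse to trust it.
            digest = "sha256:" + hashlib.sha256(data).hexdigest()
            if digest != diff_ids[idx]:
                raise ValueError(f"layer {idx}: {digest} != {diff_ids[idx]}")
            with tarfile.open(fileobj=io.BytesIO(data)) as layer:
                # layer entries may be written as './bin/busybox' or '/bin/busybox'
                names = {m.name.removeprefix("./").lstrip("/") for m in layer.getmembers()}
                if introduced_in is None and wanted in names:
                    introduced_in = idx
    return {"config": manifest["Config"], "layers": manifest["Layers"],
            "diff_ids": diff_ids, "introduced_in": introduced_in}
```

Against the tarball from the commands above, call inspect_image(open("alpine.tar", "rb").read()) and compare its output with what you identified by hand.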

Identify who runs what on a node

On a Kubernetes node (or a kind node):

crictl ps
crictl inspect <id> | jq .info.runtimeType
systemctl status containerd

Label each of kubelet, containerd, runc, and the container process on the diagram from the concept page.

Evidence Check

This page is complete only if you can explain, without looking up, what docker run alpine sh does to the host kernel.