man7.
org
Training and Consulting
System Programming for Linux Containers
Course code: M7D-SPLC01
This course provides a deep understanding of the Linux infrastructure used to
build container systems such as Docker and LXC, coupled with an understanding
of the APIs used to build system-level applications that run inside containers. Detailed explanations and carefully designed practical exercises provide participants
with the knowledge needed both to troubleshoot and administer container-based
systems and to write complex applications that run inside Linux containers.
Audience and prerequisites
Course materials
The audience for this course includes designers and developers who are building, troubleshooting, and administering
system-level applications for Linux-based container systems.
To get the most out of the course, participants should
have:
Two course books (written by the trainer) that include all
slides and exercises presented in the course
A copy of the trainers book, The Linux Programming
Interface
A source code tarball containing around 20,000 lines of
example code written by the trainer
Good reading knowledge of the C programming language
Solid programming experience in a language suitable for
completing the course exercises (e.g., C, C++, D, Go,
Rust, or Python)
Knowledge of basic UNIX/Linux shell commands
Course inquiries and bookings
Previous system programming experience is not required.
For inquiries about courses and consulting, you can contact
us in the following ways:
Email:
[email protected] Phone: +49 (89) 2155 2990 (German landline)
Prices, dates, and further details
Course duration and format
Five days, with up to 50% of course time devoted to practical
sessions.
For course prices, upcoming course dates, and further information about the course, please visit the course web page,
http://man7.org/training/sys_prog_lxcon/.
About the trainer
Michael Kerrisk has a unique set of qualifications and experience that ensure that course
participants receive training of a very high
standard:
He has been programming on UNIX systems since 1987 and began teaching UNIX
system programming courses in 1989.
He is the author of The Linux Programming Interface, a 1500-page book widely
acclaimed as the definitive work on Linux
http://man7.org/training/
+49 (89) 2155 2990
system programming.
He is actively involved in Linux development, working with kernel developers on
testing, review, and design of new Linux
kerneluser-space APIs.
Since 2004, he has been the maintainer of
the Linux man-pages project, which provides the manual pages documenting the
Linux kerneluser-space and GNU C library
APIs.
k [email protected]
Version: 2016-07-05
System Programming for Linux Containers: course contents in detail
Topics marked with an asterisk (*) are optional, and will be covered as time permits
1. Fundamental Concepts
System calls & library functions
Error handling
File descriptors
open(), close(), read(), write()
Seeking to a file offset: lseek()
Atomicity and races
Relationship between file
descriptors and open files
Duplicating file descriptors
Open file status flags
Buffering in stdio and kernel
Controlling buffering
3. File Attributes
Filesystems and i-nodes
stat()
File timestamps
Ownership and permissions
Changing file attributes
4. Processes
Process IDs
Memory layout of a process
Command-line arguments
Environment list
Process groups and sessions (*)
Nonlocal gotos (*)
5. Process Credentials
Password and group file
User and group IDs
Real, effective, saved set IDs
Supplementary group IDs
Retrieving process credentials
6. Signals
Signal types; default actions
Setting signal dispositions
Signal handlers
Signal sets
Blocked and pending signals
Sending signals
Designing signal handlers
Reentrancy; async-signal-safety
Restarting system calls
7. Process Lifecycle
Process creation: fork()
File descriptors and fork()
Process termination
http://man7.org/training/
13. Seccomp
8. Executing Programs
2. File I/O
Monitoring child processes
Orphans and zombies
The SIGCHLD signal
execve()
exec() library functions
File descriptors and exec()
9. Privileged Programs
Set-UID + set-GID programs
Changing process credentials
Some guidelines for writing
privileged programs
14. Cgroups
Overview/purpose of cgroups
Cgroup filesystem
Hierarchies and controllers
Populating a cgroup
Resource controllers (PID,
CPU, memory, etc.)
Cgroups v2 (rationale, design
changes, single unified
hierarchy, delegation)
10. Capabilities
Process and file capabilities
(permitted, effective, and
inheritable)
Viewing and setting file
capabilities from the shell
Text-form capabilities
Transformation of capabilities
by execve()
Capabilities bounding set
Ambient capabilities
Problems with capabilities
15. Introduction to Sockets
Overview
Namespace types
UTS namespaces
Mount namespaces; shared
subtrees
IPC namespaces
Network namespaces
(overview)
PID namespaces
User namespaces (overview)
Namespaces APIs:
/proc/PID/ns/, clone(),
setns(), and unshare()
UNIX domain stream and
datagram sockets
Socket permissions
17. Internet Domain Sockets
+49 (89) 2155 2990
TCP/IP fundamentals
Internet socket addresses
Data representation issues
getaddrinfo(), getnameinfo()
18. Alternative I/O Models
12. User namespaces in depth
UID and GID mappings
execve() and user ID 0
semantics
User namespaces and
capabilities
Combining user namespaces
with other namespace types
User namespaces and
capabilities revisited
Socket types and domains
Sockets system calls
Stream sockets
Datagram sockets
16. UNIX Domain Sockets
11. Namespaces
Introduction and history
BPF (Berkeley Packet Filter)
Constructing seccomp filters
BPF programs
libseccomp (*)
Applications, tools, and further
information
Nonblocking I/O
Signal-driven I/O
poll() and select()
The epoll API
19. Daemons (*)
Steps in creating a daemon
Reinitializing a daemon
20. Tracing with strace() (*)
k [email protected]
Basics
Filtering strace output
Tracing children
Further strace options
Version: 2016-07-05