man7.

org
Training and Consulting

System Programming for Linux Containers

Course code: M7D-SPLC01

This course provides a deep understanding of the Linux infrastructure used to

build container systems such as Docker and LXC, coupled with an understanding
of the APIs used to build system-level applications that run inside containers. Detailed explanations and carefully designed practical exercises provide participants
with the knowledge needed both to troubleshoot and administer container-based
systems and to write complex applications that run inside Linux containers.

Audience and prerequisites

Course materials

The audience for this course includes designers and developers who are building, troubleshooting, and administering
system-level applications for Linux-based container systems.
To get the most out of the course, participants should
have:

Two course books (written by the trainer) that include all

slides and exercises presented in the course
A copy of the trainers book, The Linux Programming
Interface
A source code tarball containing around 20,000 lines of
example code written by the trainer

Good reading knowledge of the C programming language

Solid programming experience in a language suitable for
completing the course exercises (e.g., C, C++, D, Go,
Rust, or Python)
Knowledge of basic UNIX/Linux shell commands

Course inquiries and bookings

Previous system programming experience is not required.

For inquiries about courses and consulting, you can contact

us in the following ways:
Email: [email protected]
Phone: +49 (89) 2155 2990 (German landline)

Prices, dates, and further details

Course duration and format

Five days, with up to 50% of course time devoted to practical
sessions.

For course prices, upcoming course dates, and further information about the course, please visit the course web page,
http://man7.org/training/sys_prog_lxcon/.

About the trainer

Michael Kerrisk has a unique set of qualifications and experience that ensure that course
participants receive training of a very high
standard:
He has been programming on UNIX systems since 1987 and began teaching UNIX
system programming courses in 1989.
He is the author of The Linux Programming Interface, a 1500-page book widely
acclaimed as the definitive work on Linux
http://man7.org/training/

 +49 (89) 2155 2990

system programming.
He is actively involved in Linux development, working with kernel developers on
testing, review, and design of new Linux
kerneluser-space APIs.
Since 2004, he has been the maintainer of
the Linux man-pages project, which provides the manual pages documenting the
Linux kerneluser-space and GNU C library
APIs.

k [email protected]

Version: 2016-07-05

System Programming for Linux Containers: course contents in detail

Topics marked with an asterisk (*) are optional, and will be covered as time permits

1. Fundamental Concepts
System calls & library functions
Error handling

File descriptors
open(), close(), read(), write()
Seeking to a file offset: lseek()
Atomicity and races
Relationship between file
descriptors and open files
Duplicating file descriptors
Open file status flags
Buffering in stdio and kernel
Controlling buffering

3. File Attributes

Filesystems and i-nodes

stat()
File timestamps
Ownership and permissions
Changing file attributes

4. Processes

Process IDs
Memory layout of a process
Command-line arguments
Environment list
Process groups and sessions (*)
Nonlocal gotos (*)

5. Process Credentials

Password and group file

User and group IDs
Real, effective, saved set IDs
Supplementary group IDs
Retrieving process credentials

6. Signals

Signal types; default actions

Setting signal dispositions
Signal handlers
Signal sets
Blocked and pending signals
Sending signals
Designing signal handlers
Reentrancy; async-signal-safety
Restarting system calls

7. Process Lifecycle
Process creation: fork()
File descriptors and fork()
Process termination

http://man7.org/training/

13. Seccomp

8. Executing Programs

2. File I/O

Monitoring child processes

Orphans and zombies
The SIGCHLD signal
execve()
exec() library functions
File descriptors and exec()
9. Privileged Programs
Set-UID + set-GID programs
Changing process credentials
Some guidelines for writing
privileged programs

14. Cgroups

Overview/purpose of cgroups
Cgroup filesystem
Hierarchies and controllers
Populating a cgroup
Resource controllers (PID,
CPU, memory, etc.)
Cgroups v2 (rationale, design
changes, single unified
hierarchy, delegation)

10. Capabilities
Process and file capabilities
(permitted, effective, and
inheritable)
Viewing and setting file
capabilities from the shell
Text-form capabilities
Transformation of capabilities
by execve()
Capabilities bounding set
Ambient capabilities
Problems with capabilities

15. Introduction to Sockets

Overview
Namespace types
UTS namespaces
Mount namespaces; shared
subtrees
IPC namespaces
Network namespaces
(overview)
PID namespaces
User namespaces (overview)
Namespaces APIs:
/proc/PID/ns/, clone(),
setns(), and unshare()

UNIX domain stream and

datagram sockets
Socket permissions
17. Internet Domain Sockets

 +49 (89) 2155 2990

TCP/IP fundamentals
Internet socket addresses
Data representation issues
getaddrinfo(), getnameinfo()

18. Alternative I/O Models

12. User namespaces in depth

UID and GID mappings
execve() and user ID 0
semantics
User namespaces and
capabilities
Combining user namespaces
with other namespace types
User namespaces and
capabilities revisited

Socket types and domains

Sockets system calls
Stream sockets
Datagram sockets

16. UNIX Domain Sockets

11. Namespaces

Introduction and history

BPF (Berkeley Packet Filter)
Constructing seccomp filters
BPF programs
libseccomp (*)
Applications, tools, and further
information

Nonblocking I/O
Signal-driven I/O
poll() and select()
The epoll API

19. Daemons (*)

Steps in creating a daemon
Reinitializing a daemon
20. Tracing with strace() (*)

k [email protected]

Basics
Filtering strace output
Tracing children
Further strace options

Version: 2016-07-05