@@ -38,7 +38,7 @@ size: 16:9
3838
3939![ width:1000px] ( imgs/udocker-project-logos.png )
4040
41- # udocker - * be anywhere*
41+ # ` udocker ` - * be anywhere*
4242
4343## Advanced technical details
4444
@@ -54,96 +54,96 @@ Jorge Gomes <jorge@lip.pt>
5454
5555## Programing languages and OS
5656
57- * Implemented
57+ * Implemented in:
5858 * python, C, C++, go
5959
6060* Can run:
61- * CentOS 6, CentOS 7, RHEL 8 or RHEL 9 (compatible distros)
61+ * CentOS 7, RHEL 8 or RHEL 9 (compatible distros)
6262 * Ubuntu >= 16.04
6363 * Any distro that supports python 2.7 and >= 3.6
6464
6565---
6666
6767## Components
6868
69- * Command line interface docker like
70- * Pull of containers from Docker Hub
71- * Local repository of images and containers
72- * Execution of containers with modular engines
69+ * Command line interface similar or the same as docker.
70+ * Pull of containers from DockerHub and other docker registries.
71+ * Local repository of images and containers.
72+ * Execution of containers with modular engines.
7373
7474---
7575
76- ## udocker: Execution engines - I
76+ ## ` udocker ` : Execution engines - I
7777
78- udocker supports several techniques to achieve the equivalent to a chroot without using privileges, to execute containers.
78+ ` udocker ` supports several techniques to achieve the equivalent to a chroot without using privileges, to execute containers.
7979
8080They are selected per container id via execution modes.
8181
8282---
8383
84- ## udocker: Execution engines - II
84+ ## ` udocker ` : Execution engines - II
8585
86- | Mode | Base | Description |
87- | :---: | :---------: | :---------: |
88- | * P1 * | PRoot | PTRACE accelerated (with SECCOMP filtering): * DEFAULT* |
89- | P2 | PRoot | PTRACE non-accelerated (without SECCOMP filtering) |
90- | R1 | runC/Crun | rootless unprivileged using user namespaces |
91- | R2 | runC/Crun | rootless unprivileged using user namespaces + P1 |
92- | R3 | runC/Crun | rootless unprivileged using user namespaces + P2 |
93- | F1 | Fakechroot | with loader as argument and LD_LIBRARY_PATH |
86+ | Mode | Base | Description |
87+ | :---: | :---------: | :---------------------------------------------------------- : |
88+ | P1 | PRoot | PTRACE accelerated (with SECCOMP filtering): * DEFAULT* |
89+ | P2 | PRoot | PTRACE non-accelerated (without SECCOMP filtering) |
90+ | R1 | runC/Crun | rootless unprivileged using user namespaces |
91+ | R2 | runC/Crun | rootless unprivileged using user namespaces + P1 |
92+ | R3 | runC/Crun | rootless unprivileged using user namespaces + P2 |
93+ | F1 | Fakechroot | with loader as argument and LD_LIBRARY_PATH |
9494| F2 | Fakechroot | with modified loader, loader as argument and LD_LIBRARY_PATH |
95- | F3 | Fakechroot | modified loader and ELF headers of binaries + libs changed |
96- | F4 | Fakechroot | modified loader and ELF headers dynamically changed |
97- | S1 | Singularity | where locally installed using chroot or user namespaces |
95+ | F3 | Fakechroot | modified loader and ELF headers of binaries + libs changed |
96+ | F4 | Fakechroot | modified loader and ELF headers dynamically changed |
97+ | S1 | Singularity | where locally installed using chroot or user namespaces |
9898
9999---
100100
101- ## udocker: PRoot engine (P1 and P2)
101+ ## ` udocker ` : PRoot engine (P1 and P2)
102102
103- * PRoot uses PTRACE to intercept system calls
103+ * PRoot uses PTRACE to intercept system calls.
104104
105- * Pathnames are modified before the call
106- * To expand container pathnames into host pathnames
107- * ` /bin/ls ` to ` /home/user/.udocker/containers/CONTAINER-NAME/ROOT/bin/ls `
105+ * Pathnames are modified before the call:
106+ * To expand container pathnames into host pathnames.
107+ * ` /bin/ls ` becomes ` /home/user/.udocker/containers/CONTAINER-NAME/ROOT/bin/ls ` .
108108
109- * If pathnames are returned they are modified after the call
110- * To shrink host pathnames to container pathnames
111- * ` /home/user/.udocker/containers/CONTAINER-NAME/ROOT/bin/ls ` to ` /bin/ls `
109+ * If pathnames are returned they are modified after the call:
110+ * To shrink host pathnames to container pathnames.
111+ * ` /home/user/.udocker/containers/CONTAINER-NAME/ROOT/bin/ls ` becomes ` /bin/ls ` .
112112
113- * P1 and P2 are very generic modes adequate for most applications
114- * They also offer root emulation
115- * As new system calls are added they must be also be added to PRoot
113+ * P1 and P2 are very generic modes adequate for most applications:
114+ * They also offer root emulation.
115+ * As new system calls are added they must be also be added to PRoot:
116116 * Often compatibility also needs to be added for older kernels.
117117
118118---
119119
120- ## udocker: PRoot engine (P1)
120+ ## ` udocker ` : PRoot engine (P1)
121121
122- * The P1 mode uses PTRACE + SECCOMP filtering
123- * P1 is the udocker default mode
124- * System call interception is limited to the set of calls that manipulate pathnames
125- * We fixed PRoot for SECCOMP on recent kernels, most changes incorporated upstream
122+ * The P1 mode uses PTRACE + SECCOMP filtering:
123+ * P1 is the ` udocker ` default mode.
124+ * System call interception is limited to the set of calls that manipulate pathnames.
125+ * We fixed PRoot for SECCOMP on recent kernels, most changes incorporated upstream.
126126
127- * The impact of tracing depends on the system call frequency
128- * In most cases the performance is good
129- * Applications that are heavily threaded or pathname intensive might be impacted
127+ * The impact of tracing depends on the system call frequency:
128+ * In most cases the performance is good.
129+ * Applications that are heavily threaded or pathname intensive might be impacted.
130130
131131---
132132
133- ## udocker: PRoot engine (P2)
133+ ## ` udocker ` : PRoot engine (P2)
134134
135- * The P2 mode uses PTRACE without SECCOMP
136- * Therefore intercepts all system calls even the if they don't make use pathnames
137- * P1 falls back to P2 on old Linux kernels without SECCOMP (e.g. CentOS 6)
135+ * The P2 mode uses PTRACE without SECCOMP:
136+ * Therefore intercepts all system calls even if they don't make use pathnames.
137+ * P1 falls back to P2 on old Linux kernels without SECCOMP (e.g. CentOS 6).
138138
139- * The impact of tracing depends on the system call frequency
140- * Since all system calls are intercepted can be slow
141- * Applications that are heavily threaded or pathname intensive can be very impacted
142- * In such cases using Fn modes is recommended
139+ * The impact of tracing depends on the system call frequency:
140+ * Since all system calls are intercepted it can be slow.
141+ * Applications that are heavily threaded or pathname intensive highly impacted.
142+ * In such cases using Fn modes is recommended.
143143
144144---
145145
146- ## udocker: runC/crun engine (R1) - I
146+ ## ` udocker ` : runC/crun engine (R1) - I
147147
148148* runC and crun are tools to spawn containers according to the Open Containers Initiative (OCI) specification:
149149 * They support unprivileged namespaces using the * user namespace* .
@@ -153,22 +153,22 @@ They are selected per container id via execution modes.
153153
154154---
155155
156- ## udocker: runC/crun engine (R1) - II
156+ ## ` udocker ` : runC/crun engine (R1) - II
157157
158- * To support runC/crun in udocker:
158+ * To support runC/crun in ` udocker ` :
159159 * We added conversion of Docker metadata to the OCI spec format.
160- * udocker can produce an OCI spec and run the containers with runC/crun transparently.
160+ * ` udocker ` can produce an OCI spec and run the containers with runC/crun transparently.
161161 * While runC is written in go, crun is written in C and is generally faster.
162- * Depending on the host system udocker selects crun or runC.
163- * crun provides support for the kernel cgroups version 2 which became required in some distributions.
162+ * Depending on the host system ` udocker ` selects crun or runC.
163+ * crun provides support for the kernel cgroups version 2 which became a requirement in some distributions.
164164
165165---
166166
167- ## udocker: runC/crun engine (R2 and R3)
167+ ## ` udocker ` : runC/crun engine (R2 and R3)
168168
169169* The R2 and R3 execution modes are nested:
170170 * These modes make use of P1 or P2 from inside the R engine.
171- * It is used to overcome some of the * user namespace* limitations.
171+ * It is used to overcome some * user namespace* limitations.
172172 * They are not generally necessary.
173173 * All limitations of the P1 and P2 modes also apply to R2 and R3.
174174
@@ -180,105 +180,108 @@ udocker run -v /tmp myContainerId
180180
181181---
182182
183- ## udocker: Fakechroot engine - I
183+ ## ` udocker ` : Fakechroot engine - I
184184
185- * Fakechroot is a library to provide chroot-like behaviour.
186- * It was conceived to support debootstrap in debian
185+ * Fakechroot is a library that provides chroot-like behaviour:
186+ * It was conceived to support debootstrap in debian.
187187
188- * For udocker
189- * It has been heavily modified to support Linux containers with udocker
190- * Supports both ` glibc ` and ` musl libc ` (ported by the udocker developers)
188+ * Regarding ` udocker ` :
189+ * It has been heavily modified to support Linux containers with ` udocker ` .
190+ * Supports both ` glibc ` and ` musl libc ` (ported by the ` udocker ` developers).
191191
192- * Uses the Linux loader LD_PRELOAD mechanism to;
192+ * Uses the Linux loader LD_PRELOAD mechanism to:
193193 * Intercept calls to the ` libc.so ` functions that manipulate pathnames.
194194 * Translates the pathnames before and after the call similarly to PRoot.
195195 * Does not work with statically compiled executables.
196196
197197---
198198
199- ## udocker: Fakechroot engine - II
199+ ## ` udocker ` : Fakechroot engine - II
200200
201201* In the original fakechroot the executables must match the host loader and libc.
202202 * Shared libraries are loaded from the host not the container.
203203 * Causing symbol mismatches and application crashes.
204204
205- * Why is this ?
205+ * Why is this?
206+
206207 * The path to the loader ` ld.so ` is inside the ELF header of all executables.
207- * is an absolute path pointing to the host
208- * ` readelf --program-headers /bin/ls | grep interpreter `
209- * since loading starts before execution we cannot intercept and translate
210- * Pathnames to library locations and ld.so.cache inside ` ld.so ` are absolute.
211- * loaders are statically linked so we cannot intercept and translate
208+ * It's an absolute path pointing to the host:
209+ * ` readelf --program-headers /bin/ls | grep interpreter ` .
210+ * since loading starts before execution we cannot intercept and translate.
211+
212+ * Pathnames to library locations and ld.so.cache inside ` ld.so ` are absolute:
213+ * loaders are statically linked so we cannot intercept and translate.
214+
212215 * Absolute paths also may exist in the ELF headers of executables and libraries.
213216
214217---
215218
216- ## udocker: Fakechroot engine - III
219+ ## ` udocker ` : Fakechroot engine - III
217220
218221* The shared library loader ` ld.so ` searches for libraries:
219222 * If the pathname has a ` / ` they are directly loaded (* PROBLEM* ).
220223 * If the pathname does not contain ` / ` a search path or location can be obtained from:
221224 1 . DT_RPATH dynamic section attribute of the ELF executable (* PROBLEM* ).
222225 2 . LD_LIBRARY_PATH environment variable (this can be easily set).
223226 3 . DT_RUNPATH dynamic section attribute of the ELF executable (* PROBLEM* ).
224- 4 . cache file /etc/ld.so.cache (* PROBLEM* ).
225- 5 . default paths such as /lib64, /usr/lib64, /lib, /usr/lib (* PROBLEM* ).
227+ 4 . Cache file /etc/ld.so.cache (* PROBLEM* ).
228+ 5 . Default paths such as /lib64, /usr/lib64, /lib, /usr/lib (* PROBLEM* ).
226229
227230---
228231
229- ## udocker: Fakechroot engine (F1) - I
232+ ## ` udocker ` : Fakechroot engine (F1) - I
230233
231234* The path to the loader ` ld.so ` is inside the ELF header of all executables;
232235 * the loader is the executable that loads libraries and calls the actual executable,
233236 * also acts as a library providing functions to dynamically load other libraries.
234237 * the loader is provided and tightly coupled with the libc.
235238
236- * Is essential that executables in the container are run with the loader from the container
237- * as symbols and functions will not match causing crashes
238- * binaries, libc, other libs and ld.so must match
239+ * Is essential that executables in the container are run with the loader from the container;
240+ * as symbols and functions will not match causing crashes,
241+ * binaries, libc, other libs and ld.so must match.
239242
240243---
241244
242- ## udocker: Fakechroot engine (F1) - II
245+ ## ` udocker ` : Fakechroot engine (F1) - II
243246
244247* The mode F1 enforces the use of the loader provided by the container:
245248 * Passes it as 1st argument in * exec* and similar system calls shifting argv.
246- * Like this executables are always started by the loader of the container
247- * ` /pathname/ld-linux-x86-64.so /pathname/bin/ls `
249+ * Thus, executables are always started by the loader of the container.
250+ * ` /pathname/ld-linux-x86-64.so /pathname/bin/ls ` .
248251
249252* Enforcement of library locations:
250253 * Is performed by filling in LD_LIBRARY_PATH with the container paths.
251- * Uses library paths extracted from the container ` ld.so.cache `
252- * ` export LD_LIBRARY_PATH=/home/u/containers/ID/ROOT/lib64: ... `
254+ * Uses library paths extracted from the container ` ld.so.cache ` .
255+ * ` export LD_LIBRARY_PATH=/home/u/containers/ID/ROOT/lib64: ... ` .
253256
254- * If the ELF headers of binaries contain absolute paths then host libraries may endup being loaded.
257+ * If the ELF headers of binaries contain absolute paths then host libraries may end up being loaded.
255258
256259---
257260
258- ## udocker: Fakechroot engine (F2) - I
261+ ## ` udocker ` : Fakechroot engine (F2) - I
259262
260263* The mode F2 modifies the loader binary within the container:
261264 * A copy of the container loader is made.
262- * The loader binary is then edited by udocker.
263- * The loading from host locations ` /lib ` , ` /lib64 ` etc is disabled.
265+ * The loader binary is then edited by ` udocker ` .
266+ * The loading from host locations ` /lib ` , ` /lib64 ` etc. is disabled.
264267 * The loading using the host ` ld.so.cache ` is disabled.
265268 * ` LD_LIBRARY_PATH ` is renamed to ` LD_LIBRARY_REAL ` .
266269
267270---
268271
269- ## udocker: Fakechroot engine (F2) - II
272+ ## ` udocker ` : Fakechroot engine (F2) - II
270273
271274* Upon execution:
272275 * Invocation is performed as in mode F1.
273276 * The ` LD_LIBRARY_REAL ` is filled with library paths from the container and its ` ld.so.cache ` .
274- * Changes made by the user to ` LD_LIBRARY_PATH ` are intercepted
275- * the pathnames are adjusted to container locations and inserted in ` LD_LIBRARY_REAL ` .
276- * like this LD_LIBRARY_PATH remains untouched for the executables
277- * but in practice is the LD_LIBRARY_REAL with the containers paths that is used
277+ * Changes made by the user to ` LD_LIBRARY_PATH ` are intercepted:
278+ * The pathnames are adjusted to container locations and inserted in ` LD_LIBRARY_REAL ` .
279+ * Like this LD_LIBRARY_PATH remains untouched for the executables,
280+ * but in practice it's the LD_LIBRARY_REAL with the containers paths that is used.
278281
279282---
280283
281- ## udocker: Fakechroot engine (F3 and F4) - I
284+ ## ` udocker ` : Fakechroot engine (F3 and F4) - I
282285
283286* The mode F3 modifies binaries both executables and libraries:
284287 * The PatchELF tool was heavily modified to enable easier change of:
@@ -287,25 +290,22 @@ udocker run -v /tmp myContainerId
287290
288291* With F3 or F4 the ELF headers of container executables and libraries are edited with PatchELF:
289292 * The loader location is changed to point to the container.
290- * The libraries location if absolute are changed to point to the container.
293+ * If the libraries location is absolute, then they are changed to point to the container.
291294 * The libraries search paths inside the binaries are changed to point to container locations.
292295
293296---
294297
295- ## udocker: Fakechroot engine (F3 and F4) - II
298+ ## ` udocker ` : Fakechroot engine (F3 and F4) - II
296299
297300* The loader no longer needs to be passed as first argument.
298-
299301* The libraries are always fetched from container locations.
300-
301302* The LD_LIBRARY_REAL continues to be used in F3 and F4.
302-
303303* The mode F4 adds dynamic editing of executables and libraries.
304304 * This is useful if libraries or executables are added to a container or created as result of a compilation.
305305
306306---
307307
308- ## udocker: Fakechroot engine (F3 and F4) - III
308+ ## ` udocker ` : Fakechroot engine (F3 and F4) - III
309309
310310* Containers in modes F3 and F4 cannot be transparently moved across different systems:
311311 * The absolute pathnames to the container locations will likely differ.
0 commit comments