System Programming for Linux Containers course outline

1. Course Introduction
2. Fundamental Concepts
   • Error handling
   • System data types
   • Notes on code examples
3. File I/O
   • File I/O overview
   • open(), read(), write(), and close()
4. Processes
   • Process IDs
   • Process memory layout
   • Command-line arguments
   • The environment list
   • The /proc filesystem
5. Signals
   • Overview of signals
   • Signal dispositions
   • Useful signal-related functions
   • Signal handlers
   • Designing signal handlers
6. Process Lifecycle
   • Creating a new process: fork()
   • Process termination
   • Monitoring child processes
   • Orphans and zombies
   • The SIGCHLD signal
   • Executing programs: execve()
7. System Call Tracing with strace (*)
   • Getting started
   • Tracing child processes
   • Filtering strace output
8. Security and Isolation APIs Overview (*)
   • Sandboxing
   • Containers
9. Classical privileged Programs
   • A simple set-user-ID program
   • Saved set-user-ID and saved set-group-ID
   • Changing process credentials
   • A few guidelines for writing privileged programs
10. Capabilities
    • Process and file capabilities
    • Permitted and effective capabilities
    • Setting and viewing file capabilities
    • Capabilities-dumb and capabilities-aware applications
    • Text-form capabilities
11. Capabilities and execve()
    • Capabilities and execve()
    • The capability bounding set
    • Inheritable capabilities
    • Summary of process capability sets (so far)
    • Ambient capabilities
    • An alternative summary of process capability sets
    • Summary remarks
12. Capabilities and UID 0
    • Capabilities and UID transitions
    • Capabilities, UID 0, and execve()
    • Making a capabilities-only environment: securebits (*)
13. Programming with capabilities (*)
    • Programming with capabilities
14. Namespaces
    • An example: UTS namespaces
    • Namespaces commands
    • Namespaces demonstration (UTS namespaces)
    • Namespace types and APIS
    • Namespaces, containers, and virtualization
15. Mount Namespaces and Shared Subtrees
    • Mount namespaces
    • Shared subtrees
    • Bind mounts
16. PID Namespaces
    • PID namespaces
17. Other Namespaces
    • IPC namespaces
    • Time namespaces
    • Cgroup namespaces
    • Network namespaces
18. Namespaces APIs
    • API Overview
    • Creating a child process in new namespaces: clone()
    • /proc/PID/ns
    • Entering a namespace: setns()
    • Creating a namespace: unshare()
    • PID namespaces idiosyncrasies
    • Namespace lifetime (*)
19. User Namespaces
    • Overview of user namespaces
    • Creating and joining a user namespace
    • User namespaces: UID and GID mappings
    • Accessing files (and other objects with UIDs/GIDs)
    • Security issues
    • Combining user namespaces with other namespaces
    • Use cases
20. User namespaces, execve(), and user ID 0
• User namespaces, execve(), and user ID 0
21. User Namespaces and Capabilities
    • User namespaces and capabilities
    • What does it mean to be superuser in a namespace?
    • Discovering namespace relationships
    • File-related capabilities (*)
22. User Namespaces and Privileged Programs (*)
    • User namespace "set-UID-root" programs
    • Namespaced file capabilities
23. Mount Namespaces: Further Details (*)
    • Peer groups
    • Private mounts
    • Slave mounts
    • Unbindable mounts
    • Mounting a container filesystem
24. Seccomp
    • Seccomp filtering and BPF
    • The BPF virtual machine and BPF instructions
    • BPF filter return values
    • Installing a BPF program
    • BPF program examples
    • Checking the architecture
    • Applications and further information
    • Productivity aids (libseccomp and other tools)
25. Seccomp: Further Details (*)
    • Caveats
    • Discovering the system calls made by a program
    • Further details on seccomp filters
    • Extended BPF (eBPF)
    • Other filter return actions
    • Further details on BPF programs
    • Recent seccomp features
    • Audit logging of filter actions
26. Cgroups: Introduction
    • Preamble
    • What are control groups?
    • An example: the pids controller
    • Creating and destroying cgroups
    • Populating a cgroup
    • Enabling and disabling controllers
27. Cgroups: A Survey of the Controllers
    • The cpu, memory, freezer, and pids controllers
    • Other controllers
28. Cgroups: Advanced Features
    • Cgroup namespaces
    • Release notification (cgroup.events file)
    • Delegation
29. Cgroups: Thread Mode (*)
    • Overview of thread mode
    • Creating and using a threaded subtree
30. Cgroups Version 1 (*)
    • Cgroups v1: hierarchies and controllers
    • Cgroups v1: populating a cgroup
    • Cgroups v1: release notification
    • Cgroups v1: delegation
    • Problems with cgroups v1; rationale for v2

(*) Topics marked with an asterisk will be covered subject to time constraints.