Namespaces
Are cgroups and namespaces the same thing? Explain the difference.
How do Linux kernel primitives like namespaces and cgroups provide isolation and resource control for containers?
How do Linux kernel primitives like network namespaces enable container networking, and what are the conceptual models for inter-container communication such as the Linux bridge model?
How do PID namespaces nest, and what does a process see about PIDs in parent versus child namespaces?
How do user namespaces remap uid/gid, and how do subuid/subgid ranges make 'root in the container' not root on the host?
How do user namespaces work, and what is their role in enabling rootless containers?
How does a container engine manage process IDs within containers, and what is the relationship between container PIDs and host PIDs?
How does nsenter work, and how do the /proc/<pid>/ns/* files let you join an existing namespace?
How does the network namespace by itself provide no connectivity, and what steps are needed to actually give a container network access?
How does the network namespace provide network isolation for containers?
How does the PID namespace work, and what is the significance of PID 1 inside a container's PID namespace?
What are the clone(), unshare(), and setns() syscalls, and how are they used to create and manage namespaces?
What does the IPC namespace isolate, and what kinds of inter-process communication resources does it scope to a container?
What does the UTS namespace isolate, and why does a container need its own hostname and domain name?
What is mount propagation, and can you explain the difference between shared, private, slave, and unbindable mounts in the context of containers?
What is the cgroup namespace, and why was it added on top of cgroups themselves?
What is the purpose of namespaces in Linux containers, and what does each type (PID, network, mount, user) isolate?
What is the role of the mount namespace and how does it provide a container with its own view of the filesystem?
What is the time namespace, and what does it allow a container to virtualize?
When multiple containers run within a single Pod, what Linux kernel namespaces (e.g., network, PID) and filesystem aspects do they typically share?
Runtimes & Standards
Can you describe the overall architecture of containerd and how its components fit together to run containers?
Describe the role of runc in the container runtime model and how it relates to the OCI Runtime Spec.
How do high-level container runtimes like containerd and CRI-O differ from low-level OCI-compliant runtimes like runc and crun?
How does the shim capture a container's exit code and hold its pty, and why must it survive independently of the container manager daemon?
Walk through the high-level steps runc performs to launch a container from an OCI bundle, from setting up namespaces to executing the init process.
What is an 'OCI bundle,' what two main components does it consist of, and what is its role for an OCI runtime like runc?
What is crun and how does it compare to runc?
What is the Kubernetes Container Runtime Interface (CRI) and its role as the boundary between Kubernetes and container runtimes?
What is the OCI Runtime Specification, and what does it define?
What is the purpose of the containerd-shim process, and why is it essential for long-running containers?
What is youki, and how does it compare to runc and crun as an OCI runtime?
What was the dockershim, why was it removed from Kubernetes, and what does that tell us about the CRI boundary?
Fundamentals & History
Can you trace the historical evolution from chroot to LXC to Docker to the OCI and containerd standardization?
How do Windows containers work, and what is the difference between process isolation and Hyper-V isolation?
What are some alternatives to Docker, and how do they differ conceptually (e.g., daemonless containers, containerd's role)?
What are the advantages and trade-offs of using containers versus virtual machines for application deployment?
What is a container fundamentally, and how does it differ from a virtual machine in terms of isolation model, boundaries, and trade-offs?
Where did namespaces come from and why were they introduced in the Linux kernel?
Container Filesystems & Storage
Describe the architecture and working principle of OverlayFS, including lowerdir, upperdir, workdir, and merged layers.
Explain the Copy-on-Write (CoW) mechanism in container filesystems and its benefits.
How are container image layers stacked to form the container's root filesystem, and why are layers read-only, shared, and deduplicated?
How do bind mounts and volumes differ from the ephemeral writable layer at the kernel-mount level?
How does a container get its own isolated root filesystem?
How does the layered filesystem contribute to the immutability of container images?
What are opaque directories in OverlayFS and OCI layers, and how do they differ from whiteout files?
What are snapshotters and storage/graph drivers, and what role do they play in a high-level runtime like containerd?
What are whiteout files, and how do they handle deleted files in OverlayFS and OCI image layers?
What happens to data written to the container's writable layer when the container is removed, and how do volumes and bind mounts address data persistence?
What is the pivot_root syscall and why is it preferred over chroot for container root filesystem isolation?
Why might FUSE be the right choice for an image filesystem, and what tradeoffs does it introduce versus OverlayFS?
Security & Isolation
Explain seccomp-bpf syscall filtering. How does it enhance container security, and what is the concept of a default seccomp profile?
How do Linux Security Modules (LSMs) like AppArmor or SELinux contribute to container isolation?
Is a container a security boundary? Explain your reasoning and the implications for container security.
Walk through the gVisor isolation model. How does it differ from a standard container runtime?
What are Firecracker microVMs, and how do they provide VM-level isolation while behaving like containers?
What are Linux Capabilities, and how are they used to fine-tune the privileges of a process inside a container?
What are sandboxed container runtimes like gVisor or Kata Containers, why do they exist, and what problem do they solve regarding container isolation?
What are some common container escape vectors, and how can they be mitigated?
What is a privileged container, and why does it dramatically weaken container isolation?
What is a read-only root filesystem for a container, and what security benefit does it provide?
What is the default set of Linux capabilities a container keeps versus drops, and what is the reasoning behind that default?
What is the NO_NEW_PRIVS bit, and how does it strengthen container security?
What isolation primitives are non-negotiable when designing a system to safely execute untrusted code at scale?
Why are rootless containers considered more secure than rootful containers, and what are the underlying mechanisms?
Why does exposing the container runtime socket inside a container create a container escape risk?
Why is CAP_SYS_ADMIN considered especially dangerous to grant to a container?
Why is running a process as root inside a container still considered a security risk?
Why is the shared host kernel considered the fundamental security boundary and weakness of standard containers?
Pid 1 & Process Lifecycle
Explain the 'PID 1 problem' in containers. Why does PID 1 have special signal handling semantics in Linux?
How do tools like tini or dumb-init address the PID 1 problem and facilitate graceful container shutdown?
What is the issue of 'zombie processes' in containers, and how does it relate to the PID 1 problem?
Why is SIGTERM propagation and graceful shutdown important for applications running as PID 1 in a container?
Oci Image & Registry Specs
Explain the concept of content-addressable storage and the use of SHA256 digests in container images.
How does a container registry store and serve image blobs according to the OCI distribution spec?
What are the OCI Image Specification and OCI Distribution Specification, and what aspects of container images and registries do they standardize?
What information is contained in an OCI image manifest versus the image config JSON?
What is a manifest list (image index), and how does it enable multi-architecture container images?
What is the difference between a Docker image and a container, and how do image layers contribute to the container's filesystem structure and its copy-on-write semantics?
What is the difference between a layer's diffID and its layer digest in the OCI image format?
What is the relationship between the OCI Runtime Specification and the OCI Image Specification?
Cgroups & Resource Control
Explain the difference between soft and hard limits in cgroups, and what happens when a process exceeds its hard memory limit.
How are CPU and memory limits enforced by cgroups? Describe the mechanisms involved such as cpu.cfs_quota_us and memory.max.
How does the container OOM-killer behave, and how is it related to cgroup memory limits?
How does the io/blkio cgroup controller constrain a container's disk I/O?
What are Linux Control Groups (cgroups), and how are they used to manage and limit resources for containers?
What are the key differences between cgroups v1 and cgroups v2, and what architectural changes did v2 introduce and why?
What does the pids cgroup controller do, and why is limiting the number of processes important for containers?
What is cgroup delegation, and why does it matter for rootless or nested container scenarios?
What is cpuset, and how does it differ from CPU quota-based limits for constraining container CPU usage?
What is the cgroup driver, and what is the difference between the systemd and cgroupfs drivers at a conceptual level?
What is the difference between cpu.shares/weight (relative) and CFS quota/period (absolute), and how does CPU throttling actually manifest?
What is the difference between resource accounting and resource limiting in cgroups?
What is the freezer controller, and how does pausing or freezing a container work through cgroups?
What is the impact of the unified hierarchy in cgroups v2 on resource accounting and management compared to v1?
Container Networking
How is a container's outbound and inbound traffic handled through NAT and port mapping in the default bridge model?
What are the common container network modes (none, host, bridge, container), and when would you use each?
What is the Container Network Interface (CNI), and what problem does it solve in the container ecosystem?
What is the role of veth pairs and the Linux bridge in connecting a container's network namespace to the host network?