Fundamentals & History
What is a container fundamentally, and how does it differ from a virtual machine in terms of isolation model, boundaries, and trade-offs?
What are the advantages and trade-offs of using containers versus virtual machines for application deployment?
What are some alternatives to Docker, and how do they differ conceptually (e.g., daemonless containers, containerd's role)?
Can you trace the historical evolution from chroot to LXC to Docker to the OCI and containerd standardization?
Where did namespaces come from and why were they introduced in the Linux kernel?
How do Windows containers work, and what is the difference between process isolation and Hyper-V isolation?
Oci Image & Registry Specs
What is the difference between a Docker image and a container, and how do image layers contribute to the container's filesystem structure and its copy-on-write semantics?
What are the OCI Image Specification and OCI Distribution Specification, and what aspects of container images and registries do they standardize?
Explain the concept of content-addressable storage and the use of SHA256 digests in container images.
What is the relationship between the OCI Runtime Specification and the OCI Image Specification?
What information is contained in an OCI image manifest versus the image config JSON?
What is a manifest list (image index), and how does it enable multi-architecture container images?
What is the difference between a layer's diffID and its layer digest in the OCI image format?
How does a container registry store and serve image blobs according to the OCI distribution spec?
Namespaces
What is the purpose of namespaces in Linux containers, and what does each type (PID, network, mount, user) isolate?
Are cgroups and namespaces the same thing? Explain the difference.
What does the UTS namespace isolate, and why does a container need its own hostname and domain name?
How do Linux kernel primitives like namespaces and cgroups provide isolation and resource control for containers?
How does the PID namespace work, and what is the significance of PID 1 inside a container's PID namespace?
What is the role of the mount namespace and how does it provide a container with its own view of the filesystem?
How does the network namespace provide network isolation for containers?
When multiple containers run within a single Pod, what Linux kernel namespaces (e.g., network, PID) and filesystem aspects do they typically share?
How do Linux kernel primitives like network namespaces enable container networking, and what are the conceptual models for inter-container communication such as the Linux bridge model?
What does the IPC namespace isolate, and what kinds of inter-process communication resources does it scope to a container?
How does nsenter work, and how do the /proc/<pid>/ns/* files let you join an existing namespace?
How does the network namespace by itself provide no connectivity, and what steps are needed to actually give a container network access?
How do user namespaces work, and what is their role in enabling rootless containers?
What are the clone(), unshare(), and setns() syscalls, and how are they used to create and manage namespaces?
How does a container engine manage process IDs within containers, and what is the relationship between container PIDs and host PIDs?
What is the cgroup namespace, and why was it added on top of cgroups themselves?
What is the time namespace, and what does it allow a container to virtualize?
What is mount propagation, and can you explain the difference between shared, private, slave, and unbindable mounts in the context of containers?
How do PID namespaces nest, and what does a process see about PIDs in parent versus child namespaces?
How do user namespaces remap uid/gid, and how do subuid/subgid ranges make 'root in the container' not root on the host?
Container Filesystems & Storage
How does a container get its own isolated root filesystem?
Describe the architecture and working principle of OverlayFS, including lowerdir, upperdir, workdir, and merged layers.
Explain the Copy-on-Write (CoW) mechanism in container filesystems and its benefits.
How are container image layers stacked to form the container's root filesystem, and why are layers read-only, shared, and deduplicated?
What happens to data written to the container's writable layer when the container is removed, and how do volumes and bind mounts address data persistence?
How does the layered filesystem contribute to the immutability of container images?
How do bind mounts and volumes differ from the ephemeral writable layer at the kernel-mount level?
What is the pivot_root syscall and why is it preferred over chroot for container root filesystem isolation?
Why might FUSE be the right choice for an image filesystem, and what tradeoffs does it introduce versus OverlayFS?
What are whiteout files, and how do they handle deleted files in OverlayFS and OCI image layers?
What are opaque directories in OverlayFS and OCI layers, and how do they differ from whiteout files?
What are snapshotters and storage/graph drivers, and what role do they play in a high-level runtime like containerd?
Cgroups & Resource Control
What are Linux Control Groups (cgroups), and how are they used to manage and limit resources for containers?
How are CPU and memory limits enforced by cgroups? Describe the mechanisms involved such as cpu.cfs_quota_us and memory.max.
How does the container OOM-killer behave, and how is it related to cgroup memory limits?
What is the freezer controller, and how does pausing or freezing a container work through cgroups?
What does the pids cgroup controller do, and why is limiting the number of processes important for containers?
How does the io/blkio cgroup controller constrain a container's disk I/O?
What is cpuset, and how does it differ from CPU quota-based limits for constraining container CPU usage?
What is the difference between resource accounting and resource limiting in cgroups?
What are the key differences between cgroups v1 and cgroups v2, and what architectural changes did v2 introduce and why?
What is the impact of the unified hierarchy in cgroups v2 on resource accounting and management compared to v1?
Explain the difference between soft and hard limits in cgroups, and what happens when a process exceeds its hard memory limit.
What is the cgroup driver, and what is the difference between the systemd and cgroupfs drivers at a conceptual level?
What is the difference between cpu.shares/weight (relative) and CFS quota/period (absolute), and how does CPU throttling actually manifest?
What is cgroup delegation, and why does it matter for rootless or nested container scenarios?
Container Networking
What are the common container network modes (none, host, bridge, container), and when would you use each?
What is the Container Network Interface (CNI), and what problem does it solve in the container ecosystem?
How is a container's outbound and inbound traffic handled through NAT and port mapping in the default bridge model?
What is the role of veth pairs and the Linux bridge in connecting a container's network namespace to the host network?
Security & Isolation
Why is running a process as root inside a container still considered a security risk?
What are Linux Capabilities, and how are they used to fine-tune the privileges of a process inside a container?
What is a read-only root filesystem for a container, and what security benefit does it provide?
What is a privileged container, and why does it dramatically weaken container isolation?
What is the default set of Linux capabilities a container keeps versus drops, and what is the reasoning behind that default?
Explain seccomp-bpf syscall filtering. How does it enhance container security, and what is the concept of a default seccomp profile?
Walk through the gVisor isolation model. How does it differ from a standard container runtime?
What are sandboxed container runtimes like gVisor or Kata Containers, why do they exist, and what problem do they solve regarding container isolation?
Is a container a security boundary? Explain your reasoning and the implications for container security.
Why are rootless containers considered more secure than rootful containers, and what are the underlying mechanisms?
What are some common container escape vectors, and how can they be mitigated?
How do Linux Security Modules (LSMs) like AppArmor or SELinux contribute to container isolation?
What isolation primitives are non-negotiable when designing a system to safely execute untrusted code at scale?
What is the NO_NEW_PRIVS bit, and how does it strengthen container security?
Why is CAP_SYS_ADMIN considered especially dangerous to grant to a container?
Why does exposing the container runtime socket inside a container create a container escape risk?
What are Firecracker microVMs, and how do they provide VM-level isolation while behaving like containers?
Why is the shared host kernel considered the fundamental security boundary and weakness of standard containers?
Runtimes & Standards
What is the OCI Runtime Specification, and what does it define?
What is the Kubernetes Container Runtime Interface (CRI) and its role as the boundary between Kubernetes and container runtimes?
How do high-level container runtimes like containerd and CRI-O differ from low-level OCI-compliant runtimes like runc and crun?
What is an 'OCI bundle,' what two main components does it consist of, and what is its role for an OCI runtime like runc?
Describe the role of runc in the container runtime model and how it relates to the OCI Runtime Spec.
What is crun and how does it compare to runc?
What is youki, and how does it compare to runc and crun as an OCI runtime?
Walk through the high-level steps runc performs to launch a container from an OCI bundle, from setting up namespaces to executing the init process.
What is the purpose of the containerd-shim process, and why is it essential for long-running containers?
Can you describe the overall architecture of containerd and how its components fit together to run containers?
How does the shim capture a container's exit code and hold its pty, and why must it survive independently of the container manager daemon?
What was the dockershim, why was it removed from Kubernetes, and what does that tell us about the CRI boundary?
Pid 1 & Process Lifecycle
What is the issue of 'zombie processes' in containers, and how does it relate to the PID 1 problem?
How do tools like tini or dumb-init address the PID 1 problem and facilitate graceful container shutdown?
Why is SIGTERM propagation and graceful shutdown important for applications running as PID 1 in a container?
Explain the 'PID 1 problem' in containers. Why does PID 1 have special signal handling semantics in Linux?