In the past few years, I have been doing a lot of container-related work. Previously, I saw a great talk by Julien Friedman, who wrote a container framework in a few lines of Go. This suddenly dawned on me that a container is just a machine within a restricted Linux process.
Building this restricted view involves many calls in the Golang system call package. Initially, I just used the superficial ones, but after a while I wanted to peel back the next layer of the onion and see what these system calls are and how they work. I will share what I learned in my talk at OSCON.
As the name suggests, syscalls are system calls. They are the way you request to enter the Linux kernel from user space. The kernel does some work for you, such as creating a process, and then goes back to user space.
There is a common mechanism that makes all system calls transition to the kernel, which is handled by the libc library. The userspace code sets some registers including the ID of the system call it wants and any arguments it needs to pass to the system call. It triggers a "trap" to transfer control to the kernel.
This is how user space code makes requests to the kernel, and Linux also has a pseudo file system that allows the kernel to pass information to user space, and its contents look like ordinary directories and files.
The/proc directory is a good example. Take a look inside and you'll find all kinds of interesting information about the processes running on the machine. In some cases, like cgroups (control groups), userspace can configure parameters by writing to files under these pseudo-filesystems.
What's especially interesting when you're working with containers is that the host's /proc contains all the information about the containerized process. This includes environment variables, which are also saved in the /proc pseudo-filesystem, which means your host has access to the environment of all running containers. If you pass secrets such as credentials or database passwords into the container through environment variables, there may be security consequences.
Many programmers who write conventional programs may not feel that they use system calls very often. But in fact they are called frequently, because daily activities such as making files or changing directories involve Linux system calls.
You don’t have to be a systems programmer to enjoy system calls!
About the Author:
Liz Rice - Liz Rice is a technical evangelist and container security expert at Aqua Security. Previously, she co-founded Microscaling Systems and developed its real-time scaling engine, as well as the popular image metadata website MicroBadger.com. She has extensive experience in development, team and product management of software ranging from network protocols and distributed systems, as well as digital technology areas such as VOD, music and VoIP.
The above is the detailed content of Tips for beginners to learn Linux system calls. For more information, please follow other related articles on the PHP Chinese website!
![[Web front-end] Node.js quick start](https://img.php.cn/upload/course/000/000/067/662b5d34ba7c0227.png)
