How I Built a Container Runtime from Scratch using Linux Primitives

LXR is a Linux Container Runtime and browser-accessible development environment that I built from scratch using Linux namespaces, cgroups, networking, PTY execution and isolated root filesystems.

In this talk, I’ll be explaining how LXR works internally and the problems I faced while building it from scratch. I’ll talk about

1. Container isolation using namespaces & cgroups
2. Filesystem isolation with pivot_root and OverlayFS
3. Bridge networking using veth pairs
4. PTY based terminal execution
5. Container lifecycle management
6. Browser-accessible development environments using code-server
7. Custom O(1) IP allocator I built for container networking.

I’ll also share the painful parts of building LXR with namespace restrictions that completely confused me at first, networking bugs that took hours to debug, PTY issues, filesystem problems, containers randomly breaking at 2am, and the amount of trial and error it took before containers finally started behaving properly.

This talk is mostly about understanding what actually happens internally when a container gets created instead of treating containers like black-box tooling.

1. Understand how Linux namespaces and cgroups are used to create isolated container environments.
2. Designing an O(1) reusable IP allocator
3. How container runtimes internally manage processes, networking and filesystems.
4. Understand how OverlayFS, PTY execution, and Unix sockets are used in container systems.
5. Explore the architecture of a container runtime built directly on Linux kernel primitives.
6. Gain practical insight into the lower-level systems concepts behind modern container platforms.