jakhax / containers-from-scratch

Creating containers from scratch to get better understanding of how containers work

Containers From Scratch

  • While learning about OS-level virtualization to create a sandbox environment for executing untrusted user code, I came across the concept of containers.
  • I had used containers a couple of times before, specifically Docker containers, but only understood them from a very general perspective: a container isolates an application and its dependencies into a self-contained unit that can run anywhere.
  • In my opinion, containers are a really trending/hyped technology that is poorly understood, so I think it would be nice to create one yourself to understand how it works.

Running this example

  • You'll need to do it from a Linux machine.
  • First download the Ubuntu root filesystem, ubuntu_fs.zip (you can get it from here), and unzip it at the root of this project.
# needs root privilege for creating cgroup
sudo su
go run main.go run /bin/bash

How it works

  • The parent process forks itself with the CLONE_NEWUTS, CLONE_NEWPID and CLONE_NEWNS flags, so the child gets its own hostname, process IDs and mounts.
  • The forked process creates a cgroup to limit the memory usage of itself and any child process it creates.
  • Use chroot to make the ./ubuntu_fs directory the root filesystem, limiting access to the host machine's filesystem.
  • Mount the /mytemp directory as tmpfs; any change made to this directory will not be visible from the host.
  • Mount proc inside the new PID namespace (CLONE_NEWPID was already set) so that the container can run ps and see only the processes running inside it.
  • Execute the supplied argument, /bin/bash, inside the isolated environment.
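The steps above, written out as a minimal Go program. This is an added example, not the project's main.go: the cgroup group name, the 64 MiB limit and the "container" hostname are assumptions, it targets cgroup v1, must run as root on Linux from the project root, and it adds one step the list does not mention, making mounts private before chroot so the proc and tmpfs mounts cannot propagate back to the host.

```go
package main

import (
	"os"
	"os/exec"
	"strconv"
	"syscall"
)

// New UTS (hostname), PID and mount namespaces for the child, as the README lists.
const cloneFlags = syscall.CLONE_NEWUTS | syscall.CLONE_NEWPID | syscall.CLONE_NEWNS
const cgroupDir = "/sys/fs/cgroup/memory/container_from_scratch" // assumed cgroup v1 group path
// cgroupFiles lists, in write order, the files that cap the group's memory at limitBytes
// and move pid into it; the cap then also covers every process pid spawns.
func cgroupFiles(pid, limitBytes int) [][2]string {
	return [][2]string{
		{cgroupDir + "/memory.limit_in_bytes", strconv.Itoa(limitBytes)},
		{cgroupDir + "/notify_on_release", "1"},
		{cgroupDir + "/cgroup.procs", strconv.Itoa(pid)},
	}
}
func must(err error) {
	if err != nil {
		panic(err)
	}
}
func main() {
	switch {
	case len(os.Args) < 3:
		panic("usage: main run <cmd> [args...]")
	case os.Args[1] == "run": // parent: re-exec this binary as "child" inside fresh namespaces
		cmd := exec.Command("/proc/self/exe", append([]string{"child"}, os.Args[2:]...)...)
		cmd.Stdin, cmd.Stdout, cmd.Stderr = os.Stdin, os.Stdout, os.Stderr
		cmd.SysProcAttr = &syscall.SysProcAttr{Cloneflags: cloneFlags}
		must(cmd.Run())
	case os.Args[1] == "child": // PID 1 inside the new namespaces
		must(os.MkdirAll(cgroupDir, 0755))
		for _, f := range cgroupFiles(os.Getpid(), 64<<20) { // assumed 64 MiB limit
			must(os.WriteFile(f[0], []byte(f[1]), 0644))
		}
		must(syscall.Sethostname([]byte("container")))
		// Private mounts first; otherwise proc/tmpfs below can propagate to the host.
		must(syscall.Mount("", "/", "", syscall.MS_REC|syscall.MS_PRIVATE, ""))
		must(syscall.Chroot("./ubuntu_fs")) // run from the project root
		must(os.Chdir("/"))
		must(syscall.Mount("proc", "proc", "proc", 0, ""))     // ps sees only this namespace
		must(syscall.Mount("tmpfs", "mytemp", "tmpfs", 0, "")) // /mytemp must exist in ubuntu_fs
		cmd := exec.Command(os.Args[2], os.Args[3:]...)
		cmd.Stdin, cmd.Stdout, cmd.Stderr = os.Stdin, os.Stdout, os.Stderr
		must(cmd.Run())
	}
}
```

Inside the child, `cat /proc/1/cgroup` and `ps aux` show the memory group and a process list starting at PID 1, while `hostname` on the host stays unchanged.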

Resources

How this works is already well explained by the following resources/tutorials:

Security of Containers

Containers are not contained

  • By default, containers are not a secure environment for executing untrusted code (e.g. SaaS): an application running in your container still shares the host's Linux kernel and can exploit a vulnerability in it.
  • For ways to secure your containers, take a look at gVisor, Kata Containers and Firecracker.

Resources on security of Containers
