- While learning about OS-level virtualization to create a sandbox environment to execute untrusted user code, I came across the concept of containers.
- I had used containers a couple of times before, specifically Docker containers, but only understood them from a very general perspective: a container isolates an application and its dependencies into a self-contained unit that can run anywhere.
- In my opinion, containers are a really trending/hyped technology that is poorly understood, so I think it would be nice to create one yourself to understand how it works.
- You'll need to do it from a Linux machine.
- First download the Ubuntu filesystem (ubuntu_fs.zip) and unzip it at the root of this project, so that the tree ends up in ./ubuntu_fs.
```sh
# root is needed for creating the cgroup, for the namespaces (no user namespace is used) and for chroot
sudo su
go run main.go run /bin/bash
```
- The parent process forks itself with the `CLONE_NEWUTS`, `CLONE_NEWPID` and `CLONE_NEWNS` flags, giving the child its own hostname, PID numbering and mount table.
- The forked process creates a `cgroup` to limit the memory usage of itself and any child process it creates.
- It mounts the `./ubuntu_fs` directory as its root filesystem using `chroot`, which limits access to the host machine's filesystem.
- It mounts the `/mytemp` directory as tmpfs; any change made to this directory is held in memory and is not visible from the host.
- It mounts proc (the `CLONE_NEWPID` namespace is already in place at this point), so that the container can run `ps` and see only the processes running inside it.
- Finally it executes the supplied argument, `/bin/bash`, inside the isolated environment.
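The steps above, carried through in one runnable Go program. This is an added example written for this page, not the project's own main.go: it assumes the unpacked Ubuntu tree sits in ./ubuntu_fs, and it assumes a cgroup v2 host (the unified hierarchy at /sys/fs/cgroup with the memory controller delegated to the root's children); the cgroup name `mycontainer` and the 100 MiB limit are arbitrary choices for the example.

```go
package main

import (
	"fmt"
	"os"
	"os/exec"
	"path/filepath"
	"strconv"
	"syscall"
)

// Assumptions for this example: the unpacked Ubuntu tree is in ./ubuntu_fs
// (as in the project); the cgroup name and 100 MiB limit are arbitrary.
const (
	rootfs     = "./ubuntu_fs"
	cgroupName = "mycontainer"
	memLimit   = 100 << 20
)

// cloneFlags: own hostname (UTS), own PID numbering, own mount table.
const cloneFlags = syscall.CLONE_NEWUTS | syscall.CLONE_NEWPID | syscall.CLONE_NEWNS

// cgroupFiles lists the {path, value} writes that set a cgroup v2 memory limit
// and move pid into the group (assumes /sys/fs/cgroup is the unified hierarchy).
func cgroupFiles(name string, limitBytes int64, pid int) [][2]string {
	dir := filepath.Join("/sys/fs/cgroup", name)
	return [][2]string{
		{filepath.Join(dir, "memory.max"), strconv.FormatInt(limitBytes, 10)},
		{filepath.Join(dir, "cgroup.procs"), strconv.Itoa(pid)},
	}
}

// limitMemory creates the cgroup and applies the writes; children inherit it.
func limitMemory(name string, limitBytes int64) error {
	if err := os.MkdirAll(filepath.Join("/sys/fs/cgroup", name), 0o755); err != nil {
		return err
	}
	for _, f := range cgroupFiles(name, limitBytes, os.Getpid()) {
		if err := os.WriteFile(f[0], []byte(f[1]), 0o644); err != nil {
			return err
		}
	}
	return nil
}

// run re-executes this binary as "child" under the clone flags: Go cannot
// fork and continue, so child() is where the namespaced setup happens.
func run() error {
	cmd := exec.Command("/proc/self/exe", append([]string{"child"}, os.Args[2:]...)...)
	cmd.Stdin, cmd.Stdout, cmd.Stderr = os.Stdin, os.Stdout, os.Stderr
	cmd.SysProcAttr = &syscall.SysProcAttr{Cloneflags: cloneFlags}
	return cmd.Run()
}

// child runs as PID 1 of the new PID namespace.
func child() error {
	steps := []struct {
		name string
		fn   func() error
	}{
		{"cgroup", func() error { return limitMemory(cgroupName, memLimit) }},
		{"hostname", func() error { return syscall.Sethostname([]byte("container")) }},
		// Make mounts private first, or the mounts below propagate back to the host.
		{"private /", func() error { return syscall.Mount("", "/", "", syscall.MS_REC|syscall.MS_PRIVATE, "") }},
		{"chroot", func() error { return syscall.Chroot(rootfs) }},
		{"chdir", func() error { return os.Chdir("/") }},
		{"mkdir", func() error { return os.MkdirAll("/mytemp", 0o755) }},
		// tmpfs: writes stay in memory and never reach ./ubuntu_fs on the host.
		{"tmpfs", func() error { return syscall.Mount("tmpfs", "/mytemp", "tmpfs", 0, "") }},
		// proc is mounted after the PID namespace exists, so ps sees only us.
		{"proc", func() error { return syscall.Mount("proc", "/proc", "proc", 0, "") }},
	}
	for _, s := range steps {
		if err := s.fn(); err != nil {
			return fmt.Errorf("%s: %w", s.name, err)
		}
	}
	defer syscall.Unmount("/proc", 0)
	defer syscall.Unmount("/mytemp", 0)
	cmd := exec.Command(os.Args[2], os.Args[3:]...)
	cmd.Stdin, cmd.Stdout, cmd.Stderr = os.Stdin, os.Stdout, os.Stderr
	return cmd.Run()
}

func main() {
	var err error
	if len(os.Args) >= 3 && os.Args[1] == "run" {
		err = run()
	} else if len(os.Args) >= 3 && os.Args[1] == "child" {
		err = child()
	} else {
		err = fmt.Errorf("usage: main run <cmd> [args...]")
	}
	if err != nil {
		fmt.Fprintln(os.Stderr, "error:", err)
		os.Exit(1)
	}
}
```

Run it as root with `go run main.go run /bin/bash`; inside, `hostname` prints `container`, `ps` shows only the shell and itself, and files written under /mytemp disappear with the container. Two details worth knowing: the `MS_REC|MS_PRIVATE` remount of `/` is what keeps the tmpfs and proc mounts from showing up in the host's mount table, and `cgroup.procs` is written with the PID as seen inside the new PID namespace (1), which the kernel resolves in the writer's namespace. On a cgroup v1 host the memory controller lives under /sys/fs/cgroup/memory/ with `memory.limit_in_bytes` instead, and the cgroup directory is left behind after exit; `rmdir` it once the container is gone.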
How this works is already well explained by the following resources/tutorials:
- Containers From Scratch by Liz Rice (video)
- Build your own container from Scratch
- Docker From Scratch with python workshop
- A Beginner-Friendly Introduction to Containers, VMs and Docker
- Namespaces in Go Series
- Understand Container
Containers are not contained
- Containers by default are not a secure environment for executing untrusted code (e.g. in a SaaS): a container shares the host's kernel, so an application running in it can still exploit a vulnerability in the Linux kernel to escape. This project in particular uses no user namespace, so root inside the container is root on the host, and it drops no capabilities and applies no seccomp filter.
- For ways to secure your containers you can take a look at gVisor (a user-space kernel that intercepts the application's syscalls) and Kata Containers and Firecracker (which run each workload in its own lightweight VM).