{"id":20350505,"url":"https://github.com/alegrey91/gontainer","last_synced_at":"2025-04-12T01:32:53.487Z","repository":{"id":57652170,"uuid":"240726682","full_name":"alegrey91/Gontainer","owner":"alegrey91","description":"🫙 Rudimentary namespace-based container for Linux","archived":false,"fork":false,"pushed_at":"2020-09-11T19:21:49.000Z","size":60,"stargazers_count":74,"open_issues_count":1,"forks_count":8,"subscribers_count":6,"default_branch":"master","last_synced_at":"2024-06-20T10:19:39.204Z","etag":null,"topics":["containers","golang","linux","namespaces","sandboxing"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/alegrey91.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2020-02-15T14:26:44.000Z","updated_at":"2024-04-20T22:15:24.000Z","dependencies_parsed_at":"2022-08-28T00:02:13.530Z","dependency_job_id":null,"html_url":"https://github.com/alegrey91/Gontainer","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/alegrey91%2FGontainer","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/alegrey91%2FGontainer/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/alegrey91%2FGontainer/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/alegrey91%2FGontainer/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/alegrey91","download_url":"https://codeload.github.com/alegrey91/Gontainer/tar.gz/refs/heads/master","host":{"name":"GitHub","ur
l":"https://github.com","kind":"github","repositories_count":224702221,"owners_count":17355516,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["containers","golang","linux","namespaces","sandboxing"],"created_at":"2024-11-14T22:30:55.270Z","updated_at":"2024-11-14T22:32:49.779Z","avatar_url":"https://github.com/alegrey91.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Gontainer\n\n![](./Gontainer.jpg)\n\n**Gontainer** is a container made for fun and curiosity.\n\nThe scope of this project was to better understand Linux namespacing and apply it to build a rudimentary container.\n\n\n\n## Install\n\nIf you have a [Go](https://golang.org/) environment ready to go, it's as easy as:\n\n```bash\ngo get github.com/alegrey91/Gontainer\n```\n\nOnce retrieved, you are ready to build:\n\n```bash\ngo build github.com/alegrey91/Gontainer\n```\n\n(With Go 1.17 or newer, `go get` no longer downloads and builds a command this way; clone the repository and run `go build` inside it instead.)\n\n\n\n## Usage\n\nTyping `Gontainer -h` shows the following output:\n\n```\nUsage: ./Gontainer -run -uid [-mnt=/path/rootfs] [-uts [-hostname=new_hostname]] [-ipc] [-net] [-pid]\n  -mnt='/path/rootfs'           Enable Mount namespace\n  -uts                          Enable UTS namespace\n  -hostname='new_hostname'      Set a custom hostname into the container\n  -ipc                          Enable IPC namespace\n  -net                          Enable Network namespace\n  -pid                          Enable PID namespace\n  -uid                          Enable User namespace\n  -v                            Check Gontainer version\n```\n\nBelow is a full explanation of the provided 
arguments:\n\n* **mnt**: Mount namespaces control mount points. Upon creation, the mounts from the current mount namespace are copied to the new namespace. The clone flag used to create a new namespace of this type is CLONE_NEWNS. [6] In Gontainer, `-mnt` also takes the path of the root filesystem the container switches into.\n* **uts**: UTS namespaces allow a single system to appear to have different host and domain names to different processes. The clone flag used to create a new namespace of this type is CLONE_NEWUTS. [6]\n* **ipc**: IPC namespaces isolate processes from SysV-style inter-process communication. This prevents processes in different IPC namespaces from using, for example, the SHM family of functions to establish a range of shared memory between the two processes. The clone flag used to create a new namespace of this type is CLONE_NEWIPC. [6]\n* **net**: Network namespaces virtualize the network stack. On creation, a network namespace contains only a loopback interface. The clone flag used to create a new namespace of this type is CLONE_NEWNET. [6]\n* **pid**: The PID namespace provides processes with an independent set of process IDs (PIDs) from other namespaces. The first process created in a PID namespace is assigned process ID 1 and receives most of the same special treatment as the normal init process. The clone flag used to create a new namespace of this type is CLONE_NEWPID. [6]\n* **uid**: User namespaces are a feature to provide both privilege isolation and user identification segregation across multiple sets of processes, available since kernel 3.8. With administrative assistance it is possible to build a container with seeming administrative rights without actually giving elevated privileges to user processes. The clone flag used to create a new namespace of this type is CLONE_NEWUSER. 
[6]\n\n\n\n## Examples\n\nIf you are interested in understanding how a containerized process is isolated from the rest of the system, follow the next steps.\n\n### User ID isolation\n\nFrom your terminal run:\n\n```\nGontainer -run -uid\n```\n\nThe result will be:\n\n```\n[user@real-hostname ~]$ ./Gontainer -run -uid\n[Gontainer config]\n• mnt:  \"\"\n• uts:  disabled\n• ipc:  disabled\n• net:  disabled\n• uid:  enabled\n\n📦 [root@real-hostname] ~/home/user ‣  \n```\n\nWhat happened?\n\nWe ran `Gontainer` from the home directory of an unprivileged user (`user`).\n\nWith the `-uid` flag we create a new user namespace and map our real UID to UID 0 (`root`) inside it.\n\nThat is why we are `root` inside the container. First magic of Linux namespaces!\n\nNote that this is root only within the namespace: the kernel still treats the process as `user` for anything outside it (files owned by the real root, the host's network configuration, other users' processes), so the capabilities it holds grant no privilege over host resources. Files in a mounted rootfs that belong to UIDs without a mapping show up as the overflow user (`nobody`).\n\n### Mount isolation\n\nOften loosely described as `chroot`, this is the true essence of filesystem isolation: a new mount namespace plus a switch into a separate root filesystem.\n\nFirst of all, we need a basic root filesystem. If you have Docker installed, you can borrow one from an existing container (here one named `alpine`):\n\n`docker container inspect alpine | grep UpperDir`\n\nCopy the resulting path to `/tmp/rootfs` (prefer `cp -a` over plain `cp -r` so ownership and permission bits survive) and then:\n\n`Gontainer -run -uid -mnt /tmp/rootfs`\n\nAs you can see, your host filesystem has disappeared, replaced by the new one (the Alpine rootfs).\n\n\n\n## References\n\n1. https://medium.com/@teddyking/linux-namespaces-850489d3ccf\n2. https://medium.com/@ssttehrani/containers-from-scratch-with-golang-5276576f9909\n3. http://ifeanyi.co/posts/linux-namespaces-part-1/\n4. https://klotzandrew.com/blog/container-from-scratch\n5. https://www.infoq.com/articles/build-a-container-golang/\n6. https://en.wikipedia.org/wiki/Linux_namespaces\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Falegrey91%2Fgontainer","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Falegrey91%2Fgontainer","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Falegrey91%2Fgontainer/lists"}
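The argument list in the README (one CLONE_NEW* bit per namespace) and the two walkthroughs (user ID isolation, mount isolation) reduce to a small amount of Go: compute the clone flags, install a single uid_map/gid_map entry so that UID 0 inside is the caller's UID outside, re-exec into the new namespaces, then chroot and exec a shell. The program below is an added example written for this page, not Gontainer's own source. The `Options` type, the `CloneFlags`/`SysProcAttr`/`child` function names and the `NS_EXAMPLE_CHILD` environment variable are this example's own conventions; the flag names mirror the README. It assumes Linux, Go's `syscall` package, that the host allows unprivileged user namespaces, and that the rootfs (if given) contains `/bin/sh` and a `/proc` directory.

```go
package main

import (
	"flag"
	"fmt"
	"os"
	"os/exec"
	"syscall"
)

// Options is the set of namespaces to request (example's own type, modelled
// on Gontainer's flags). A non-empty Rootfs enables the mount namespace.
type Options struct {
	Rootfs   string
	UTS      bool
	Hostname string
	IPC      bool
	Net      bool
	PID      bool
	User     bool
}

// CloneFlags maps the selected namespaces onto the CLONE_NEW* bits that
// clone(2) expects; these are the constants listed in the README.
func CloneFlags(o Options) uintptr {
	var flags uintptr
	if o.Rootfs != "" {
		flags |= syscall.CLONE_NEWNS
	}
	if o.UTS {
		flags |= syscall.CLONE_NEWUTS
	}
	if o.IPC {
		flags |= syscall.CLONE_NEWIPC
	}
	if o.Net {
		flags |= syscall.CLONE_NEWNET
	}
	if o.PID {
		flags |= syscall.CLONE_NEWPID
	}
	if o.User {
		flags |= syscall.CLONE_NEWUSER
	}
	return flags
}

// SysProcAttr builds the attributes handed to exec.Cmd. With -uid, the
// single-entry mapping is what makes UID 0 inside the namespace correspond
// to the caller's real, unprivileged UID: "root" in the container holds
// capabilities only over objects owned by this namespace, nothing on the host.
func SysProcAttr(o Options) *syscall.SysProcAttr {
	attr := &syscall.SysProcAttr{Cloneflags: CloneFlags(o)}
	if o.User {
		attr.UidMappings = []syscall.SysProcIDMap{{ContainerID: 0, HostID: os.Getuid(), Size: 1}}
		attr.GidMappings = []syscall.SysProcIDMap{{ContainerID: 0, HostID: os.Getgid(), Size: 1}}
	}
	return attr
}

// child runs inside the new namespaces: apply the per-namespace setup and
// replace itself with a shell. syscall.Exec only returns on failure.
func child(o Options) error {
	if o.UTS && o.Hostname != "" {
		if err := syscall.Sethostname([]byte(o.Hostname)); err != nil {
			return fmt.Errorf("sethostname: %w", err)
		}
	}
	if o.Rootfs != "" {
		if err := syscall.Chroot(o.Rootfs); err != nil {
			return fmt.Errorf("chroot: %w", err)
		}
		if err := os.Chdir("/"); err != nil {
			return err
		}
		if o.PID {
			// Fresh procfs so `ps` inside sees only this PID namespace. Can fail
			// with EPERM on hosts whose /proc has over-mounts (kernel rule).
			if err := syscall.Mount("proc", "/proc", "proc", 0, ""); err != nil {
				return fmt.Errorf("mount /proc: %w", err)
			}
		}
	}
	return syscall.Exec("/bin/sh", []string{"sh"}, os.Environ())
}

func main() {
	var o Options
	flag.StringVar(&o.Rootfs, "mnt", "", "rootfs path; enables mount namespace")
	flag.BoolVar(&o.UTS, "uts", false, "enable UTS namespace")
	flag.StringVar(&o.Hostname, "hostname", "", "hostname inside the container")
	flag.BoolVar(&o.IPC, "ipc", false, "enable IPC namespace")
	flag.BoolVar(&o.Net, "net", false, "enable network namespace")
	flag.BoolVar(&o.PID, "pid", false, "enable PID namespace")
	flag.BoolVar(&o.User, "uid", false, "enable user namespace (root inside, you outside)")
	flag.Parse()

	// Child stage, selected by an environment variable (example convention).
	if os.Getenv("NS_EXAMPLE_CHILD") == "1" {
		fmt.Fprintln(os.Stderr, child(o))
		os.Exit(1)
	}
	// Parent: re-exec ourselves with the same flags inside the namespaces.
	cmd := exec.Command("/proc/self/exe", os.Args[1:]...)
	cmd.Env = append(os.Environ(), "NS_EXAMPLE_CHILD=1")
	cmd.Stdin, cmd.Stdout, cmd.Stderr = os.Stdin, os.Stdout, os.Stderr
	cmd.SysProcAttr = SysProcAttr(o)
	if err := cmd.Run(); err != nil {
		fmt.Fprintln(os.Stderr, "run:", err) // EPERM here usually means unprivileged user namespaces are disabled
		os.Exit(1)
	}
}
```

Run as `go run . -uid` to reproduce the README's first example, or `go run . -uid -pid -mnt /tmp/rootfs` for the mount walkthrough; without `-uid`, `chroot` and `sethostname` need real root, which is why Gontainer's usage line lists `-run -uid` first. Whatever the prompt says, `id` inside shows uid 0 while `cat /proc/self/uid_map` shows the single line mapping it back to your host UID.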