Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/hupe1980/containers-from-scratch

Writing a container in a few lines of Go code
https://github.com/hupe1980/containers-from-scratch

cgroup container go golang namespace

Last synced: 27 days ago
JSON representation

Writing a container in a few lines of Go code

Host: GitHub
URL: https://github.com/hupe1980/containers-from-scratch
Owner: hupe1980
License: mit
Created: 2021-05-18T08:32:58.000Z (over 3 years ago)
Default Branch: main
Last Pushed: 2021-05-20T08:06:12.000Z (over 3 years ago)
Last Synced: 2024-10-19T06:18:05.572Z (3 months ago)
Topics: cgroup, container, go, golang, namespace
Language: Go
Homepage:
Size: 5.86 KB
Stars: 0
Watchers: 3
Forks: 0
Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE

Awesome Lists containing this project

README

# Containers from Scratch in Go
This is a container build from scratch in a few lines of Go code. It uses namespaces and cgroups and mounts a tmpfs that's isolated from host filesystem. The project must be run in a Linux environment (GOOS=linux). You can use vagrant to spin up a virtual linux machine. It is based on the great talk from Liz Rice - [Containers From Scratch](https://www.youtube.com/watch?v=MHv6cWjvQjM&t=1316sc)

## Installation (linux)
- Run `make ubuntufs` to create a ubuntu filesystem (Docker required)
- Run `make run` to start the container

## Installation (non linux)
- Run `make ubuntufs` to create a ubuntu filesystem (Docker required)
- Run `vagrant up`
- Run `vagrant ssh`
- Change to the synced folder with `cd container`
- Run `make run` to start the container

## How it works
- The program forks itself with `CLONE_NEWUTS`, `CLONE_NEWPID`, `CLONE_NEWNS` flags to get isolated hostname, processes and mounts
- The forked process creates a `cgroup` to limit pids to max 20
- It mounts the `./ubuntu_fs` directory as root filesystem using `chroot` to limit access to host machine's filesystem
- It mounts the `/mytemp` directory as tmpfs. Changes to this directory are not visible from the host.
- It mounts the proc directory (after `CLONE_NEWPID` namespace was already set) so that when you run `ps` in the container, only the processes running in it are displayed.
- It executes the supplied argument `/bin/bash` inside the isolated environment (=container)

## Testing
You can run a fork bomb `:(){ :|:& };:` in the container to test the cgroup limitation. WARNING! These examples may crash your computer if executed.