Executes any binary in any namespace-based Linux container, without platform-dependent kludges.
Tested and working with:
(If you test doin with another namespace-based container system and it works, please post a PR to update this README file!)
```sh
# Build doin.so (does not need root)
make
# Now as "root":
PID=$(docker inspect --format='{{.State.Pid}}' my-minimal-container)
./doin $PID tree /
```
The last line above is roughly equivalent to:
```sh
LD_PRELOAD=$(pwd)/doin.so __DOIN_ATTACH_PID=${PID} tree /
```
Infilter uses the ptrace() system call to be notified when the program makes its first system calls, and modifies CPU registers directly to inject calls to the setns() system call. doin, on the other hand, works independently of the platform, as it does not access hardware features directly.
The doin.so shared object is loaded by the dynamic linker before the other shared objects needed by the binary being executed, including the C library. The C library provides __libc_start_main, which is called by the _start function of every program (_start is where execution really starts; its code resides in crt1.o and is linked into every program). doin.so overrides __libc_start_main to arrange the calls to setns() before calling the original __libc_start_main provided by the C library, which in turn calls the program's main() function.
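The following is an added illustration of the mechanism just described, written for this README and not taken from the doin sources. It interposes __libc_start_main, reads the __DOIN_ATTACH_PID variable named above straight from the initial stack, opens the target's /proc/PID/ns/ files, calls setns() on each and then chains to the C library's real __libc_start_main via dlsym(RTLD_NEXT). The helper names (doin_parse_pid, doin_ns_path, doin_env_take, doin_enter_namespaces), the set and order of namespaces joined, and the exit codes are assumptions of this example, not doin's.

```c
/* Added illustration of doin's LD_PRELOAD mechanism; not the project's own code.
 * Build as a shared object:  gcc -shared -fPIC -o doin_shim.so doin_shim.c
 * (append -ldl on glibc older than 2.34). Run, as root:
 *   LD_PRELOAD=./doin_shim.so __DOIN_ATTACH_PID=<pid> tree /
 */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <dlfcn.h>
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#ifndef RTLD_NEXT                 /* fallback in case _GNU_SOURCE took effect too late */
#define RTLD_NEXT ((void *) -1L)
#endif
extern int setns(int fd, int nstype);   /* Linux-only; lives in <sched.h> under _GNU_SOURCE */

#define DOIN_PID_ENV "__DOIN_ATTACH_PID"  /* variable name taken from the README above */

/* Namespaces to join, in this order (an assumption of this example). Every file is
 * opened before the first setns() because once the mount namespace changes, the
 * target's /proc/<pid>/ns/ directory may no longer be reachable. */
static const char *const doin_ns_names[] = { "ipc", "uts", "net", "pid", "mnt" };
#define DOIN_NS_COUNT (sizeof doin_ns_names / sizeof doin_ns_names[0])

/* Parse a strictly positive decimal PID; -1 for empty, trailing junk, zero or overflow. */
long doin_parse_pid(const char *s)
{
    char *end;
    if (s == NULL || *s == '\0') return -1;
    errno = 0;
    long v = strtol(s, &end, 10);
    if (errno != 0 || *end != '\0' || v <= 0) return -1;
    return v;
}

/* Write "/proc/<pid>/ns/<name>" into buf; returns its length, or -1 if it does not fit. */
int doin_ns_path(char *buf, size_t size, long pid, const char *name)
{
    int n = snprintf(buf, size, "/proc/%ld/ns/%s", pid, name);
    return (n < 0 || (size_t) n >= size) ? -1 : n;
}

/* Find "name=value" in a NULL-terminated envp, remove the entry in place and return
 * its value (NULL if absent). Removing it keeps programs the target later exec()s from
 * trying to join the namespaces again; inside the container the PID numbering differs,
 * so that second attempt would fail and kill the child. */
const char *doin_env_take(char **envp, const char *name)
{
    size_t len = strlen(name);
    for (char **e = envp; *e != NULL; e++) {
        if (strncmp(*e, name, len) == 0 && (*e)[len] == '=') {
            const char *value = *e + len + 1;
            do { e[0] = e[1]; } while (*e++ != NULL);   /* shift the rest down, NULL included */
            return value;
        }
    }
    return NULL;
}

/* Join the target's namespaces. Returns how many were entered, or -1 with errno set.
 * setns() needs CAP_SYS_ADMIN, which is why the README runs doin as root. */
int doin_enter_namespaces(long pid)
{
    int fds[DOIN_NS_COUNT];
    char path[64];
    size_t opened = 0;
    int result = 0, saved = 0;

    for (; opened < DOIN_NS_COUNT; opened++) {
        if (doin_ns_path(path, sizeof path, pid, doin_ns_names[opened]) < 0) {
            errno = ENAMETOOLONG;
            break;
        }
        if ((fds[opened] = open(path, O_RDONLY | O_CLOEXEC)) < 0) break;
    }
    if (opened < DOIN_NS_COUNT) { result = -1; saved = errno; }

    for (size_t i = 0; i < opened; i++) {
        if (result >= 0) {
            if (setns(fds[i], 0) == 0) result++;        /* nstype 0: accept any namespace type */
            else { result = -1; saved = errno; }
        }
        close(fds[i]);
    }
    if (result < 0) errno = saved;
    return result;
}

typedef int (*doin_main_fn)(int, char **, char **);
typedef int (*doin_start_fn)(doin_main_fn, int, char **, void (*)(void),
                             void (*)(void), void (*)(void), void *);

/* Interposed __libc_start_main: crt1.o's _start reaches this before main() runs.
 * Join the namespaces, then chain to the C library's own implementation. */
int __libc_start_main(doin_main_fn main_fn, int argc, char **argv,
                      void (*init)(void), void (*fini)(void),
                      void (*rtld_fini)(void), void *stack_end)
{
    doin_start_fn real = (doin_start_fn) dlsym(RTLD_NEXT, "__libc_start_main");
    if (real == NULL) {
        fprintf(stderr, "doin: real __libc_start_main not found\n");
        _exit(127);
    }
    /* envp follows argv's NULL terminator on the initial stack; read it there rather
     * than through getenv(), since libc has not finished initialising at this point. */
    const char *target = doin_env_take(&argv[argc + 1], DOIN_PID_ENV);
    if (target != NULL) {
        long pid = doin_parse_pid(target);
        if (pid < 0 || doin_enter_namespaces(pid) < 0) {
            fprintf(stderr, "doin: cannot enter namespaces of pid '%s': %s\n",
                    target, pid < 0 ? "invalid pid" : strerror(errno));
            _exit(125);
        }
    }
    return real(main_fn, argc, argv, init, fini, rtld_fini, stack_end);
}
```

Two details matter in practice: all namespace files are opened before any setns() call, because joining the mount namespace first can hide the target's /proc from the process, and the __DOIN_ATTACH_PID entry is removed from the environment block before main() runs so that anything the program exec()s inside the container does not try to enter the namespaces a second time.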