This is a container build from scratch in a few lines of Go code. It uses namespaces and cgroups and mounts a tmpfs that's isolated from host filesystem. The project must be run in a Linux environment (GOOS=linux). You can use vagrant to spin up a virtual linux machine. It is based on the great talk from Liz Rice - Containers From Scratch
- Run
make ubuntufs
to create a ubuntu filesystem (Docker required) - Run
make run
to start the container
- Run
make ubuntufs
to create a ubuntu filesystem (Docker required) - Run
vagrant up
- Run
vagrant ssh
- Change to the synced folder with
cd container
- Run
make run
to start the container
- The program forks itself with
CLONE_NEWUTS
,CLONE_NEWPID
,CLONE_NEWNS
flags to get isolated hostname, processes and mounts - The forked process creates a
cgroup
to limit pids to max 20 - It mounts the
./ubuntu_fs
directory as root filesystem usingchroot
to limit access to host machine's filesystem - It mounts the
/mytemp
directory as tmpfs. Changes to this directory are not visible from the host. - It mounts the proc directory (after
CLONE_NEWPID
namespace was already set) so that when you runps
in the container, only the processes running in it are displayed. - It executes the supplied argument
/bin/bash
inside the isolated environment (=container)
You can run a fork bomb :(){ :|:& };:
in the container to test the cgroup limitation. WARNING! These examples may crash your computer if executed.