Isolator
The goal of this library is to run shell commands in isolation using linux namespaces. It may be called from any other program requiring to run some operation inside container.
The goal of this library is not to be compliant with opencontainers spec. It rather provides functionality required in my other projects.
How to use it
Take a look at example/main.go
Features
- library may be used by other software instantly, it doesn't depend on starting another instance of
/proc/self/exelike other libraries do, - root permissions are not required to run a container,
- runs commands inside
PID,NS,USER,IPCandUTSnamespaces.NETnamespace is not used to make an internet available to container instantly, - communication is done in JSON format using stdin and stdout as transport layer,
- logs printed by executed command are transmitted back to the caller,
/procis mounted inside container and populated with in-container processes,/devis populated with basic devices:null,zero,random,urandomby binding them to those existing on host,tmpfsis mounted on/tmp,- DNS inside container is set to
8.8.8.8and8.8.4.4by populating/etc/resolv.conf, - library supports mounting custom locations inside container (mounts may be writable or read-only).