🫙 Rudimentary namespace-based container for Linux
Gontainer is a container made for fun and curiosity.
The scope of this project was to better understand Linux namespacing and apply it to create a rudimentary container.
If you have a Go environment ready to go, it's as easy as:
go get github.com/alegrey91/Gontainer
Once retrieved, you are ready to build:
go build github.com/alegrey91/Gontainer
Typing Gontainer -h shows the following output:
Usage: ./Gontainer -run -uid [-mnt=/path/rootfs] [-uts [-hostname=new_hostname]] [-ipc] [-net] [-pid]
-mnt='/path/rootfs' Enable Mount namespace
-uts Enable UTS namespace
-hostname='new_hostname' Set a custom hostname into the container
-ipc Enable IPC namespace
-net Enable Network namespace
-pid Enable PID namespace
-uid Enable User namespace
-v Check Gontainer version
Below is a full explanation of the provided arguments.
If you are interested in understanding how a containerized process is isolated from the rest of the system, follow the next steps.
From your terminal run:
Gontainer -run -uid
The result will be:
[user@real-hostname ~]$ ./Gontainer -run -uid
[Gontainer config]
• mnt: ""
• uts: disabled
• ipc: disabled
• net: disabled
• uid: enabled
📦 [root@real-hostname] ~/home/user ‣
What's happened?
We are running Gontainer from the home directory of a non-privileged user (user). Using the -uid flag, we map our local UID to the container's root UID. For this reason, we are root inside the container. First magic of Linux namespaces!
Commonly called chroot, this represents the true essence of system isolation.
First of all, we need a basic root filesystem. If you have docker installed, you can retrieve a rootfs from it:
docker container inspect alpine | grep UpperDir
Just cp -r the resulting path to /tmp/rootfs and then:
Gontainer -run -uid -mnt /tmp/rootfs
As you can see, your OS file system has disappeared, leaving space for a new file system (the Alpine rootfs).
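The two steps above (mapping the caller's UID to root in a user namespace, then swapping the root filesystem inside a mount namespace) can be reproduced in a few lines of Go. This is an added example, not Gontainer's own source: it assumes the rootfs path is passed in a ROOTFS environment variable, re-execs itself through /proc/self/exe for the second stage, and uses chroot instead of pivot_root to keep it short.

```go
package main

import (
	"fmt"
	"os"
	"os/exec"
	"syscall"
)

// nsAttr builds the clone flags and ID mappings for the child that becomes the
// container, mirroring the -uid/-mnt/-uts flags (assumed layout, not Gontainer's code).
func nsAttr(uid, mnt, uts bool, hostUID, hostGID int) *syscall.SysProcAttr {
	attr := &syscall.SysProcAttr{}
	if uid {
		// Map the host UID/GID to 0: "root" only inside the new user namespace.
		attr.Cloneflags |= syscall.CLONE_NEWUSER
		attr.UidMappings = []syscall.SysProcIDMap{{ContainerID: 0, HostID: hostUID, Size: 1}}
		attr.GidMappings = []syscall.SysProcIDMap{{ContainerID: 0, HostID: hostGID, Size: 1}}
	}
	if mnt {
		attr.Cloneflags |= syscall.CLONE_NEWNS
	}
	if uts {
		attr.Cloneflags |= syscall.CLONE_NEWUTS
	}
	return attr
}

func must(err error) {
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
}

func main() {
	rootfs := os.Getenv("ROOTFS") // assumption: e.g. /tmp/rootfs prepared as above
	if len(os.Args) > 1 && os.Args[1] == "child" {
		// Second stage: already inside the namespaces, so swap the root and exec a shell.
		if rootfs != "" {
			must(syscall.Chroot(rootfs)) // pivot_root would be stronger; chroot keeps it short
			must(os.Chdir("/"))
		}
		must(syscall.Exec("/bin/sh", []string{"sh"}, os.Environ()))
	}
	// First stage: re-exec ourselves with the requested namespaces applied.
	cmd := exec.Command("/proc/self/exe", "child")
	cmd.Stdin, cmd.Stdout, cmd.Stderr = os.Stdin, os.Stdout, os.Stderr
	cmd.SysProcAttr = nsAttr(true, rootfs != "", true, os.Getuid(), os.Getgid())
	must(cmd.Run())
}
```

Running it without ROOTFS reproduces the first experiment (root prompt, host filesystem still visible); with ROOTFS=/tmp/rootfs the shell starts inside the Alpine tree.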