Wednesday 

Room 4 

11:40 - 12:40 

(UTC+01

Talk (60 min)

Part II - Linux containers in (less than) 100 lines of shell

Using just shell commands, can we create a "decent" container, something like the degree of isolation provided by a Docker container? If we work at it, we can come reasonably close.

Furthermore, we can do it using less than 100 lines of shell commands. Along the way we can learn quite a bit about the nature of a container and the Linux kernel mechanisms used to implement containers.

In this presentation, I’ll show how to use a few standard shell commands, plus the ever useful Busybox tool, to create a simple container. That container will have a root filesystem, employ Linux namespaces to provide isolation, and have an associated control group (cgroup) that allows us to limit the resources that the processes in the container can consume. Our container will have a superuser, and we’ll consider what it means to be superuser inside a container while at the same time being unprivileged outside the container.
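To make the last point of the abstract concrete, here is an added example (not material from the talk) that reads a user-namespace ID map and reports what UID 0 inside the namespace corresponds to in the parent namespace. The function names are hypothetical; the three-field map format is the one documented for `/proc/PID/uid_map` in user_namespaces(7), and the sample map line is constructed.

```shell
#!/bin/sh
# Added example; function names are hypothetical. Map lines follow the
# uid_map format from user_namespaces(7): <inside-start> <outside-start> <count>

# Translate an ID seen inside a user namespace to the ID its parent
# namespace sees. Reads map lines on stdin; returns 1 if the ID is unmapped.
map_to_outside() {
    want=$1
    while read -r inside outside count; do
        [ -n "$count" ] || continue            # skip blank or short lines
        if [ "$want" -ge "$inside" ] && [ "$want" -lt $((inside + count)) ]; then
            echo $((outside + want - inside))
            return 0
        fi
    done
    return 1
}

# Report what "root" (UID 0) in the namespace amounts to one level up.
# The parent may itself be a user namespace, so this is not a statement
# about the initial namespace unless the parent is the initial one.
classify_root() {
    if outside_uid=$(map_to_outside 0); then
        if [ "$outside_uid" -eq 0 ]; then
            echo "UID 0 inside is UID 0 in the parent namespace"
        else
            echo "UID 0 inside is unprivileged UID $outside_uid in the parent namespace"
        fi
    else
        echo "UID 0 is not mapped"
    fi
}

# Constructed sample: the single-line map typical of a namespace created
# by an unprivileged user whose own UID is 1000.
printf '0 1000 1\n' | classify_root

# Live check on Linux: the map of the shell running this script.
if [ -r /proc/self/uid_map ]; then
    classify_root < /proc/self/uid_map
fi
```

Kernel permission checks on objects owned outside the namespace, such as host files, are made against the mapped outside ID, which is why root in such a container cannot act as root on the host.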

Michael Kerrisk

Michael Kerrisk is a trainer, author, and programmer who has a passion for investigating and explaining software systems. He is the author of "The Linux Programming Interface", a widely acclaimed book on Linux (and UNIX) system programming. He has been actively involved in the Linux development community since 2000, operating mainly in the area of testing, design review, and documentation of kernel-user-space interfaces. Since 2004, he has maintained the Linux "man-pages" project, which provides the primary documentation for Linux system calls and C library functions. Michael is a New Zealander, living in Munich, Germany, from where he operates a training business (man7.org) providing low-level Linux programming courses in Europe, North America, and occasionally further afield.