@tuxfight3r
Last active October 27, 2020 08:40
container basics cgroups namespaces
# Prepare a random ID (not a hash). We need it to identify our container.
$ uuid="ps_$(shuf -i 42002-42254 -n 1)"
# Prepare a root dir for all the containers.
$ btrfs_path='/var/bocker' && cgroups='cpu,cpuacct,memory';
# Prepare the root filesystem as a snapshot of the given `$image`
# (an existing btrfs subvolume under `$btrfs_path`).
$ btrfs subvolume snapshot "$btrfs_path/$image" "$btrfs_path/$uuid" > /dev/null
# Create a cgroup
$ cgcreate -g "$cgroups:/$uuid"
# Control cgroup resource
$ cgset -r cpu.shares=512 "$uuid"
$ cgset -r memory.limit_in_bytes=512000000 "$uuid"
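# Execute a given `$cmd` in the cgroup.
# Run it inside the network namespace netns_$uuid (ip netns exec); that
# namespace must already exist, this snippet does not create it.
# Create new mount, UTS, IPC and PID namespaces for the command (unshare -fmuip).
# No user namespace is created, so root inside the container is root on the host.
# We also need to change the root directory (chroot).
# We also need to mount the runtime (/proc) inside the new root.
# Logging is a bonus (tee).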
$ cgexec -g "$cgroups:$uuid" \
ip netns exec netns_"$uuid" \
unshare -fmuip --mount-proc \
chroot "$btrfs_path/$uuid" \
/bin/sh -c "/bin/mount -t proc proc /proc && $cmd" \
2>&1 | tee "$btrfs_path/$uuid/$uuid.log"
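
Added example, not part of the original gist: a POSIX shell check that compares `/proc/<pid>/ns` links to show which namespaces a process started by the command above still shares with a host process. `PROC_ROOT`, `EXPECTED_ISOLATED` and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the gist): list the namespaces a containerized
# process still shares with a host process, using the /proc/<pid>/ns links.
# PROC_ROOT is an assumption that lets the check run on a constructed tree.
PROC_ROOT="${PROC_ROOT:-/proc}"

# What the gist's command line should isolate: unshare -m (mnt), -u (uts),
# -i (ipc), -p (pid), plus net from `ip netns exec`.
EXPECTED_ISOLATED="mnt uts ipc pid net"

# ns_id PID TYPE: print the link target, e.g. "pid:[4026532201]"; empty if unreadable.
ns_id() {
    readlink "$PROC_ROOT/$1/ns/$2" 2>/dev/null || true
}

# shared_namespaces HOST_PID CONTAINER_PID: types whose ids are identical.
shared_namespaces() {
    out=""
    for link in "$PROC_ROOT/$1"/ns/*; do
        t=${link##*/}
        # *_for_children describes future children, not the process itself.
        case "$t" in *_for_children) continue ;; esac
        a=$(ns_id "$1" "$t")
        b=$(ns_id "$2" "$t")
        if [ -n "$a" ] && [ "$a" = "$b" ]; then out="$out $t"; fi
    done
    echo "${out# }"
}

# missing_isolation HOST_PID CONTAINER_PID: expected-isolated types still shared.
missing_isolation() {
    shared=" $(shared_namespaces "$1" "$2") "
    out=""
    for t in $EXPECTED_ISOLATED; do
        case "$shared" in *" $t "*) out="$out $t" ;; esac
    done
    echo "${out# }"
}

# Usage (as root): sh nscheck.sh <container_pid>   compares against PID 1.
if [ "$#" -ge 1 ]; then
    echo "shared with PID 1: $(shared_namespaces 1 "$1")"
    echo "expected isolated but shared: $(missing_isolation 1 "$1")"
fi
```

Pass the host-side PID of the `/bin/sh` child started by the command above. `user` and `cgroup` (and `time` on newer kernels) show up as shared because the command creates none of those namespaces.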