#!/bin/bash
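# Absolute directory that holds this script. The commented-out test
# invocation at the end of the script chroots into "$current", so this is
# taken to be the jail root.
current="$(cd -- "$(dirname -- "${BASH_SOURCE[0]}")" && pwd)"

# Every mount point in this script is a relative path (bin, usr, dev, proc,
# sys, tmp, ...). Without an explicit cd they resolve against whatever
# directory the caller happens to be in, and the lazy recursive unmounts
# would then act on that directory's bin/dev/run/... instead of the jail's.
# Anchor the working directory to the jail root and refuse to use "/".
if [[ -z "$current" || "$current" == "/" ]]; then
  printf 'refusing to build the jail in "%s"\n' "$current" >&2
  exit 1
fi
cd -- "$current" || exit 1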
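#######################################
# Prepare a mount-point directory: create it when missing and detach
# whatever is currently visible inside it.
# Arguments: $1 - directory to prepare. It is used as given, so a relative
#                 name resolves against the current working directory.
# Returns:   2 when no directory is given, the status of mkdir when the
#            directory cannot be created, the status of umount when an
#            unmount was attempted, otherwise 0.
#######################################
function cleanup_mount() {
  # local: the caller's loop variable is also called "dir".
  local dir=$1

  if [[ -z "$dir" ]]; then
    printf 'cleanup_mount: missing directory argument\n' >&2
    return 2
  fi

  # ensure directory
  if [[ ! -d "$dir" ]]; then
    mkdir -p -- "$dir" || return
  fi

  # umount if not empty
  # "Not empty" is only a heuristic for "something is mounted here": a
  # directory holding ordinary files also triggers the umount (which then
  # fails), and an empty mounted filesystem is left in place.
  # -d frees an associated loop device, -l detaches lazily, -R recurses
  # into submounts.
  # NOTE(review): when the mount being removed is an rbind copy of a host
  # tree and mount propagation is shared, a recursive unmount can propagate
  # to the host's own submounts. Marking the copy with
  # `mount --make-rslave` right after binding avoids that - confirm the
  # propagation mode on the target host.
  if [[ -n "$(ls -A -- "$dir")" ]]; then
    umount -dlR -- "$dir"
  fi
}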
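#######################################
# Bind the host directory /<name> onto the relative directory <name>,
# requesting a read-only recursive bind.
# Arguments: $1 - directory name without a leading slash (e.g. "usr")
# Outputs:   progress line on stdout
# Returns:   status of the mount command
#######################################
function do_mount() {
  local dir=$1

  # Best effort, as before: a failed cleanup does not stop the mount.
  cleanup_mount "$dir"

  echo "mount $dir..."

  # NOTE(review): mount(8) applies "ro" to a bind mount with a second
  # remount step, and in many util-linux versions that step covers only
  # the top-level mount, so submounts pulled in by --rbind can stay
  # writable. Check the result with `findmnt -R` on the target and remount
  # the submounts read-only if they are not.
  # NOTE(review): read-only also does not stop a process from opening
  # device nodes or connecting to UNIX sockets that live in the bound tree.
  mount --rbind -o ro -- "/$dir" "$dir"
}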
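# prepare readonly fs
# Host directories exposed inside the jail. All names are relative, so they
# resolve against the current working directory.
# NOTE(review): this list hands the jail the host's etc, home, root, var,
# run and dev. Trim it to what hive actually needs; run and dev in
# particular carry sockets and device nodes that a read-only bind does not
# neutralise.
ro=(bin usr lib lib64 etc home root dev app var run)
for dir in "${ro[@]}"; do
  do_mount "$dir"
done

# fix tty leak
# NOTE(review): this path is absolute, so it detaches and remounts the
# HOST's /dev/pts, not the jail's dev/pts - confirm that is intended.
# Errors from the umount are discarded on purpose (it may not be mounted).
umount -dlR /dev/pts >/dev/null 2>&1
mount devpts /dev/pts -t devpts

# prepare proc
cleanup_mount proc
mount -t proc none proc

# sys is bound only when the directory is still empty, i.e. not yet mounted.
# NOTE(review): unlike the directories above, /sys is bound without "ro",
# so the jail sees a writable view of it.
mkdir -p sys
if [[ -z "$(ls -A sys)" ]]; then
  mount --rbind /sys sys
fi

# World-writable scratch directory. The sticky bit (1777 instead of 777)
# keeps one user from deleting or renaming another user's files, as on a
# regular /tmp.
mkdir -p tmp
chmod 1777 tmp

# Memory cgroup for the jailed process: no swapping, 10 MiB limit.
# NOTE(review): -f/-d/-s 777 make the control files, the directory and the
# tasks file writable by every user. If the cgroup hierarchy is reachable
# from inside the jail (for instance through the sys bind above), the
# confined process could raise its own limit or move itself out of the
# group. Restrict the modes to the account that runs cgexec.
jail="hive-jail"
cgcreate -f 777 -d 777 -s 777 -g "memory:/$jail"
cgset -r memory.swappiness=0 "/$jail"
cgset -r memory.limit_in_bytes=10m "/$jail"

# test
#chroot $current bash launcher.sh memory:/$jail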
#!/bin/bash
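# Launcher (presumably the launcher.sh run inside the chroot): starts hive
# inside the control group given as the first argument.
# Arguments: $1 - cgroup spec in cgexec's <controllers>:<path> form,
#                 e.g. memory:/hive-jail
# NOTE(review): chroot by itself does not confine a process that keeps
# root privileges; check which user hive ends up running as.
cgroup=$1
if [[ -z "$cgroup" ]]; then
  printf 'usage: %s <controllers>:<path>\n' "${0##*/}" >&2
  exit 2
fi

echo "using cgroup:$cgroup"
cgexec -g "$cgroup" hive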