alegrey91 / Gontainer

Licence: GPL-3.0 license
A simple and rudimentary container for Linux


Gontainer

Gontainer is a container made for fun and curiosity.

The scope of this project was to better understand Linux namespacing and apply it to build a rudimentary container.

Install

If you have a Go environment ready to go, it's as easy as:

go get github.com/alegrey91/Gontainer

Once retrieved, you are ready to build:

go build github.com/alegrey91/Gontainer

Usage

Typing Gontainer -h shows the following output:

Usage: ./Gontainer -run -uid [-mnt=/path/rootfs] [-uts [-hostname=new_hostname]] [-ipc] [-net] [-pid]
  -mnt='/path/rootfs'           Enable Mount namespace
  -uts                          Enable UTS namespace
  -hostname='new_hostname'      Set a custom hostname into the container
  -ipc                          Enable IPC namespace
  -net                          Enable Network namespace
  -pid                          Enable PID namespace
  -uid                          Enable User namespace
  -v                            Check Gontainer version

Below is a full explanation of the provided arguments:

  • mnt: Mount namespaces isolate the set of mount points a process sees. Upon creation the mounts of the current mount namespace are copied into the new one, so the child starts with the host's view and then diverges: mounting, unmounting or pivoting to a new root affects only the new namespace. The clone flag used to create a new namespace of this type is CLONE_NEWNS. [6]
  • uts: UTS namespaces allow a single system to appear to have different host and domain names to different processes. The clone flag used to create a new namespace of this type is CLONE_NEWUTS. [6]
  • ipc: IPC namespaces isolate System V IPC objects and POSIX message queues. This prevents processes in different IPC namespaces from using, for example, the shm* family of functions to share a memory segment. The clone flag used to create a new namespace of this type is CLONE_NEWIPC. [6]
  • net: Network namespaces virtualize the network stack (interfaces, routing tables, firewall rules, port numbers). On creation a network namespace contains only a loopback interface, so a process in a fresh one has no connectivity until the host wires up a veth pair or similar. The clone flag used to create a new namespace of this type is CLONE_NEWNET. [6]
  • pid: The PID namespace provides processes with an independent set of process IDs (PIDs). The first process created in a PID namespace is assigned PID 1 and receives most of the special treatment of the normal init process, including reaping orphans; if it exits, the kernel kills every other process in the namespace. A freshly created PID namespace still shows the host's processes in /proc until a new procfs is mounted inside it. The clone flag used to create a new namespace of this type is CLONE_NEWPID. [6]
  • uid: User namespaces, available since kernel 3.8, provide both privilege isolation and user identification segregation across multiple sets of processes. A process can be UID 0 with a full capability set inside the namespace while the kernel keeps treating it as the unprivileged UID that created it for everything outside; the correspondence between inside and outside IDs is written to /proc/[pid]/uid_map and /proc/[pid]/gid_map. This is what lets a container appear to have administrative rights without actually handing elevated privileges to the user's processes. The clone flag used to create a new namespace of this type is CLONE_NEWUSER. [6]
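
The following is an added example and not code from the Gontainer repository: it shows how switches like the ones listed above become clone(2) flags and user-namespace ID mappings in Go through syscall.SysProcAttr, and then starts /bin/sh in the resulting namespaces. The Opts struct and the function names are this example's own; unlike Gontainer's -mnt, which takes a rootfs path, the -mnt switch here is a plain boolean that only creates the mount namespace (placing a root filesystem inside it is a separate, child-side step not shown in this block).

```go
package main

import (
	"flag"
	"fmt"
	"os"
	"os/exec"
	"syscall"
)

// Opts mirrors the Gontainer switches explained above (the names are the
// README's, the struct is this example's).
type Opts struct {
	Mnt, UTS, IPC, Net, PID, UID bool
}

// cloneFlags maps the enabled namespaces onto the CLONE_NEW* bits that the
// kernel expects in clone(2). CLONE_NEWNS is the mount namespace flag.
func cloneFlags(o Opts) uintptr {
	var f uintptr
	if o.Mnt {
		f |= syscall.CLONE_NEWNS
	}
	if o.UTS {
		f |= syscall.CLONE_NEWUTS
	}
	if o.IPC {
		f |= syscall.CLONE_NEWIPC
	}
	if o.Net {
		f |= syscall.CLONE_NEWNET
	}
	if o.PID {
		f |= syscall.CLONE_NEWPID
	}
	if o.UID {
		f |= syscall.CLONE_NEWUSER
	}
	return f
}

// idMappings builds single-entry uid_map/gid_map contents: ID 0 inside the new
// user namespace is the caller's real UID/GID outside it. The child therefore
// sees itself as root but owns nothing more on the host than its parent did.
func idMappings(hostUID, hostGID int) (uid, gid []syscall.SysProcIDMap) {
	uid = []syscall.SysProcIDMap{{ContainerID: 0, HostID: hostUID, Size: 1}}
	gid = []syscall.SysProcIDMap{{ContainerID: 0, HostID: hostGID, Size: 1}}
	return uid, gid
}

// sysProcAttr assembles what os/exec hands to clone(2). Go's parent side
// writes /proc/<child>/uid_map and gid_map for us before the child execs.
func sysProcAttr(o Opts, hostUID, hostGID int) *syscall.SysProcAttr {
	attr := &syscall.SysProcAttr{Cloneflags: cloneFlags(o)}
	if o.UID {
		attr.UidMappings, attr.GidMappings = idMappings(hostUID, hostGID)
		// An unprivileged parent may only write gid_map after setgroups is denied.
		attr.GidMappingsEnableSetgroups = false
	}
	return attr
}

func main() {
	var o Opts
	flag.BoolVar(&o.Mnt, "mnt", false, "enable Mount namespace")
	flag.BoolVar(&o.UTS, "uts", false, "enable UTS namespace")
	flag.BoolVar(&o.IPC, "ipc", false, "enable IPC namespace")
	flag.BoolVar(&o.Net, "net", false, "enable Network namespace")
	flag.BoolVar(&o.PID, "pid", false, "enable PID namespace")
	flag.BoolVar(&o.UID, "uid", false, "enable User namespace")
	flag.Parse()

	// Start a shell inside the requested namespaces; with -pid it becomes PID 1
	// there (a fresh /proc has to be mounted inside before ps reflects that).
	cmd := exec.Command("/bin/sh")
	cmd.Stdin, cmd.Stdout, cmd.Stderr = os.Stdin, os.Stdout, os.Stderr
	cmd.SysProcAttr = sysProcAttr(o, os.Getuid(), os.Getgid())
	if err := cmd.Run(); err != nil {
		fmt.Fprintln(os.Stderr, "namespace child failed:", err)
		os.Exit(1)
	}
}
```

Run it as an unprivileged user with -uid -pid -uts: inside the shell, id reports uid=0 while cat /proc/self/uid_map shows a single line mapping 0 to your real UID, and touching a file under your home directory still produces a file owned by your real user on the host. If the host has unprivileged user namespaces disabled, clone(2) fails with EPERM and cmd.Run returns that error.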

Examples

If you are interested in understanding how a containerized process is isolated from the rest of the system, follow the next steps.

User ID isolation

From your terminal run:

Gontainer -run -uid

The result will be:

[user@real-hostname ~]$ ./Gontainer -run -uid
[Gontainer config]
• mnt:  ""
• uts:  disabled
• ipc:  disabled
• net:  disabled
• uid:  enabled

📦 [root@real-hostname] ~/home/user ‣  

What's happened?

We are running Gontainer from the home directory of an unprivileged user (user).

With the -uid flag we create a new user namespace and map our real UID onto UID 0 inside it.

For this reason, we are root inside the container. First magic of Linux namespaces! Note that this root is confined to the new user namespace: the capabilities it carries apply only to resources owned by that namespace, files on the host are still checked against our original UID, and any host ID without a mapping appears inside as nobody (the overflow ID, 65534).

Mount isolation

Often loosely called chroot, this is the true essence of filesystem isolation: the containerized process gets a root filesystem of its own. Note that a bare chroot(2) is not a security boundary (a process holding CAP_SYS_CHROOT can break out of it); a new mount namespace combined with pivot_root(2) detaches the old root from the container's view entirely.

First of all, we need a basic root filesystem. If you have Docker installed, you can take one from a container created from the alpine image (for instance after docker create --name alpine alpine):

docker container inspect alpine | grep UpperDir

Be aware that UpperDir is only the container's writable overlay layer, so for a freshly created container it is nearly empty; the image's files live in the LowerDir entries. A simpler way to obtain the merged tree is docker export alpine | tar -C /tmp/rootfs -xf -. Otherwise copy the resulting directory to /tmp/rootfs (cp -a, so that ownership and permission bits survive) and then:

Gontainer -run -uid -mnt /tmp/rootfs

As you can see, your host's file system has disappeared, replaced by the new one (the alpine root filesystem).
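
As an added example (not Gontainer's own code), here is the child-side counterpart of the mount isolation described above: given a directory such as /tmp/rootfs, it optionally sets a hostname, pivots the root filesystem, mounts a private /proc and finally execs a shell. It assumes it already runs in a new mount namespace (and, when started unprivileged, a new user namespace that grants CAP_SYS_ADMIN there), for instance launched as unshare -Urmp --fork ./child /tmp/rootfs box; the binary name child, the function names and the .pivot_root stub directory are this example's own choices.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"syscall"
)

// pivotRoot makes newroot the root of this mount namespace with pivot_root(2).
// Unlike a bare chroot(2), the old root is unmounted afterwards, so there is no
// host tree left to walk back into.
func pivotRoot(newroot string) error {
	st, err := os.Stat(newroot)
	if err != nil {
		return fmt.Errorf("rootfs: %w", err)
	}
	if !st.IsDir() {
		return fmt.Errorf("rootfs %q is not a directory", newroot)
	}
	// Stop mount events from propagating back to the host's namespace; pivot_root
	// also refuses to work while the current root is a shared mount.
	if err := syscall.Mount("", "/", "", syscall.MS_REC|syscall.MS_PRIVATE, ""); err != nil {
		return fmt.Errorf("make / rprivate: %w", err)
	}
	// pivot_root needs newroot to be a mount point; bind-mounting the directory
	// onto itself is the usual trick.
	if err := syscall.Mount(newroot, newroot, "", syscall.MS_BIND|syscall.MS_REC, ""); err != nil {
		return fmt.Errorf("bind rootfs: %w", err)
	}
	putOld := filepath.Join(newroot, ".pivot_root") // stub name chosen for this example
	if err := os.MkdirAll(putOld, 0o700); err != nil {
		return err
	}
	if err := syscall.PivotRoot(newroot, putOld); err != nil {
		return fmt.Errorf("pivot_root: %w", err)
	}
	// Our cwd still points into the old tree until we chdir into the new root.
	if err := syscall.Chdir("/"); err != nil {
		return err
	}
	// The host root is now visible only at /.pivot_root: detach it and drop the stub.
	if err := syscall.Unmount("/.pivot_root", syscall.MNT_DETACH); err != nil {
		return fmt.Errorf("unmount old root: %w", err)
	}
	return os.Remove("/.pivot_root")
}

// mountProc mounts a procfs that reflects this PID namespace, so ps inside the
// container lists only container processes instead of the host's.
func mountProc() error {
	if err := os.MkdirAll("/proc", 0o555); err != nil {
		return err
	}
	flags := uintptr(syscall.MS_NOSUID | syscall.MS_NODEV | syscall.MS_NOEXEC)
	return syscall.Mount("proc", "/proc", "proc", flags, "")
}

func main() {
	if len(os.Args) < 2 {
		fmt.Fprintln(os.Stderr, "usage: child /path/rootfs [hostname]")
		os.Exit(2)
	}
	if len(os.Args) > 2 {
		// Only changes the name seen inside the current UTS namespace.
		if err := syscall.Sethostname([]byte(os.Args[2])); err != nil {
			fmt.Fprintln(os.Stderr, "sethostname:", err)
			os.Exit(1)
		}
	}
	if err := pivotRoot(os.Args[1]); err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	if err := mountProc(); err != nil {
		fmt.Fprintln(os.Stderr, "mount /proc:", err)
		os.Exit(1)
	}
	env := []string{"PATH=/usr/sbin:/usr/bin:/sbin:/bin", "PS1=[container] # "}
	if err := syscall.Exec("/bin/sh", []string{"sh"}, env); err != nil {
		fmt.Fprintln(os.Stderr, "exec /bin/sh:", err)
		os.Exit(1)
	}
}
```

Inside the resulting shell, ls / shows only the alpine tree, cat /proc/1/cmdline is the shell itself, and hostname prints the name passed as the second argument. The MS_REC|MS_PRIVATE step matters for safety as much as for correctness: without it the bind mount and the later unmount can leak into the host's mount namespace on systems where / is a shared mount (the systemd default).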

References

  1. https://medium.com/@teddyking/linux-namespaces-850489d3ccf
  2. https://medium.com/@ssttehrani/containers-from-scratch-with-golang-5276576f9909
  3. http://ifeanyi.co/posts/linux-namespaces-part-1/
  4. https://klotzandrew.com/blog/container-from-scratch
  5. https://www.infoq.com/articles/build-a-container-golang/
  6. https://en.wikipedia.org/wiki/Linux_namespaces