So… how do you build a thing when you don’t really understand how that thing works? Where do you even begin?
Well, a journey of a thousand miles begins with a single step. I just need to take that step. Fortunately, I have a rough idea of how.
Three years ago I would have started by Googling. These days, I start by asking ChatGPT. It gave me some plausible-sounding pointers, so I switched to the man pages—specifically man 2 clone—read about the CLONE_NEW* flags, and then went back to Google. Rinse and repeat.
At the heart of containerization are Linux kernel namespaces. Michael Kerrisk wrote an excellent overview of namespaces more than a decade ago. That series gave me a solid starting point, and after reading it I felt I had a much clearer idea of what I wanted to build.
As before, my overall goal is to learn new things—mostly Rust and how container runtimes work—and whatever else I stumble over along the way. But I needed smaller, more achievable goals.
The first one is to write something similar to the unshare utility: a program that runs other programs in separate namespaces. I’ll start with simpler namespaces, like UTS or PID, and gradually add the more complex ones. At minimum, I want to support the PID, user, UTS, mount, and network namespaces. I expect mount and network to be the trickiest, so I’ll leave those for last.
When I’m done, I should be able to run a process in meaningful isolation—it shouldn’t be able to affect the rest of my system. Even something as destructive as bash -c 'rm -rf /' should be safe.
I can already see a few stretch goals taking shape, but for now I’ll focus on my own version of unshare. I’ll call it silo, since it runs applications siloed off from the rest of the system.
I am going to say this once here, and won't repeat myself: I am just learning Rust, so my code most likely sucks. If you happen to read this blog and find code that sucks, you can let me know in the comments... oh wait, no you can't! There are no comments. I would like to be able to write idiomatic Rust, but for now I am mostly focusing on working programs, so my transgressions will be left unpunished. If you feel too strongly about it and just cannot let it slide - shoot me an email. This makes it easier for me to ignore it if I don't feel like engaging in conversation, but also makes it easier to read it at my own pace and fix the code whenever I have time.