I'll almost finish the container runtime today. These are things that are not strictly necessary, but they move my toy container runtime closer to the real one just a little bit. One more namespace to add. Make container a zombie killer. Drop capabilities for extra security.
more...
One of the features of the modern containers is the ability to limit the resources that a container can use. I'll add the simplest and the most limited variant of this to my container runtime - setting CPU and memory limits with cgroups.
more...
Just a bit of work is left for my "container runtime" to feel (and work!) almost like a real container runtime. Today I’ll tackle one of the bigger pieces: setting up networking between the container and the host.
more...
Simple minimal root filesystems work well as a base for my humble container runtime, but it would be nice to have some flexibility while still keeping the root image intact. This is where overlayfs comes to the rescue.
more...
It’s time to get back to the problem I ran into earlier: the ps command inside the container was showing host processes. That clearly means something was missing. Time to employ the next kind of namespace — the mount namespace.
We need more cowbells isolation! At the moment my container runtime creates a new PID namespace, but somehow it still manages not to fully isolate the child process from the host.
And I definitely don’t want the child process to be root on the host machine. Time to fix that.
Time to finally start writing some code. I’ll begin this post by creating a project and end it with a program running inside a new PID namespace.
more...
So… how do you build a thing when you don’t really understand how that thing works? Where do you even begin?
Well, a journey of a thousand miles begins with a single step. I just need to take that step. Fortunately, I have a rough idea of how.
more...
That’s what the title says. Now, if you’re a sane person, you’re probably wondering how I ended up in this situation.
Allow me to explain…
more...