
Linux containers in 500 lines of code (2016) - sturza
https://blog.lizzie.io/linux-containers-in-500-loc.html
======
arpa
Docker in ~100 lines of bash:
[https://github.com/p8952/bocker](https://github.com/p8952/bocker)

~~~
VWWHFSfQ
"100 lines of bash" is pretty generous. they might as well have just made it 1
line of bash with the way the code is written

~~~
_zer0
Only the first few lines of the script look dense. Everything else looks
normal to me.

~~~
fwip
Stuff like
[https://github.com/p8952/bocker/blob/master/bocker#L94](https://github.com/p8952/bocker/blob/master/bocker#L94)
is super dense.

I might write that something like:

    
    
        cid="$(
          ps o ppid,pid |
            grep "^$(
              ps o pid,cmd |
                grep -E "^\ *[0-9]+ unshare.*$1" |
                awk '{print $1}'
            )" |
            awk '{print $2}'
        )"

~~~
stingraycharles
I agree with you that their code is fairly dense, yours is overly verbose.

Having said that, looking at their code, I don’t get the impression they’re
optimizing for LOC. There is plenty of verbosity and opportunity to remove
lines of code if they wanted.

~~~
cyansmoker
Can confirm. The bocker code (incl. my modest contributions) was targeted
towards showing that the Linux toolbox was available and scriptable.

------
musicale
Linux containers aren't rocket science, but the system call API is confusing
and hard to get right (I find pid namespaces particularly annoying), the basic
user commands (unshare, ip netns...) are kind of a pain to use, and
orchestration using Docker/Kubernetes is overly complex and opaque. There is
clearly room for improvement at all levels.

------
dang
A thread from 2017:
[https://news.ycombinator.com/item?id=15608435](https://news.ycombinator.com/item?id=15608435)

------
sascha_sl
Liz Rice has done some awesome on-stage live coding, including a very small
container runtime in go.

[https://www.youtube.com/watch?v=8fi7uSYlOdc](https://www.youtube.com/watch?v=8fi7uSYlOdc)

~~~
markandrewj
She has an O'Reilly video course on building container runtime's in go that is
really great as well.

------
kristianp
I'm wondering if MacOS has the requisite system calls to have its own native
containers, I imagine it does, Darwin being based on BSD. Are there any
products that use that functionality?

~~~
ailideex
Not sure how you get from Darwin being based on BSD to Darwin should be able
to support something which heavily relies on Linux specific functionality to
the point where even Freebsd having trouble
[https://wiki.freebsd.org/Docker](https://wiki.freebsd.org/Docker)

Sure with enough changes MacOS could support it, but then with enough changes
to anything, so that is not really a sensible measure.

~~~
TheDong
The question wasn't about running docker on *BSD or macOS, but rather running
some form of native container. Native containers don't rely on linux, they
rely on the kernel having some form of containerization primitive.

FreeBSD has jails, which are a native type of container on freebsd.

However, BSD operating systems are really different from each other. OpenBSD
doesn't have jails or anything too like containers, and macOS does have
sandboxes (which are kinda like a container in some way), but no proper
containers.

Docker isn't really related to the question of whether a native container
solution exists on non-linux platforms.

------
kazinator
> _pivot_root is a system call lets us swap the mount at / with another. Glibc
> doesn't provide a wrapper for it, but includes a prototype in the man page.
> I don't really understand, but OK, we'll include our own._

Probably because pivot_root is a speciality that is used in initramfs
boostrapping and is exposed to that scriptology via the pivot_root program
that comes from the util-linux project.

------
exxo_
Simple unprivileged container runtimes:
[https://github.com/NVIDIA/enroot](https://github.com/NVIDIA/enroot)
[https://github.com/hpc/charliecloud](https://github.com/hpc/charliecloud)

------
projektfu
I like the use of noweb. Very slick.

------
parhamn
I was actually wondering what the lowest-resource way of launching a bunch of
mostly-idle single port applications in isolation currently is. Docker runtime
is bloated, Kubernetes has recommended limits (and enforced on cloud
providers), Runc feels like you have to implement Kubernetes/Docker on top
yourself. Anyone seen anything else out there to run a few thousand single
port binaries and multiplex them with a webserver?

~~~
oszione
Podman with the new crun[1] container runtime is pretty lightweight.
Everything circles back to C.

[1]: [https://github.com/containers/crun](https://github.com/containers/crun)

