
Linux containers in 500 lines of code - billconan
https://blog.lizzie.io/linux-containers-in-500-loc.html
======
davexunit
Since others are sharing lightweight container implementations, I'll throw
mine in. This one is written in Scheme:
[http://git.savannah.gnu.org/cgit/guix.git/tree/gnu/build/lin...](http://git.savannah.gnu.org/cgit/guix.git/tree/gnu/build/linux-
container.scm#n268)

I like to think that there are sufficient code comments and docstrings to help
demystify what is going on under the hood with containers.

~~~
dawkins
what language is written in? It looks like lisp, but exceptionally readable.

~~~
davexunit
Scheme, Guile in particular:
[https://gnu.org/s/guile](https://gnu.org/s/guile)

------
joosters
The root capabilities section is worrying. Instead of trying to exhaustively
list every capability that needs to be dropped, shouldn't the code instead
just list the capabilities that are allowed, and clear all the others?

This would seem to better guard against accidentally missing existing
capabilities, and also protect against newer capabilities that might be added
in a future kernel.

~~~
vog
I fully agree that whitelisting is safer than blacklisting.

But on the top of the article, the author explicitly recognzied this and
explained why they went down that route:

 _> I wanted specifically to find a minimal set of restrictions to run
untrusted code. This isn't how you should approach containers on anything with
any exposure: you should restrict everything you can. But I think it's
important to know which permissions are categorically unsafe!_

~~~
joosters
Fair point. And the article does make a good read, with explanations about why
each capability in particular should be disallowed.

------
szemet
What a fine piece of literate programming!

I've just printed it out, and it literally contains 100 page of explanation
and context for that 500 lines of code. Great work!

~~~
guardian5x
Just curious, why print it out?

~~~
giancarlostoro
Printed out works are less distracting, you can also write on them with a
pencil or highlight things you like. Also if the page ever disappears /
becomes inaccessible you have a backup of it. Not something I do, but I can
see the uses. A coworker did it to analyze someone else's code. Also it
doesn't drain your eyes as much. I sometimes wish I could have a Kindle that
just showed me code (with some syntax highlighting) so I could look at code on
an e-reader type of display but never drain my eyes doing so.

~~~
Bromskloss
> Also if the page ever disappears / becomes inaccessible you have a backup of
> it.

I get the other parts, but this is the one thing where having it in a computer
format would be _more_ practical. :-) I would rather go the opposite way, i.e.
scan physical book for the purpose of keeping a backup.

------
jabl
Yet another lightweight container runtime: bocker, docker reimplemented in
about 100 lines of bash:
[https://github.com/p8952/bocker](https://github.com/p8952/bocker)

------
kragniz
Nice post! Plug for another container runtime, but in python:
[https://github.com/kragniz/omochabako](https://github.com/kragniz/omochabako)
(although it doesn't do networking or cgroups)

Writing this kind of stuff from scratch is good fun, and really helps
understand the underlying kernel features.

------
mzzter
I like to go to the first few commits of some repositories to see how the
initial proof of concept was implemented. Docker was one that surprised me.
Turns out that the core of it was mounting some folders with union fs and
providing an API to track its location and status [1].

[1]
[https://github.com/moby/moby/blob/a27b4b8cb8e838d03a99b6d2b3...](https://github.com/moby/moby/blob/a27b4b8cb8e838d03a99b6d2b30f76bdaf2f9e5d/filesystem.go#L35)

------
zeveb
Kinda cool how it's all generated from an org-mode file:
[https://blog.lizzie.io/linux-containers-
in-500-loc.org](https://blog.lizzie.io/linux-containers-in-500-loc.org)

Really nice example of the power of literate programming in general and of
org-mode's support for it in particular.

------
Bromskloss
She mentions five Linux kernel mechanisms – "namespaces", "capabilities",
"cgroups", and "setrlimit". Is any of those what I should use if I want to run
an application inside some kind of container that lets me intercept file
system calls (for example for the purpose of creating a file on the fly as it
is accessed)?

~~~
simcop2387
Seccomp with ptrace is the way I'd do this. You can setup the rules to signal
the ptracing process to intercept the syscall. I've not done it before but it
should be possible. Id also look at doing it in a mount namespace with
overlayfs on top of everything the process can see, so that you can manipulate
anything you want or need filewise without destroying the original system.
Then you can copy out any changed files later if you want to preserve them.

~~~
kylequest
You should check out DockerSlim [0] then :-) It'll generate a seccomp profile
for you and it uses ptrace too.

[0] [http://dockersl.im](http://dockersl.im)

------
edwintorok
Is it only me or both firefox and chromium refuse to connect with something
like ERR_SSL_PROTOCOL_ERROR?

------
unhammer
off-topic, but that's a pretty cool e-mail address she's got :-) I wonder how
many clients fail on it.

~~~
djsumdog
Huh. That is interesting. _ makes me think of a placeholder in Scala. It is a
totally valid e-mail address .. makes me want to add it to my own domain and
use it as a junk address.

