Unprivileged containers: mount namespace

The mount namespace isolates the filesystem mount points for a process, so you can have different mounted filesystems.


We are using the same base class as in part 2 of this series. All code is available at bitbucket

import os

from base import ContainerBase
from system import libc

cb = ContainerBase()
cb.namespace_flags = libc.CLONE_NEWUSER | libc.CLONE_NEWNS
cb.run(os.system, 'bash')

Note that the flag for a mount namespaces is CLONE_NEWNS and not CLONE_NEWMOUNT or similar. This is for historical reasons; it was the first namespace.

Running this short script will put you in a shell with both a new user namespace and a new mount namespace.

You can now create a new directory and try various mount commands. It will become apparent that not all commands will work as a regular user. The following sections will discuss what will work and what will not.

Directory and ...

Read More

Unprivileged containers: some code

The previous article was messy from a code point of view, so before going on to the other namespaces lets get something a little more useful. There is nothing new about containers, so you can skip this, but future episodes of this series will be based on this code.

Before we used the unshare call, this detaches the current namespace from its existing namespace and attaches it to a new one. However for the rest of the series we are going to use the clone call. This creates a new process and places it in the new namespace(s) all at once. The parent process is then able to setup the user and group mappings and communicate to the child process when this has been completed. As we found out previously it's necessary to wait until the user/group mappings to be set up before executing a new process ...

Read More

Exploring unprivileged containers

This series of articles will explore creating unprivileged containers on Linux using python and shell commands for ease of experimenting.

A container is something you construct using various system facilities such as Linux namespaces to isolate a process or a group of processes from the rest of the system. This isolation can be partial or almost complete giving the illusion of a separate machine.

A fairly recent distribution will be required to do everything that will be demonstrated here. This series of articles was prepared on a Fedora 24 distribution which has a 4.7 kernel at the time of writing.

The user namespace

A user namespace isolates user and group IDs, the root directory and other security related capabilities. There is a top level user namespace, and new child namespaces can be created. The user IDs and privileges can be different inside and outside the new namespace. In particular ...

Read More
  • 1