Posted Thu 01 December 2016 in containers
The mount namespace isolates the filesystem mount points for
a process, so you can have different mounted filesystems.
Code
We are using the same base class as in part 2 of this series.
All code is available at bitbucket.
import os
from base import ContainerBase   # helper class introduced in part 2 of this series
from system import libc          # the series' own libc wrapper exposing the CLONE_* constants

cb = ContainerBase()
# An unprivileged user may only create a mount namespace together with
# (or inside) a new user namespace, hence both flags are combined here.
cb.namespace_flags = libc.CLONE_NEWUSER | libc.CLONE_NEWNS
cb.run(os.system, 'bash')   # clone a child into the new namespaces and run a shell there
cb.wait()                   # wait for the shell (the child process) to exit
Note that the flag for a mount namespace is CLONE_NEWNS
and not CLONE_NEWMOUNT or similar. This is for historical
reasons: it was the first namespace added to Linux, so at the time
"namespace" needed no qualifier.
Running this short script
will put you in a shell with both a new user namespace and
a new mount namespace.
You can now create a new directory and try various mount commands.
It will become apparent that not all commands will work as a
regular user.
The following sections will discuss what will work and what will not.
Directory and …
Posted Sat 08 October 2016 in containers
The previous article was messy from a code point of view,
so before going on to the other namespaces let's get something
a little more useful.
There is nothing new about containers, so you can skip this, but
future episodes of this series will be based on this code.
Previously we used the unshare call, which detaches the current
process from its existing namespace and attaches it to a new one.
However, for the rest of the series we are going to use the clone call.
This creates a new process and places it in the new namespace(s) all
at once.
The parent process is then able to set up the user and group mappings
and communicate to the child process when this has been completed. As
we found out previously, it's necessary to wait for the user/group
mappings to be set up before executing a new process in …
Posted Mon 19 September 2016 in containers
This series of articles will explore creating unprivileged containers on
Linux using Python and shell commands for ease of experimenting.
A container is something you construct using various system facilities
such as Linux namespaces to isolate a process or a group of processes
from the rest of the system.
This isolation can be partial or almost complete, giving the
illusion of a separate machine.
A fairly recent distribution will be required to do everything
that will be demonstrated here.
This series of articles was prepared on a Fedora 24 distribution, which
has a 4.7 kernel at the time of writing.
The user namespace
A user namespace isolates user and group IDs, the root directory
and other security-related attributes such as capabilities.
There is a top-level user namespace, and new
child namespaces can be created.
The user IDs and privileges
can be different inside and outside the new namespace.
In particular …