How Can I Achieve Stable PID Isolation While Building Containers from Scratch?

Asked By CuriousCoder82 On

I've been diving deep into how containers work under the hood and decided to take a step beyond Docker. I aimed to build a container from scratch using tools like chroot, unshare, and overlayfs, similar to how sysadmins might have done before Docker became widespread. Here's what I managed to get working:

- Created an isolated root filesystem using debootstrap.
- Used OverlayFS for an immutable base image with a writable layer.
- Isolated filesystem, network, UTS, and IPC namespaces with unshare.
- Set up a cgroup for limiting memory and CPU.

However, I'm stuck on PID namespace isolation. I've tried several methods, such as using `unshare --pid --fork --mount-proc`, manually mounting procfs inside the chroot, and even some shell scripts to manage timing, but I still see all host processes instead of just 1-2. I'd love to hear from anyone who has tackled this. How did you achieve stable PID isolation without relying on a comprehensive runtime like 'runc'?

1 Answer

Answered By TechExplorer7 On

When you're building containers with `unshare` and `chroot`, getting the PID namespace right is crucial. You have to ensure there's a proper `/proc` mount inside the namespace, or else the kernel gets confused. It's also a good idea to have a minimal init system to handle zombie processes; otherwise, orphaned processes can bubble up to PID 1. Tools like `setns` or runC exist for a reason—they make dealing with these details less of a headache!
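As an added example (not code from the post or the answer above): a minimal C program that does what the answer describes, entering new PID and mount namespaces with clone(), mounting a fresh procfs under the rootfs from inside the namespace before chroot, and then staying alive as a zombie-reaping PID 1. The rootfs path is an assumed placeholder.

```c
#define _GNU_SOURCE
#include <sched.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/mount.h>
#include <sys/wait.h>
#include <unistd.h>
/* Assumed location of the debootstrap root filesystem (placeholder, not from the post). */
static const char *rootfs = "/srv/rootfs";

/* Minimal-init duty: wait on *any* child so orphans adopted by PID 1 get reaped, until the
 * main workload exits; returns its exit status. Needs no privileges, so it runs anywhere. */
int init_loop(pid_t main_child)
{
    int status;
    for (;;) {
        pid_t p = waitpid(-1, &status, 0);
        if (p < 0) return 1;                    /* ECHILD: nothing left to wait for */
        if (p == main_child)
            return WIFEXITED(status) ? WEXITSTATUS(status) : 128 + WTERMSIG(status);
        /* any other pid was an orphaned zombie, now collected; keep waiting */
    }
}

/* Entry point of the new PID namespace: this function runs as PID 1 there. */
static int container_init(void *arg)
{
    char **argv = arg, procdir[256];
    /* Keep our mount changes out of the host's mount namespace. */
    if (mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL)) { perror("MS_PRIVATE"); return 1; }
    /* Fresh procfs under the rootfs, mounted from *inside* the PID namespace; a /proc set up
     * earlier from the host namespace is exactly what still lists every host process. */
    snprintf(procdir, sizeof procdir, "%s/proc", rootfs);
    if (mount("proc", procdir, "proc", MS_NOSUID | MS_NODEV | MS_NOEXEC, NULL)) { perror("mount proc"); return 1; }
    if (chroot(rootfs) || chdir("/")) { perror("chroot"); return 1; }
    pid_t child = fork();
    if (child == 0) { execv(argv[0], argv); perror("execv"); _exit(127); }
    if (child < 0) { perror("fork"); return 1; }
    return init_loop(child);                    /* PID 1 stays up to reap zombies */
}

int main(int argc, char **argv)
{
    if (argc < 2) { fprintf(stderr, "usage: %s /bin/sh [args...]\n", argv[0]); return 2; }
    char *stack = malloc(1 << 20);              /* clone() stack grows down: pass its top */
    pid_t pid = clone(container_init, stack + (1 << 20), CLONE_NEWPID | CLONE_NEWNS | SIGCHLD, argv + 1);
    if (pid < 0) { perror("clone (needs CAP_SYS_ADMIN)"); return 1; }
    int status = 0; waitpid(pid, &status, 0);
    return WIFEXITED(status) ? WEXITSTATUS(status) : 1;
}
```

Run as root with `./mini-init /bin/sh` and `ps` inside will list only PID 1 and the shell; the same ordering applies to the CLI form, `unshare --pid --fork --mount-proc=/srv/rootfs/proc chroot /srv/rootfs /bin/sh`.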

ContainerCrafter12 -

Thanks for the tip! I’ll definitely give that a shot. But I’ve heard some folks suggest using **bubblewrap** for sandboxing instead of `unshare`. What do you think?
