Typos in hand-crafted containers, thanks jwilk - monochromatic - monochromatic blog: http://blog.z3bra.org

git clone git://z3bra.org/monochromatic
Log (/scm/monochromatic/log.gph)
Files (/scm/monochromatic/files.gph)
Refs (/scm/monochromatic/refs.gph)
---
commit 2f632792c1cb87d291f8e94203b3e57f74e17034
parent 6fb1ca3b95398796f2874bea8451dfd191dd71f1
Author: z3bra (mailto:willyatmailoodotorg)
Date: Thu, 31 Mar 2016 06:26:10 +0000

Typos in hand-crafted containers, thanks jwilk

Diffstat:
 M 2016/03/hand-crafted-containers.txt | 10 +++++-----

1 file changed, 5 insertions(+), 5 deletions(-)
---
diff --git a/2016/03/hand-crafted-containers.txt b/2016/03/hand-crafted-containers.txt
@@ -20,7 +20,7 @@ host operating system. This isolation can happen in different places
 (namespaces), be it in the network, the filesystem, the process tree, or all of
 them (there are more, in fact. More on this later).
 
-We can differenciate three types of containers:
+We can differentiate three types of containers:
 
 + operating system containers
 + application containers
@@ -123,7 +123,7 @@ part here is the following:
 > dynamically linked, interpreter /lib/ld-linux-x86-64.so.2
 
 Dynamically linked binaries cannot be run on their own. Long story short,
-`/lib/ld-linux-x86-64.so.2` is a program that is implicitely called to run all
+`/lib/ld-linux-x86-64.so.2` is a program that is implicitly called to run all
 the dynamic binaries on a linux system, it's called the
 [linker](https://en.wikipedia.org/wiki/Dynamic_linker). So in order to have a
 binary run in the chroot, you need to copy over the linker AND all the libraries
@@ -160,7 +160,7 @@ for a linker and libc in the chroot:
 
 Let's take a look at the size of this "container". For scale, the
 "[Smallest possible docker container](https://docs.docker.com/articles/baseimages/#creating-a-simple-base-image-using-scratch)"
-weights 3.6Mib...
+weighs 3.6Mib...
 
 $ du -sh rootfs
 720K rootfs
@@ -192,7 +192,7 @@ This tool is the one that will actually isolate containers. It has been created
 especially for this purpose, and will let you run a process unshared from
 different namespaces: mount, user, network, PID, IPC and UTS.
 In the same order, each flag will separate your `command` from the given
-namespace. See `unshare(1)` for more informations:
+namespace. See `unshare(1)` for more information:
 
 unshare -m -U -n -p -i -u
 
@@ -227,7 +227,7 @@ You need to be familiar with the concept of
 (veth) pairs here.
 Virtual ethernet devices pairs acts like both ends of a tube: when a packet is
 written on one end, it is also written on the other. This simple concept will
-help us get an internet acces *inside* the container, while using the network
+help us get an internet access *inside* the container, while using the network
 stack of the host.
 
 The process is easy: we will create a `veth` pair, move one end inside the
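Review bot: in the @@ -123 hunk, the unchanged context line directly after the `+` line, `the dynamic binaries on a linux system, it's called the`, is a comma splice and lowercases Linux; since this commit is a typo pass on the same paragraph, consider also changing it to `the dynamic binaries on a Linux system. It is called the` so the sentence about the dynamic linker stands on its own.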
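Review bot: the `+` line of the @@ -160 hunk fixes `weights` but keeps `3.6Mib`; the unit for a mebibyte is `MiB` (capital B), while `Mib` reads as mebibit, so the line should become `+weighs 3.6MiB...` to match the `720K` figure it is being compared against.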
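Review bot: in the @@ -192 hunk the unchanged example `unshare -m -U -n -p -i -u` does not fully deliver the sentence above it ("run a process unshared from ... PID"): per `unshare(1)`, which the `+` line cites, `-p` alone leaves the command itself in the caller's PID namespace and only its children land in the new one, so `--fork` (`-f`) is normally needed alongside `-p`. Consider `unshare -m -U -n -p -f -i -u`, or a sentence saying why `-f` is added.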
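Review bot: the unchanged context line `Virtual ethernet devices pairs acts like both ends of a tube` in the @@ -227 hunk has two agreement errors (`devices pairs`, `acts`); as this commit already touches the next sentence of the same paragraph, consider `Virtual ethernet device pairs act like both ends of a tube`.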