Linux namespaces

nvil

Hi, I'm quite new to using Linux namespaces. I've been trying to combine/merge multiple namespaces in the same instance using this command line:
unshare -p -n -f --mount-proc /bin/bash
It works well, but the moment I exit it, its lifecycle ends as well. What I want to do is to create my own "container" with those namespaces in particular, and be able to have more control over it.
Is there any way to do it? I know that with the systemd-nspawn and machinectl commands I could have more control, but that implies that I have a well-made container. I don't want to use base images from Debian or so; what I'm looking for is to create my own container with those levels of isolation, to be as lightweight as it can be and have control over it (a more stable/longer lifecycle).

I appreciate any kind of help, thanks.

I would say you're off to a good start.

You're on the right track with unshare! You can combine unshare with other Linux features like chroot, cgroups, and mount namespaces to create a more persistent and isolated environment. I've done it like this in Azure.

Code:
mkdir -p /path/to/container/bin /path/to/container/proc /path/to/container/dev

Code:
# bash must end up at /bin/bash inside the new root, not at its top level.
# -H follows /lib and /lib64 themselves if they are symlinks into /usr.
cp /bin/bash /path/to/container/bin/
cp -rH /lib /lib64 /path/to/container/

Code:
unshare --uts --pid --net --mount --ipc --fork /bin/bash

Code:
# Inside the unshare'd shell, before chroot. A fresh proc instance shows only
# the new PID namespace; bind-mounting the host's /proc (or /sys) here would
# show host processes and kernel state and undo the isolation.
mount -t proc proc /path/to/container/proc
mount --bind /dev /path/to/container/dev   # note: exposes the host's device nodes

Code:
# cgroup v1 cpu controller (legacy layout, hierarchy at /sys/fs/cgroup/cpu).
# A quota of 100000 us per 100000 us period is one CPU. Writing a PID to
# "tasks" moves that task ("0" means the writer itself), so one write is
# enough; do this before chroot, while /sys/fs/cgroup is still visible.
mkdir /sys/fs/cgroup/cpu/container
echo 100000 > /sys/fs/cgroup/cpu/container/cpu.cfs_quota_us
echo $$ > /sys/fs/cgroup/cpu/container/tasks

Code:
chroot /path/to/container /bin/bash

That gives you more control and isolates the containers pretty well.

Hi, thank you very much for your reply. I tried following your instructions, but I couldn't make it work. Could you please provide a more detailed explanation of the process, if possible? Thank you!
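As an added example that is not part of the thread (neither nvil's nor the replier's code), here is the same procedure as one script, with the part nvil asked about: keeping the namespaces alive after the shell exits. Namespaces live as long as some process is in them, so the script starts a long-lived init inside them, records that init's PID as the host sees it, and later joins the container with nsenter using that PID. The rootfs path /var/lib/minictr/rootfs, the PID file /run/minictr.pid, the cgroup name minictr and all function names are this script's own assumptions. It needs root and util-linux's unshare and nsenter; no user namespace is created, so root inside the container is real root on the host.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumed names: ROOT, PIDFILE,
# the cgroup "minictr" and every function below are this script's own.
set -eu

ROOT="${ROOT:-/var/lib/minictr/rootfs}"   # assumed container root
PIDFILE="${PIDFILE:-/run/minictr.pid}"    # host PID of the container's init

# List the shared objects a dynamically linked binary needs, one per line.
# ldd prints "libc.so.6 => /lib/.../libc.so.6 (0x...)" for libraries and
# "/lib64/ld-linux-x86-64.so.2 (0x...)" for the loader; a static binary
# (or a missing ldd) yields nothing, which is fine.
lib_deps() {
    ldd "$1" 2>/dev/null |
        awk '$2 == "=>" && $3 ~ /^\// { print $3 } $1 ~ /^\// { print $1 }' || true
}

# Copy binaries plus their libraries into the rootfs, preserving paths so the
# ELF interpreter path baked into each binary resolves inside the chroot.
install_into_rootfs() {
    root="$1"; shift
    for bin in "$@"; do
        [ -x "$bin" ] || continue
        for f in "$bin" $(lib_deps "$bin"); do
            mkdir -p "$root$(dirname "$f")"
            [ -e "$root$f" ] || cp "$f" "$root$f"
        done
    done
}

# Minimal rootfs: a shell, sleep for the init loop, and a couple of tools.
build_rootfs() {
    root="$1"
    mkdir -p "$root/proc" "$root/dev" "$root/tmp"
    install_into_rootfs "$root" /bin/sh /bin/sleep /bin/ls /bin/cat
}

# Start the container's init in fresh pid/mnt/uts/ipc/net namespaces. The
# namespaces persist for as long as this init runs, so entering and leaving
# the container with nsenter does not tear it down.
start_container() {
    root="$1"
    unshare --fork --kill-child --pid --mount --uts --ipc --net \
        sh -c '
            root="$1"; pidfile="$2"
            # The host /proc is still mounted here. The redirection is opened
            # by this shell itself, so /proc/self is this process, and the
            # first field of stat is our PID as the HOST sees it (inside the
            # new pid namespace $$ would just be 1). Record it for nsenter.
            read -r hostpid _ < /proc/self/stat
            echo "$hostpid" > "$pidfile"
            # Private proc for the new pid namespace and a tmpfs /dev with a
            # few nodes, instead of bind-mounting the host /proc and /dev,
            # which would expose host processes and devices to the container.
            mount -t proc -o nosuid,nodev,noexec proc "$root/proc"
            mount -t tmpfs -o nosuid,noexec,mode=755 tmpfs "$root/dev"
            mknod -m 666 "$root/dev/null"    c 1 3
            mknod -m 666 "$root/dev/zero"    c 1 5
            mknod -m 666 "$root/dev/urandom" c 1 9
            hostname minictr        # only affects the new UTS namespace
            exec chroot "$root" /bin/sh -c "while :; do sleep 3600; done"
        ' _ "$root" "$PIDFILE" &
    sleep 1                          # give init a moment to write the PID file
    cat "$PIDFILE"
}

# Join the running container: all five namespaces plus chroot to the init's
# root (--root). Without --root the shell would keep the host root directory
# while sitting in the container's mount namespace, an easy escape hatch.
enter_container() {
    nsenter --target "$(cat "$PIDFILE")" --mount --uts --ipc --net --pid \
        --root --wd=/ -- /bin/sh "$@"
}

# Cap the container at half a CPU with cgroup v2 (the thread's
# /sys/fs/cgroup/cpu/... paths are the legacy v1 layout). Assumes the cpu
# controller is enabled in the root cgroup's cgroup.subtree_control.
limit_cpu() {
    cg=/sys/fs/cgroup/minictr
    mkdir -p "$cg"
    echo "50000 100000" > "$cg/cpu.max"    # 50 ms of CPU per 100 ms period
    cat "$PIDFILE" > "$cg/cgroup.procs"    # moves init; children inherit it
}

case "${1-}" in
    build) build_rootfs "$ROOT" ;;
    start) start_container "$ROOT" ;;
    enter) shift; enter_container "$@" ;;
    limit) limit_cpu ;;
    # Init is PID 1 of its namespace and ignores signals it has no handler
    # for; from the parent namespace only SIGKILL is guaranteed to stop it.
    stop)  kill -KILL "$(cat "$PIDFILE")" && rm -f "$PIDFILE" ;;
    "")    ;;   # no verb: just define the functions
esac
```

Run it as root: `./minictr.sh build`, then `./minictr.sh start` (the PID it prints is the host-side PID of the container's init), `./minictr.sh enter` as often as you like, `./minictr.sh limit` to attach the CPU cap, and `./minictr.sh stop` to kill the namespaces. Inside, `ls /proc` shows only PIDs 1 and your shell, which is the check that /proc really belongs to the new pid namespace rather than the host's.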
 
