Link: Linux containers in 500 lines of code
Lizzie Dixon's Linux Containers in 500 lines of code is exactly what it says in the title, namely an example of setting up a relatively complete Linux container in 500 lines of code or so. The whole thing is interesting, but for me the really useful bits are the code examples and careful discussion of things like dropping capabilities and installing seccomp filters to block system calls.
(I feel I have a broad understanding of how Linux containers work and the general kernel pieces used to set them up, but I haven't really done anything with either capabilities or seccomp.)
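The seccomp half of that is small enough to show in full. The following is an added example, not code from Dixon's post: a raw-BPF filter of the deny-list kind the post discusses, installed in a forked child so the parent can observe exactly how the kernel treated it. The two blocked syscalls (chroot and mount), the choice of ENOSYS as the returned error, and the x86_64/aarch64 architecture table are this example's own assumptions; a real container would block a much longer list and would do this after pivoting into its root filesystem.

```c
/* Added example (not from the post): deny-list seccomp filter, installed in a
 * child process and observed from the parent. Syscall choices and the
 * ENOSYS value are this example's own. */
#include <errno.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <signal.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/mount.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

#if defined(__x86_64__)
#define FILTER_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define FILTER_ARCH AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* value for this architecture"
#endif

/* Install the filter in the calling process. Returns 0 on success, -1 on error. */
static int install_filter(void)
{
    struct sock_filter code[] = {
        /* Refuse to run if the syscall ABI is not the one we compiled for;
         * otherwise the syscall numbers below would mean something else. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, FILTER_ARCH, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
        /* Load the syscall number and compare it against the deny list. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        /* chroot: kill the caller outright (it dies with SIGSYS). */
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SYS_chroot, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
        /* mount: fail the call with ENOSYS without entering the kernel. */
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SYS_mount, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (ENOSYS & SECCOMP_RET_DATA)),
        /* Everything else is allowed. */
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = {
        .len = (unsigned short)(sizeof(code) / sizeof(code[0])),
        .filter = code,
    };

    /* Without no_new_privs only a process with CAP_SYS_ADMIN may install a
     * filter; it also stops setuid binaries from regaining privilege later. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

struct sandbox_result {
    int killed_by_signal;   /* signal number if the child was killed, else 0 */
    int exit_code;          /* exit status if it exited normally, else -1 */
};

/* Run fn() in a forked child under the filter and report how the child ended.
 * The child exits with fn()'s return value (we use it to carry back errno). */
static struct sandbox_result run_sandboxed(int (*fn)(void))
{
    struct sandbox_result r = { 0, -1 };
    int status;
    pid_t pid = fork();
    if (pid == 0) {
        if (install_filter() != 0)
            _exit(127);
        _exit(fn() & 0xff);
    }
    if (pid < 0 || waitpid(pid, &status, 0) < 0)
        return r;
    if (WIFSIGNALED(status))
        r.killed_by_signal = WTERMSIG(status);
    else if (WIFEXITED(status))
        r.exit_code = WEXITSTATUS(status);
    return r;
}

/* Probes: each returns 0 on success or the errno the call produced. */
static int probe_chroot(void) { return chroot("/") == 0 ? 0 : errno; }
static int probe_mount(void)
{
    return mount("none", "/mnt", "tmpfs", 0, NULL) == 0 ? 0 : errno;
}
static int probe_getpid(void) { return getpid() > 0 ? 0 : 1; }

int main(void)
{
    struct sandbox_result a = run_sandboxed(probe_chroot);
    struct sandbox_result b = run_sandboxed(probe_mount);
    struct sandbox_result c = run_sandboxed(probe_getpid);
    printf("chroot: killed by signal %d (SIGSYS is %d)\n", a.killed_by_signal, SIGSYS);
    printf("mount:  exit code %d (ENOSYS is %d)\n", b.exit_code, ENOSYS);
    printf("getpid: exit code %d\n", c.exit_code);
    return 0;
}
```

Two things worth noticing when you run it: the architecture check at the top is what stops a 32-bit (or otherwise foreign-ABI) caller from reaching the deny list with renumbered syscalls, and the ENOSYS branch shows the gentler option of making a blocked call fail instead of killing the process, which is what you want for syscalls that well-behaved programs may probe for.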
Also, it turns out that reading the footnotes here was very useful because it led to me discovering the Ubuntu sysctl kernel.unprivileged_userns_clone, which lets you turn off unprivileged use of user namespaces. I've wanted this for some time, so it's great to find out that we can get it on most of our Ubuntu machines.