Link: Linux containers in 500 lines of code

October 31, 2016

Lizzie Dixon's Linux Containers in 500 lines of code is exactly what it says in the title, namely an example of setting up a relatively complete Linux container in 500 lines of code or so. The whole thing is interesting, but for me the really useful bits are the code examples and careful discussion of things like dropping capabilities and installing seccomp filters to block system calls.

(I feel I have a broad understanding of how Linux containers work and the general kernel pieces used to set them up, but I haven't really done anything with either capabilities or seccomp.)

Also, it turns out that reading the footnotes here was very useful because it led to me discovering the Ubuntu sysctl kernel.unprivileged_userns_clone, which lets you turn off unprivileged use of user namespaces. I've wanted this for some time, so it's great to find out that we can get it on most of our Ubuntu machines.

Last modified: Mon Oct 31 13:15:27 2016