container_from_scratch

Tested container from Liz Rice on Ubuntu 20.04 LTS, release 20.04

Follow tutorial from:

https://www.youtube.com/watch?v=8fi7uSYlOdc
fork on github from: https://github.com/lizrice/containers-from-scratch
you can easily edit main.go code on Ubuntu Text Editor

Golang references for palackges and library function parameters:

https://pkg.go.dev/syscall
https://man7.org/linux/man-pages/man2/clone.2.html

Concepts:

kernel space
userspace
processes
system calls
operating system internals and resources
linux

Ran on ubuntu:

Distributor ID: Ubuntu
Description: Ubuntu 20.04 LTS
Release: 20.04
Codename: focal

Install these packages if not already present:

$sudo
$snap install docker
$apt install docker.io
$apt install go
$apt install golang-go

From container: successful run as root:

root@ubuntu:/home/samira/cont# go build # main.go
root@ubuntu:/home/samira/cont# ./cont run /bin/bash
RunningP1 [/bin/bash] as 18431
RunningP2 [/bin/bash] as 1
root@CONTAINER:/#

Test max pids set from host running a fork bomb:

root@CONTAINER:/# :(){ : | : & }; :

[1] 17
root@CONTAINER:/# bash: fork: retry: No child processes
bash: fork: retry: No child processes
bash: fork: retry: No child processes
bash: fork: retry: No child processes
bash: fork: retry: No child processes
bash: fork: retry: No child processes
bash: fork: retry: No child processes
bash: fork: retry: Resource temporarily unavailable
bash: fork: retry: No child processes
bash: fork: retry: No child processes
bash: fork: retry: No child processes
bash: fork: retry: No child processes
bash: fork: retry: No child processes
bash: fork: retry: No child processes
bash: fork: retry: No child processes
bash: fork: retry: No child processes
bash: fork: retry: No child processes
bash: fork: retry: Resource temporarily unavailable
bash: fork: retry: No child processes
bash: fork: retry: No child processes
bash: fork: retry: No child processes
bash: fork: retry: No child processes
bash: fork: retry: No child processes
bash: fork: retry: No child processes
bash: fork: retry: No child processes
bash: fork: retry: No child processes
bash: fork: retry: Resource temporarily unavailable
bash: fork: retry: No child processes
bash: fork: retry: No child processes
bash: fork: retry: No child processes
bash: fork: retry: No child processes
bash: fork: retry: No child processes
bash: fork: retry: No child processes
bash: fork: retry: No child processes
bash: fork: retry: No child processes
bash: fork: retry: Resource temporarily unavailable
bash: fork: retry: No child processes
bash: fork: retry: No child processes
bash: fork: retry: No child processes
bash: fork: retry: No child processes
bash: fork: Resource temporarily unavailable
bash: fork: Resource temporarily unavailable
^C
[1]+ Done : | :
root@CONTAINER:/#

On host, $ps -fax will show no more than 20 defunct processes :)

samira@ubuntu:/sys/fs/cgroup/pids$ cat /sys/fs/cgroup/pids/samira/pids.max
20
samira@ubuntu:/sys/fs/cgroup/pids$ cat /sys/fs/cgroup/pids/samira/notify_on_release
1
samira@ubuntu:/sys/fs/cgroup/pids$ cat /sys/fs/cgroup/pids/samira/cgroup.procs
18734
18738
samira@ubuntu:/sys/fs/cgroup/pids$
samira@ubuntu:/sys/fs/cgroup/pids/samira$ cat pids.current
samira@ubuntu:/sys/fs/cgroup/pids/samira$ cat tasks
18734
18735
18736
18737
18738
samira@ubuntu:/sys/fs/cgroup/pids/samira$

after we run again the container:

can still see info from container process using sleep:
root@CONTAINER:/# sleep 100

from host:

samira@ubuntu:/sys/fs/cgroup/pids/samira$ ps -C sleep
PID TTY TIME CMD
27758 pts/0 00:00:00 sleep

Next, you can play with docker and kubernestes:
On docker, you can follow this tutorial and exercise running priviledged, setting max pids, etc:
ex: docker container run --pids-limit 20
I recommend:

go through entire tutorial of installing on desktop, then building image, running app, persistance of data across app updates etc.
https://www.docker.com/101-tutorial
https://kubernetes.io/docs/tutorials/kubernetes-basics/

olivamadrigal / container_from_scratch Goto Github PK