Skip to content

isomer/contain

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

50 Commits

Makefile

Makefile

 
 

README.md

README.md

 
 

TODO

TODO

 
 

caps.c

caps.c

 
 

cgroup.c

cgroup.c

 
 

cgroup.h

cgroup.h

 
 

chroot.c

chroot.c

 
 

clone.c

clone.c

 
 

contain.1

contain.1

 
 

contain.c

contain.c

 
 

contain.h

contain.h

 
 

example.container

example.container

 
 

full.container

full.container

 
 

idmap.c

idmap.c

 
 

ioprio.c

ioprio.c

 
 

mkcontain

mkcontain

 
 

nice.c

nice.c

 
 

prctl.c

prctl.c

 
 

rlimit.c

rlimit.c

 
 

selinux.c

selinux.c

 
 

simple-init.c

simple-init.c

 
 

working.container

working.container

 
 

Repository files navigation

contain

A wrapper that lets you tweak Linux process options before you start a process. Kinda like a super version of nice(1). In particular this lets you create process namespaces and cgroups which lets you form up fairly usable containers.

Examples

  • contain --ioidle=0 -- ls -R / Run ls in the background with the io priority set to idle. Using ioidle in this way is great for programs that read a lot of data (but not necessarily write a lot of data, see set_ioprio(2) for limitations)

  • sudo contain --newnet -- bash Create a new networking namespace and run bash inside of it.

  • Creating a new namespaces:

  • sudo contain --newpid --newmount --mount /proc=none,proc -- ps aux

If you're going to create a new pid namespace, you probably also want to use "simple-init" (included) to act as the new pid 1, and clean up zombie processes.if this "init" process ever exits then the entire namespace is destroyed. Beware of this if you have a program that likes to daemonise itself as init.

  • Using containers:

  • First setup cgroups on this machine

  • sudo mount -t tmpfs none /sys/fs/cgroup/

  • sudo mkdir /sys/fs/cgroup/devices

  • sudo mount -t cgroup -o devices devices /sys/fs/cgroup/devices

  • Now demonstrate their use

  • sudo contain --name "example-cgroup" \ --limit devices.deny=a \ --limit devices.allow="c 1:3 mr" \ -- cat /dev/null

  • sudo contain --name "example-cgroup" \ --limit devices.deny=a \ --limit devices.allow="c 1:3 mr" \ -- cat /dev/zero This demonstrates a simple container that lets you specify which device nodes processes have access to. This denies access to all devices, but allows access to /dev/null. The two commands above demonstrate /dev/null working, but /dev/zero failing with operation not permitted.

  • Using capabilities

    • sudo contain --cap=+net_bind_service -- su -c id This demonstrates disabling all capabilities except for binding to low ports. Multiple capabilities can be specified, separated by commas. Or you can instead list the capabilities you'd rather remove.

  • Making root a non priviledged user sudo contain --noroot --uid=nobody -- su -c id This demonstrates that nobody can execute su, but the setuid bit doesn't grant it any extra privileges

  • It's probably easier at this point to look at what mkcontain does with various example container files.

About

Specify Linux process attributes

Resources

Readme
Activity

Stars

5 stars

Watchers

5 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages