https://linzeyan.github.io/zh-tw/categories/container/Recent content in Container on RickyHugo -- gohugo.iozh-twWed, 10 Sep 2025 09:50:00 +0800https://linzeyan.github.io/zh-tw/posts/2025/20250910-containers-from-scratch-by-golang-feat-liz-rice/Wed, 10 Sep 2025 09:50:00 +0800https://linzeyan.github.io/zh-tw/posts/2025/20250910-containers-from-scratch-by-golang-feat-liz-rice/<ul> <li><a href="https://baconyao.notion.site/Containers-From-Scratch-by-Golang-feat-Liz-Rice-2638a3a7d9d48053ae1dce0763fb52e8" target="_blank" rel="noopener">用 Golang 從零打造容器（Liz Rice）</a></li> <li><a href="https://github.com/baconYao/container-from-scratch-golang" target="_blank" rel="noopener">container-from-scratch-golang</a></li> </ul> <p>隨著我們擴充這個小程式的功能，會依序探索以下主題，讓我們建立一個非正式環境的容器模擬。</p> <ol> <li>UTS Namespace</li> <li>Chroot</li> <li>PID Namespace</li> <li>Mount Namespace</li> <li>Control Group</li> <li>Rootless Container</li> </ol>https://linzeyan.github.io/zh-tw/posts/2023/20231004-container/Wed, 04 Oct 2023 09:06:00 +0800https://linzeyan.github.io/zh-tw/posts/2023/20231004-container/<ul> <li><a href="https://securitylabs.datadoghq.com/articles/container-security-fundamentals-part-1/" target="_blank" rel="noopener">Container security fundamentals: Exploring containers as processes</a></li> <li><a href="https://securitylabs.datadoghq.com/articles/container-security-fundamentals-part-2/" target="_blank" rel="noopener">Container security fundamentals part 2: Isolation &amp; namespaces</a></li> <li><a href="https://securitylabs.datadoghq.com/articles/container-security-fundamentals-part-3/" target="_blank" rel="noopener">Container security fundamentals part 3: Capabilities</a></li> <li><a href="https://securitylabs.datadoghq.com/articles/container-security-fundamentals-part-4/" target="_blank" rel="noopener">Container security fundamentals part 4: Cgroups</a></li> <li><a href="https://securitylabs.datadoghq.com/articles/container-security-fundamentals-part-5/" target="_blank" rel="noopener">Container security fundamentals part 5: AppArmor and SELinux</a></li> <li><a href="https://securitylabs.datadoghq.com/articles/container-security-fundamentals-part-6/" target="_blank" rel="noopener">Container security fundamentals part 6: seccomp </a></li> </ul>https://linzeyan.github.io/zh-tw/posts/2022/20221124-containers-from-scratch/Thu, 24 Nov 2022 13:10:14 +0800https://linzeyan.github.io/zh-tw/posts/2022/20221124-containers-from-scratch/<ul> <li><a href="https://ericchiang.github.io/post/containers-from-scratch/" target="_blank" rel="noopener">從零開始的容器</a></li> </ul> <h3 id="容器檔案系統">容器檔案系統</h3> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>$ wget https://github.com/ericchiang/containers-from-scratch/releases/download/v0.1.0/rootfs.tar.gz </span></span><span style="display:flex;"><span>$ sha256sum rootfs.tar.gz </span></span><span style="display:flex;"><span>c79bfb46b9cf842055761a49161831aee8f4e667ad9e84ab57ab324a49bc828c rootfs.tar.gz </span></span><span style="display:flex;"><span>$ <span style="color:#75715e"># tar needs sudo to create /dev files and setup file ownership</span> </span></span><span style="display:flex;"><span>$ sudo tar -zxf rootfs.tar.gz </span></span><span style="display:flex;"><span>$ ls rootfs </span></span><span style="display:flex;"><span>bin dev home lib64 mnt proc run srv tmp var </span></span><span style="display:flex;"><span>boot etc lib media opt root sbin sys usr </span></span><span style="display:flex;"><span>$ ls -al rootfs/bin/ls </span></span><span style="display:flex;"><span>-rwxr-xr-x. <span style="color:#ae81ff">1</span> root root <span style="color:#ae81ff">118280</span> Mar <span style="color:#ae81ff">14</span> <span style="color:#ae81ff">2015</span> rootfs/bin/ls </span></span></code></pre></div><h3 id="chroot">chroot</h3> <p>它可以限制某個程序對檔案系統的視野。這裡我們把程序限制在 &ldquo;rootfs&rdquo; 目錄，然後執行一個 shell。</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>$ sudo chroot rootfs /bin/bash </span></span><span style="display:flex;"><span>root@localhost:/# ls / </span></span><span style="display:flex;"><span>bin dev home lib64 mnt proc run srv tmp var </span></span><span style="display:flex;"><span>boot etc lib media opt root sbin sys usr </span></span><span style="display:flex;"><span>root@localhost:/# which python </span></span><span style="display:flex;"><span>/usr/bin/python </span></span><span style="display:flex;"><span>root@localhost:/# /usr/bin/python -c <span style="color:#e6db74">&#39;print &#34;Hello, container world!&#34;&#39;</span> </span></span><span style="display:flex;"><span>Hello, container world! </span></span><span style="display:flex;"><span>root@localhost:/# </span></span></code></pre></div><p>當我們執行 Python 直譯器時，實際上是執行 <code>rootfs/usr/bin/python</code>，而不是宿主機的 Python。</p>