Container

用 Golang 從零打造容器（Liz Rice）

用 Golang 從零打造容器（Liz Rice） container-from-scratch-golang 隨著我們擴充這個小程式的功能，會依序探索以下主題，讓我們建立一個非正式環境的容器模擬。 UTS Namespace Chroot PID Namespace Mount Namespace Control Group Rootless Container

Wednesday, September 10, 2025 閱讀

Container security fundamentals

Container security fundamentals: Exploring containers as processes Container security fundamentals part 2: Isolation & namespaces Container security fundamentals part 3: Capabilities Container security fundamentals part 4: Cgroups Container security fundamentals part 5: AppArmor and SELinux Container security fundamentals part 6: seccomp

Wednesday, October 4, 2023 閱讀

從零開始的容器

從零開始的容器容器檔案系統 $ wget https://github.com/ericchiang/containers-from-scratch/releases/download/v0.1.0/rootfs.tar.gz $ sha256sum rootfs.tar.gz c79bfb46b9cf842055761a49161831aee8f4e667ad9e84ab57ab324a49bc828c rootfs.tar.gz $ # tar needs sudo to create /dev files and setup file ownership $ sudo tar -zxf rootfs.tar.gz $ ls rootfs bin dev home lib64 mnt proc run srv tmp var boot etc lib media opt root sbin sys usr $ ls -al rootfs/bin/ls -rwxr-xr-x. 1 root root 118280 Mar 14 2015 rootfs/bin/ls chroot 它可以限制某個程序對檔案系統的視野。這裡我們把程序限制在 “rootfs” 目錄，然後執行一個 shell。 $ sudo chroot rootfs /bin/bash root@localhost:/# ls / bin dev home lib64 mnt proc run srv tmp var boot etc lib media opt root sbin sys usr root@localhost:/# which python /usr/bin/python root@localhost:/# /usr/bin/python -c 'print "Hello, container world!"' Hello, container world! root@localhost:/# 當我們執行 Python 直譯器時，實際上是執行 rootfs/usr/bin/python，而不是宿主機的 Python。

Thursday, November 24, 2022 閱讀