Now you'll start creating something that behaves a bit like a container!

UTS Namespace

Copy the following and insert it at line 30 in main.go.

    cmd.SysProcAttr = &syscall.SysProcAttr{
        Cloneflags:   syscall.CLONE_NEWUTS,
    }

This adds some additional information describing the command we want to execute.

• CLONE_NEWUTS indicates that we want a new namespace for the "Unix Timesharing System". While this sounds complicated, for our purposes this just concerns the host name
• Cloneflags indicate flags for when the new process is "cloned" (created)

You will also need to add "syscall" to the list of imports at lines 3-7.

Before you run this, check the hostname:

hostname

You should see host01.

Ask this program to run a shell:

go run main.go run bash

Now try changing the hostname:

hostname something

Check the hostname within this shell:

hostname

You should see that this has changed. But this has only taken effect within your "container". There is a second terminal window onto the VM. If you run hostname directly on the VM you should see the original hostname hasn't changed.

hostname

Containerization

This illustrates one of the key aspects of containerization. The shell process has its own namespace for the hostname, which means that you can modify it without affecting the hostname for the rest of the VM. From the shell process's perspective, it can only see its own hostname in its own namespace.

You can also change the hostname on the VM without affecting the namespace that you'll see in the shell process. Try it!

These two commands run on Terminal 2 (the virtual machine):

hostname vm-host

hostname

The next command runs on Terminal 1 (your containerized shell):

hostname

Next step

In the next step you'll modify the program so that it sets up the hostname for the container automatically. Before moving on, terminate the program.

exit

You can change the hostname in go with a line like this:

syscall.Sethostname([]byte("container"))

But where could this go in the current program if you want to change the hostname just for the containerized process?

• If you add this line before the call to cmd.Run() then the new UTS namespace hasn't been created yet.
• If you add it after cmd.Run(), it wouldn't run until after the containerized process completes. When that process terminates, any new namespaces that were created for it will also be destroyed.

So in either case, the effect would be to set the hostname in the host's UTS namespace - and this would change the hostname for the host, not the cotnainer.

Cloning another process

The trick to making this work is to create another process.

• Clone one process with the new namespace
• Change the hostname within this process
• Then clone another process from this child to run the arbitrary command

To make your program do this, we can take advantage of the fact that it can run any command - including running itself. At the moment it expects run as the first argument, but we will make it handle another option, child.

Add another option into the switch statement; insert the following code at line 15:

        case "child":
            child()

Add the child() function. At the moment, this is just like run() except that it doesn't need to create a new namespace.

func child() {
    // Arguments 2 onwards are the arbitrary command we're going to run
    fmt.Printf("Running %v\n", os.Args[2:])

    // Set up a struct that describes the command we want to run
    cmd := exec.Command(os.Args[2], os.Args[3:]...)
    cmd.Stdin = os.Stdin
    cmd.Stdout = os.Stdout
    cmd.Stderr = os.Stderr

    // This is where we run the command
    err := cmd.Run()
    if err != nil {
      panic(fmt.Sprintf("running: %v\n", err))
    }
}

Modify the run() function so that instead of running the arbitrary command, it calls your program again, passing all the same arguments except replacing run with child. To do this, replace line 29 with these lines:

    args := os.Args
    args[1] = "child"
    cmd := exec.Command("/proc/self/exe", args[1:]...)

"/proc/self/exe" is always a link to the currently running executable. To test this out, try the following command:

ls -l /proc/self/exe

Try this version of the program:

go run main.go run echo hello

You should see the output from both run and child invocations of the process. Do you understand why the output appears in the order you see it?

Change the hostname

Now we have an opportunity to change the hostname within the child process, which has the new UTS namespace, before executing the arbitrary command. Insert the following lines at line 50:

    // Set the hostname for the container
    err := syscall.Sethostname([]byte("container"))
    if err != nil {
      panic(fmt.Sprintf("sethostname: %v\n", err))
    }

You will also need to change := to = at line 62 because the err variable is now being used earlier in this function.

Now, if you run a shell in your container you should find that the hostname has been set up for your container:

go run main.go run bash

hostname

Check that the host hasn't been affected (the next command will run in Terminal 2):

hostname

Next step

Now you have a program that can run an arbitrary command, inside a process that has its own hostname isolated from the host. In the next step you'll give this process its own limited view of the filesystem, using chroot.

Don't forget to quit out of the currently running shell before you move on.

exit

When you run a container, it has access to files and directories that come from its container image. We need to give our container its own set of files and directories. For illustration let's use Alpine Linux.

Download Alpine Linux

Let's download a copy of Alpine Linux to use for the "container image". Rather than using a real container image, you're going to download a tar file of the files and directories, and uncompress them into a normal directory on the file system.

mkdir alpine

cd alpine

curl -o alpine.tar.gz http://dl-cdn.alpinelinux.org/alpine/v3.10/releases/x86_64/alpine-minirootfs-3.10.0-x86_64.tar.gz

tar xvf alpine.tar.gz

Remove the compressed version:

rm alpine.tar.gz

Move back to the home directory and then check that the contents of the alpine directory look like a distribution of Alpine, with bin, lib, var, tmp and so on.

cd ..

ls alpine

Now you can use this alpine directory as the root for your container.

Changing the root

You change the root for the current process with syscall.Chroot(). This leaves you in an undefined location in the new directory hierarchy! So you also need to explicitly change directory with syscall.Chdir().

Copy the following lines and insert them into the child() function at line 56.

    // Change the root directory
    err = syscall.Chroot("/root/alpine")
    if err != nil {
      panic(fmt.Sprintf("chroot: %v\n", err))
    }

    // Move into the new root directory
    err = syscall.Chdir("/")
    if err != nil {
      panic(fmt.Sprintf("chdir: %v\n", err))
    }

Notes on executing a command in the new directory

Before running the program it's worth thinking about what is going to happen:

• Your program will move to running in a root directory that corresponds to /root/alpine
• It won't have access to any files outside of its new root directory
• If you want your program to run an executable, that executable file needs to be accessible - so it needs to be within the new root directory

In other words, your program will now only be able to run executables that exist within the alpine directory.

You've done nothing to change the PATH environment variable. Take a look at it:

echo $PATH

When you ask your arbitrary program to run a command, it will try to find in on the PATH, but in the context of the new root directory.

Compare what's in /bin on the machine with what's in /bin inside alpine:

ls /bin

ls /root/alpine/bin

Take a look at the contents of the root directory in your "container".

go run main.go run ls /

Try running a shell:

go run main.go run sh

Explore what's accessible within the container. Here are a few examples you might like to try, but feel free to try your own ideas!

ls /

pwd

When you're done, don't forget to exit the program.

exit

You can't run the bash shell now, because the bash executable isn't present inside the alpine directory. This is exactly how a container is restricted to running only the executables that are included in its container image.

(That's not 100% true - if you mount additional directories into the container, you can also run executables from those mounted directories. But without mounts, the container can only access its copy of the container image contents.)

Next steps

This is starting to feel like a container, right? By using chroot your process has access to a set of files and directories that are, to all intents and purposes, its own copy of Linux.

In a "proper" container, you can only see the processes running inside that container. In the next step we'll see how that's done, using the process ID namespace.

The aim here is that when you run ps inside a container, you should only see processes running inside that container, not on the host.

There are several different types of namespace, and earlier in this scenario we used the UTS namespace to give the process a hostname that is independent of the host's own hostname. Another type of namespace is the process ID (PID) namespace.

Create a PID namespace

Edit the code that's now at around lines 35-37 so that it requests a new PID namespace as well as a new UTS namespace:

    cmd.SysProcAttr = &syscall.SysProcAttr{
        Cloneflags:   syscall.CLONE_NEWUTS | syscall.CLONE_NEWPID,
    }

At the moment the code prints out what commands it's going to execute. Edit lines 26 and 48 to also shows the current process ID:

    fmt.Printf("Running %v, process ID %d\n", os.Args[2:], os.Getpid())

Ask this program to run a shell:

go run main.go run sh

• The run() function has a high-numbered process ID that has been allocated from the host's process namespace.
• The child() function has process ID 1, because it is the first process in the new process namespace.

Running ps

What do you expect to see when you run ps in this shell?

ps -eaf

At this point you should see no entries. Why doesn't this show at least an entry for the ps command you were just running? This is because of the way ps works.

What does ps do

The ps program finds out about running programs by looking in the /proc directory, which holds information about all the running processes. Take a look at /proc on the host:

ls /proc

This directory is mounted as a pseudo-filesystem so that the kernel knows that it should write process information here. You can see this by looking at the mounts:

mount | grep proc

You should see a mount of type proc at /proc.

However, inside your "container" there is nothing inside the /proc directory:

ls /proc

If you try to run mount inside your "container" you will see an error:

mount

In the next step you will add the mount point for proc, but first, exit the program.

exit

Next step

In the next step we will add a mount point for the proc pseudo-filesystem, so that you can run ps effectively inside your container.

In this step you will add code to mount the container's /proc directory as a proc pseudo-filesystem. To do this without affecting mounts on the host, add a new namespace for mounts.

The flag CLONE_NEWNS tells the kernel to create a new mount namespace for the new process. Modify the code at line 36 to request this namespace as well as the UTS and PID namespaces.

        Cloneflags:   syscall.CLONE_NEWUTS | syscall.CLONE_NEWPID | syscall.CLONE_NEWNS,

In the child() function, add the code to do the proc mount. This has to happen after the chroot call so that it refers to /proc from the container's perspective, so add this at line 68:

    // Mount the proc pseudo-filesystem
    err = syscall.Mount("proc", "proc", "proc", 0, "")
    if err != nil {
        panic(fmt.Sprintf("mount: %v\n", err))
    }

Run ps inside a container

Run a shell now, and run ps inside the container.

go run main.go run sh

ps

You can see that the processes inside your container all have low numbers.

ps -eaf

What's more, you can only see the processes that are inside your container. If you run ps -eaf on the host you will see a much longer list.

ps -eaf

Container processes from the host's perspective

These containerized processes are still visible from the host. One way to show this is with a long-running process that we can look at from outside the process. Inside the container, sleep for, say, 30 seconds.

sleep 30

While the sleep is still running, we can find that process from the host's perspective:

ps -C sleep

• ps with the -C parameter looks for processes with the specified name

You should see that the process is visible from the host, but it has a high-numbered process ID. You can even find the process for your shell, which you already know has a low-numbered process ID from the container's perspective.

ps -C sh