tiny-docker: the essence of docker in 100 lines of C++
To evaluate the filesystem segregation feature of this tiny-docker, you will initially need an additional ubuntu filesystem for tiny-docker execution and mounting activities. You can arrange this using your existing ubuntu with the subsequent instructions:
sudo tar -cpf ubuntu-fs.tar --exclude=/home --one-file-system /
mv ubuntu-fs.tar /parent/directory/of/tiny-docker
cd /parent/directory/of/tiny-docker
mkdir ubuntu-fs
mv ubuntu-fs.tar ubuntu-fs
cd ubuntu-fs
sudo tar xf ubuntu-fs.tar
As I usually perform all the commands within my $HOME
directory, ubuntu-fs.tar
is also omitted by the --exclude=/home
choice. If you don't execute these commands within your $HOME
, you can manually specify ubuntu-fs.tar
.
Following the prior setup, now you possess an ubuntu-fs
directory located in the parent path of tiny-docker
. You can now test it as follows:
make
sudo make run
The output will appear as:
./mocker run /bin/bash
Parent running /bin/bash as 40000
Child running /bin/bash as 1
root@container:/#
This indicates that hostname is separate. Furthermore, a ps aux
will show:
root@container:/# ps aux
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.0 0.0 10916 4016 ? S 21:31 0:00 /bin/bash
root 10 0.0 0.0 12126 3504 ? R+ 21:32 0:00 ps aux
It is thereby clear, that pid namespace remains separate. A ls
will display:
root@container:/# ls
bin boot cdrom dev etc lib lib32 lib64 libx32 lost+found media mnt opt proc root run sbin snap srv swapfile sys tmp ubuntu-fs.tar usr var
The file system is also separate and you can even locate ubuntu-fs.tar
within your /
.
Show proc pseudo-filesystem mounts in host to establish that container mount points are not visible outside the container:
host@linux:~/tiny-docker$ cat /proc/mounts | grep ^proc
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0