Containerization has transformed the world of software development and deployment. Docker ↗️, a leading containerization platform, leverages Linux namespaces, cgroups, and chroot to provide robust isolation, resource management, and security.
In this guide, we’ll skip the theory (go through the attached links above if you want to learn more about the mentioned topics) and jump straight into the practical implementation.
Before we dive into building our own Docker-like environment using namespaces, cgroups, and chroot, it’s important to clarify that this hands-on guide is not intended to replace docker and its functionality.
Docker have features such as layered images, networking, container orchestration, and extensive tooling that make it a powerful and versatile solution for deploying applications.
The purpose of this guide is to offer an educational exploration of the foundational technologies that form the core of Docker. By building a basic container environment from scratch, we aim to gain a deeper understanding of how these underlying technologies work together to enable containerization.
To create an isolated environment, we start by setting up a new namespace.
We use the
unshare command, specifying different namespaces
(--uts, --pid, --net, --mount, and --ipc), which provide separate instances of system identifiers and resources for our container.
Read more in depth about unshare command on man page ↗️
Cgroups (control groups) help manage resource allocation and control the usage of system resources by our containerized processes.
We will create a new cgroup for our container and assign CPU quota limits to restrict its resource usage.
On the first line we create a new directory named
container1 within the
/sys/fs/cgroup/cpu/ directory. This directory will serve as the cgroup for our container.
On the second line we write the value
100000 to the cpu.cfs_quota_us file within the
/sys/fs/cgroup/cpu/container1/ directory. This file is used to set the CPU quota limit for the cgroup.
On the third line we write the value
0 to the tasks file within the
/sys/fs/cgroup/cpu/container1/ directory. The tasks file is used to control which processes are assigned to a particular cgroup.
0 to this file, we are removing any previously assigned processes from the cgroup. This ensures that no processes are initially assigned to the
And lastly, on the fourth line we write the value of
$$ to the tasks file within the
$$ is a special shell variable that represents the process ID (PID) of the current shell or script. By this, we are assigning the current process (the shell or script) to the container1 cgroup.
This ensures that any subsequent child processes spawned by the shell or script will also be part of the container1 cgroup, and their resource usage will be subject to the specified CPU quota limits.
To create the file system for our container, we use
debootstrap to set up a minimal Ubuntu environment within a directory named
This serves as the root file system for our container.
The first argument
focal specifies the Ubuntu release to install. In this case, we are installing Ubuntu 20.04 (Focal Fossa) ↗️.
The second argument
./ubuntu-rootfs specifies the directory to install the Ubuntu environment into. In this case, we are installing it into the
The third argument
http://archive.ubuntu.com/ubuntu/ specifies the URL of the Ubuntu repository to use for the installation.
More about debootstrap can be read on the man page ↗️
We mount essential file systems, such as
/dev, within our container’s root file system.
Then, we use the
chroot command to change the root directory to our container’s file system.
The first command mounts the
proc filesystem into the
./ubuntu-rootfs/proc directory. The
proc filesystem provides information about processes and system resources in a virtual file format.
proc filesystem in the specified directory allows processes within the
./ubuntu-rootfs/ environment to access and interact with the system’s process-related information.
The next command mounts the
sysfs filesystem into the
./ubuntu-rootfs/sys directory. The sysfs filesystem provides information about devices, drivers, and other kernel-related information in a hierarchical format.
sysfs filesystem in the specified directory enables processes within the
./ubuntu-rootfs/ environment to access and interact with system-related information exposed through the
Finally we bind the
/dev directory to the
./ubuntu-rootfs/dev directory. The
/dev directory contains device files that represent physical and virtual devices on the system.
By binding the
/dev directory to the
./ubuntu-rootfs/dev directory, any device files accessed within the
./ubuntu-rootfs/ environment will be redirected to the corresponding devices on the host system.
This ensures that the processes running within the
./ubuntu-rootfs/ environment can interact with the necessary devices as if they were directly accessing them on the host system.
Once we have mounted the necessary file systems, we use the
chroot command to change the root directory to the
./ubuntu-rootfs/ directory. Think of this as doing docker exec into the container.
Now that our container environment is set up, we can install and run applications within it.
In this example, we install Nginx web server to demonstrate how applications behave within the container.
In this guide, we built a basic Docker-like environment using Linux namespaces, cgroups, and chroot. We explored the code and command examples to gain a deeper understanding of how these technologies work together to create isolated and efficient containers.