Containing Myself

Recently, for a variety of reasons, I got interested in how containers work in Linux. While my systems came with a version of the LXC container tools, I hadn't used containers for anything. But, a use-case appeared, and it piqued my interest. So I looked at containers and concluded that, if I were to use them, I would have to understand them first. And so, down the rabbit hole, I've gone.

The first thing that I discovered is that there is no such thing as a "container" in Linux. What the IT world calls a "container" is actually a confluence of several independant, but related, features implemented in the Linux kernel over the past couple of decades. So far, I've been able to sort them out into four technologies:

1. Capabilities, which subdivide the powers of the root user,
2. Namespaces, which allow processes to isolate or share their view of the system,
3. Mounts, who's expanded powers permit the sharing or isolation of multiple views of mounted filesystems, and
4. Cgroups, which provide a mechanism to limit the use of select system resources within groups of processes

I don't intend to expound on the features or usage of these various technologies; I list them simply to show that, individually, they are each complex and arcane studies that together make up the simple technology called "containers".

My plan of attack is to study each of these technologies, and to prove my study by building my own "container" system. I've taken the first steps with a "toy" container that succeeds in giving me a (not very configurable) isolated, "contained" environment to play in. I call this implementation "toybox", and will write more about it and my learning as I go.

But, for now, I will have to contain myself.