Container from scratch

Using namespaces , we can start a process which will be completely isolated from other processes running in the system.

Create root File System

Create directory to store rootfs contents

$ mkdir -p /root/busybox/rootfs
$ CONTAINER_ROOT=/root/busybox/rootfs
$ cd ${CONTAINER_ROOT}

Download busybox binary

$ wget https://busybox.net/downloads/binaries/1.28.1-defconfig-multiarch/busybox-x86_64

Create needed directories and symlinks

$ mv busybox-x86_64 busybox
$ chmod 755 busybox
$ mkdir bin
$ mkdir proc
$ mkdir sys
$ mkdir tmp
$ for i in $(./busybox --list)
do
   ln -s /busybox bin/$i
done

Start Container

Start a shell in new contianer

$ unshare --mount --uts --ipc --net --pid --fork --user --map-root-user chroot ${CONTAINER_ROOT} /bin/sh

Mount essential kernel structures

$ mount -t proc none /proc
$ mount -t sysfs none /sys
$ mount -t tmpfs none /tmp

Configure networking

From Host system , create a veth pair and then map that to container

$ sudo ip link add vethlocal type veth  peer name vethNS
$ sudo ip link set vethlocal up
$ sudo ip link set vethNS up
$ sudo ps -ef |grep '/bin/sh'
$ sudo ip link set vethNS netns <pid of /bin/sh>

Container from scratch

Create root File System

Create directory to store rootfs contents

Download busybox binary

Create needed directories and symlinks

Start Container

Start a shell in new contianer

Mount essential kernel structures

Configure networking

From Host system , create a veth pair and then map that to container

From container , execute ip link

From container , execute `ip link`