LINUX – WRITING A SIMPLE CONTAINER APP WITH NAMESPACES

One of the building blocks to implement containers is Linux namespaces. Namespaces control what a process can see. It can be the processes IDs, mount points, network adapters and more.

To use namespaces we call the clone(2) system call.

Creating a child process – fork vs clone

To create a new process in Linux, we can use fork(2) or clone(2) system calls. We use fork(2) to create a new child process with a separate memory mapping (using CoW) , we use clone(2) to create a child process that shares resources with its parent. One use of clone is to implement multithreading, other use is to implement namespaces

Namespaces with clone(2)

To create a child process in a new namespace and isolated resources we need to use one or more of the following flags :

• CLONE_NEWNET  – isolate network devices
• CLONE_NEWUTS – host and domain names (UNIX Timesharing System)
• CLONE_NEWIPC – IPC objects
• CLONE_NEWPID – PIDs
• CLONE_NEWNS – mount points (file systems)
• CLONE_NEWUSER – users and groups

Simple Example – NEWPID

To create a child process with PID=1 (new processes tree) call clone(2) with CLONE_NEWPID:

 

1	clone(child_fn, child_stack+5000, CLONE_NEWPID , NULL);

getpid() on the child process returns 1, getppid() returns 0. If the child process creates another child it will get a process id from the new tree

Full example:

 

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44

#define _GNU_SOURCE #include <sched.h> #include <stdio.h> #include <stdlib.h> #include <sys/wait.h> #include <unistd.h> #include <sys/types.h> #include <signal.h>   static char child_stack[5000];     void grchild(int num) {   printf("child(%d) in ns my PID: %d Parent ID=%d ", num, getpid(),getppid());   sleep(5);   puts("end child"); }   int child_fn(int ppid) {   int i;   printf("PID: %ld Parent:%ld ", (long)getpid(), getppid());   for(i=0;i<3;i++)   {    if(fork() == 0)    {    grchild(i+1);      exit(0);    }    kill(ppid,SIGKILL); // no effect   }   sleep(2);   kill(2,SIGKILL); // kill the first child   sleep(10);   return 0; }   int main() {   pid_t pid = clone(child_fn, child_stack+5000, CLONE_NEWPID , getpid());   printf("clone() = %d ", pid);     waitpid(pid, NULL, 0);   return 0; }

The main creates a child process in a new PID namespace and send its PID to the child. The child creates 3 children.

If the child process try to kill the parent (out of its namespace) – nothing happens but it can kill a process in its namespace (in this case the first child)

If you build and run this sample (run with sudo)

 

1 2 3 4 5 6 7 8

# sudo ./simple clone() = 5439 PID: 1 Parent:0 child(3) in ns my PID: 4 Parent ID=1 child(2) in ns my PID: 3 Parent ID=1 child(1) in ns my PID: 2 Parent ID=1 end child end child

As you can see the PIDs are 1-4 and the first child didn’t finish (SIGKILL)

Isolates Network Interfaces

To create a child process with different network interfaces use CLONE_NEWNET:

 

1	pid_t pid = clone(child_fn, child_stack+1024*1024, CLONE_NEWNET , NULL);

To create a virtual network adapter we can run ip command:

 

1 2	# sudo ip link add name veth0 type veth peer name veth1 netns [child pid] # sudo ifconfig veth0 10.0.0.3

Now the child should run the command:

 

1	# ifconfig veth1 10.0.0.4

We can code all these commands but for simplicity lets use the system(3) library function

Full Example:

 

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34

#define _GNU_SOURCE #include <sched.h> #include <stdio.h> #include <stdlib.h> #include <sys/wait.h> #include <unistd.h>     static char child_stack[1024*1024];   static int child_fn() {   sleep(1);   system("ifconfig veth1 10.0.0.4");   puts("========= child network interfaces ========");   system("ifconfig -a");   puts("===========================================");   sleep(1);   system("ping -c 3 10.0.0.3");   return 0; }   int main() {   char buf[255];     pid_t pid = clone(child_fn, child_stack+1024*1024, CLONE_NEWNET , NULL);     sprintf(buf,"ip link add name veth0 type veth peer name veth1 netns %d",pid);   system(buf);   system("ifconfig veth0 10.0.0.3");         waitpid(pid, NULL, 0);   return 0; }

Run this test – the output:

 

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26

========= child network interfaces ======== lo        Link encap:Local Loopback             LOOPBACK  MTU:65536  Metric:1           RX packets:0 errors:0 dropped:0 overruns:0 frame:0           TX packets:0 errors:0 dropped:0 overruns:0 carrier:0           collisions:0 txqueuelen:1           RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)   veth1     Link encap:Ethernet  HWaddr 7a:d6:68:fb:c0:04             inet addr:10.0.0.4  Bcast:10.255.255.255  Mask:255.0.0.0           inet6 addr: fe80::78d6:68ff:fefb:c004/64 Scope:Link           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1           RX packets:0 errors:0 dropped:0 overruns:0 frame:0           TX packets:0 errors:0 dropped:0 overruns:0 carrier:0           collisions:0 txqueuelen:1000           RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)   =========================================== PING 10.0.0.3 (10.0.0.3) 56(84) bytes of data. 64 bytes from 10.0.0.3: icmp_seq=1 ttl=64 time=0.076 ms 64 bytes from 10.0.0.3: icmp_seq=2 ttl=64 time=0.048 ms 64 bytes from 10.0.0.3: icmp_seq=3 ttl=64 time=0.071 ms   --- 10.0.0.3 ping statistics --- 3 packets transmitted, 3 received, 0% packet loss, time 1999ms rtt min/avg/max/mdev = 0.048/0.065/0.076/0.012 ms

The child sees only the virtual adapter and can ping the parent using it

Mount Points and file system

To implement a container we need to isolate also the file system. It can be done using CLONE_NEWNS. Before coding , lets build a simple file system using BusyBox or BuildRoot

The simplest way is using buildroot – it is based on busybox.

Download and extract the package, use make menuconfig to enter the configuration menu, just exit and save the default selection and run make

 

1 2 3 4

# tar xvf ./buildroot-2017.11.2.tar.bz2 # cd buildroot-2017.11.2 # make menuconfig # make

It will take a few minutes , after the build is finished you will find a file system in buildroot-2017.11.2/output/target

copy the content to another folder – in my example fs and add some device files to the /dev directory using mknod commands (buildroot can’t do that because it doesn’t run with sudo)

Full Example 

 

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70

#define _GNU_SOURCE #include <sys/types.h> #include <sys/wait.h> #include <sys/mount.h> #include <stdio.h> #include <sched.h> #include <signal.h> #include <unistd.h> #include <sys/ioctl.h> #include <arpa/inet.h> #include <net/if.h> #include <string.h> #define STACK_SIZE (1024 * 1024)   static char stack[STACK_SIZE];   int setip(char *name,char *addr,char *netmask) {     struct ifreq ifr;     int fd = socket(PF_INET, SOCK_DGRAM, IPPROTO_IP);       strncpy(ifr.ifr_name, name, IFNAMSIZ);          ifr.ifr_addr.sa_family = AF_INET;     inet_pton(AF_INET, addr, ifr.ifr_addr.sa_data + 2);     ioctl(fd, SIOCSIFADDR, &ifr);       inet_pton(AF_INET, netmask, ifr.ifr_addr.sa_data + 2);     ioctl(fd, SIOCSIFNETMASK, &ifr);       //get flags     ioctl(fd, SIOCGIFFLAGS, &ifr);       strncpy(ifr.ifr_name, name, IFNAMSIZ);     ifr.ifr_flags |= (IFF_UP | IFF_RUNNING);     // set flags     ioctl(fd, SIOCSIFFLAGS, &ifr);       return 0; }   int child(void* arg) {   char c;   sleep(1);   sethostname("myhost", 6);     chroot("./fs");   chdir("/");   mount("proc", "/proc", "proc", 0, NULL);     setip("veth1","10.0.0.15","255.0.0.0");   execlp("/bin/sh", "/bin/sh" , NULL);     return 1; }   int main() {   char buf[255];   pid_t pid = clone(child, stack+STACK_SIZE,       CLONE_NEWNET | CLONE_NEWUTS | CLONE_NEWIPC | CLONE_NEWPID | CLONE_NEWNS | SIGCHLD, NULL);     sprintf(buf,"sudo ip link add name veth0 type veth peer name veth1 netns %d",pid);     system(buf);   setip("veth0","10.0.0.13","255.0.0.0");       waitpid(pid, NULL, 0);   return 0; }

We create a child process in a new namespace (with PIDs, network, mounts, IPC and UTS) , the parent configure the virtual adapters (using ip link) and set its ip address

The child change the hostname, change the root folder to our buildroot output , change the current directory to ‘/’ , mount proc so ps and other tools will work and set an ip address.

The last step the child does is calling the busybox shell (/bin/sh)

Run this program using sudo – you will get a different shell, file system and network:

Thats it!!

You can find the code with the full Buildroot image here

This is just a simple example to understand the concept. to implement a full container you need also to add capabilities, control groups and more