jLuger.de - Owncloud in a container: container and namespaces

As docker became more and more popular I've started to get my hands on it. For that I've searched the web after documentation and examples. While on that I've came across the following presentation: Anatomy of a Container: Namespaces, cgroups & Some Filesystem Magic - LinuxCon. It introduced me to the concept of namesapces and how they are used to separate conatainers from each other and the host system.

Namespaces aren't docker specific. They are part of the Linux kernel. They even have their own man pages. For an easy start read this Wikipedia article. I will focus on the following three namesacpes as they are the import one for my project:
To play around with namespaces there is a comman line utility named unshare.

For the user namespace call
user@server:~$ unshare -U
The user is nobody because whe can't specify an id to which whe want to get mapped and this is a default.

To get root id call it like this:
user@server:~$ unshare -r
Now take a look at the filesystem:
root@server:~$ ls -l
drwxr-xr-x  2 root   root    4096 Sep 19 19:45 Documents
root@server:~$ ls -l /opt
drwxr-xr-x   2 nobody nogroup      12288 Okt 13 23:08 bin
Your files belong to root and the root files are mapped to nobody.

To check that your system isn't at risk see this:
root@server:~$ touch /bin/h
touch: cannot touch '/bin/h': Permission denied

What will work is chroot.

The PID namespace is a bit trickier to play with.
user@server:~$ unshare -p
unshare: unshare failed: Operation not permitted
To get it to start I also had to append the -f and -r option. Event than it didn't seem to be correctly as I still could see all other process. It took also the option --mount-proc to hide other processes.
user@server:~$ unshare -p -f --mount-proc -r
root@server:~# ps aux
root 1 2.0 0.0 19980 4852 pts/2 S 23:15 0:00 -bash
root 16 0.0 0.0 38980 3036 pts/2 R+ 23:15 0:00 ps aux
When you do a ps on another bash you will see the "-bash" command but it won't have PID 1 but another one.

As for the mount namespace: You pass option -m to unshare. But again you need to add the -r option.
user@server:~$ unshare -m
unshare: unshare failed: Operation not permitted
user@server:~$ unshare -r -m
Now you can do mount binds and other suff I din't bother to take a closer look.
To mention the obvious: Without the mount namespace the mapped user root won't be able to do any mounts.

This post is part of a series: