I'm Building My Own Container Runtime!
This is part of a complete series where I'm building Conti - a container runtime from scratch. Check it out on GitHub!
About This Series:
- I'm sharing everything I learn while building my own container runtime
- Most concepts come from videos, documentation, and LLM-assisted learning (for educational purposes)
- Focus: Understanding through practice - raw Linux commands and practical implementation
- Important: When building your own container, DON'T copy code from sources - it kills the fun! Write it yourself, break things, debug, and learn.
Why Build Your Own?
- Deep understanding of how containers really work
- Master low-level Linux concepts
- Learn by doing, not just reading
- It's incredibly fun when things finally click!
Network Namespaces
What are Network Namespaces?
Network namespaces give each process (or group of processes) its own copy of the network stack: interfaces and their addresses, routing tables, netfilter (iptables) rules, sockets and port numbers. Two processes in different network namespaces can both bind port 80 without conflict and cannot see each other's interfaces at all.
Three Key Network Resources
1. Network Devices
- Ethernet interfaces (eth0, eth1)
- Loopback device (lo)
- Virtual interfaces
2. Firewall Rules (iptables / nftables)
- Packet filtering rules
- NAT rules
- Security policies
3. Routing Tables
- Route decisions
- Gateway configurations
- Network paths
Visual Architecture
┌────────────────────────────────────────────────────┐
│ Host System                                        │
├────────────────────────────────────────────────────┤
│                                                    │
│  ┌─────────────────────┐  ┌─────────────────────┐  │
│  │ Default Namespace   │  │ App Namespace       │  │
│  ├─────────────────────┤  ├─────────────────────┤  │
│  │ Devices:            │  │ Devices:            │  │
│  │ • lo (127.0.0.1)    │  │ • lo (isolated)     │  │
│  │ • eth0              │  │                     │  │
│  │ • docker0           │  │                     │  │
│  ├─────────────────────┤  ├─────────────────────┤  │
│  │ IPTables:           │  │ IPTables:           │  │
│  │ • Complex rules     │  │ • Default/empty     │  │
│  │ • Firewall config   │  │ • Customizable      │  │
│  ├─────────────────────┤  ├─────────────────────┤  │
│  │ Routing:            │  │ Routing:            │  │
│  │ • Internet routes   │  │ • Empty initially   │  │
│  │ • Local routes      │  │ • Isolated          │  │
│  └─────────────────────┘  └─────────────────────┘  │
│                                                    │
└────────────────────────────────────────────────────┘
Practical Commands
View Network Resources on Host:
# List network devices
ip link list
# View IP tables rules (requires sudo)
sudo iptables --list
# Show routing table
ip route
Create Network Namespace:
# New PID + network namespace; --fork makes bash PID 1 inside it, --mount-proc mounts a /proc that matches
sudo unshare --pid --net --fork --mount-proc /bin/bash
# Inside the namespace (you are still root here, no sudo needed), check resources:
ip link list # Only lo, and it is DOWN until you run: ip link set lo up
iptables --list # Empty chains with policy ACCEPT: none of the host's rules apply in here
ip route # Empty routing table: with no interface there is nowhere to route to
Use Cases for Network Namespaces
- Security Isolation: A namespace with no interfaces has no network access at all; the process can reach only the devices you attach. Path-based UNIX sockets on a shared filesystem (for example /var/run/docker.sock) are not covered, since those are reached through the mount namespace, not the network one
- Network Testing: Simulate different network conditions
- Container Networking: Foundation for Docker/Kubernetes networking
- Multi-tenancy: Separate network resources for different applications
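The commands above leave the new namespace with no way to reach anything; a container gets its connectivity by having a virtual device attached. The script below is an added example (not code from the original post or from Conti) that wires a namespace to the host with a veth pair and NAT, the way Docker's bridge driver does for docker0, and then checks that it really is a separate namespace. The names conti-demo, veth-host and veth-ns and the 10.200.0.0/24 subnet are assumptions made for the demo; it needs root, iproute2 and iptables.

```shell
#!/bin/sh
# Added example, not Conti's own code: connect a network namespace to the host
# through a veth pair and NAT. Assumed (not from the original page): the
# namespace and interface names, the 10.200.0.0/24 subnet, and root.
set -eu

NS=conti-demo
HOST_IF=veth-host
NS_IF=veth-ns
HOST_IP=10.200.0.1
NS_IP=10.200.0.2
SUBNET=10.200.0.0/24

# "net:[4026531992]" -> "4026531992". The inode number identifies the namespace;
# two processes are in the same namespace exactly when these numbers match.
ns_inode_from_link() {
    printf '%s' "$1" | tr -cd '0-9'
}

# ns_id PID TYPE -> namespace inode of a running process, e.g. ns_id $$ net
ns_id() {
    ns_inode_from_link "$(readlink "/proc/$1/ns/$2")"
}

# Host interface that carries the default route: this is the NAT uplink.
uplink_if() {
    ip -o route get 1.1.1.1 | awk '{ for (i = 1; i <= NF; i++) if ($i == "dev") print $(i + 1) }'
}

setup() {
    ip netns add "$NS"
    # A fresh namespace has only lo, and lo is DOWN until someone brings it up.
    ip netns exec "$NS" ip link set lo up

    # A veth pair is a virtual cable; move one end into the namespace.
    ip link add "$HOST_IF" type veth peer name "$NS_IF"
    ip link set "$NS_IF" netns "$NS"

    ip addr add "$HOST_IP/24" dev "$HOST_IF"
    ip link set "$HOST_IF" up
    ip netns exec "$NS" ip addr add "$NS_IP/24" dev "$NS_IF"
    ip netns exec "$NS" ip link set "$NS_IF" up
    ip netns exec "$NS" ip route add default via "$HOST_IP"

    # Uplink: masquerade this subnet only, and only towards the egress interface.
    # Forwarding is opened outbound; inbound only for replies known to conntrack.
    up=$(uplink_if)
    sysctl -qw net.ipv4.ip_forward=1
    iptables -t nat -A POSTROUTING -s "$SUBNET" -o "$up" -j MASQUERADE
    iptables -A FORWARD -i "$HOST_IF" -o "$up" -j ACCEPT
    iptables -A FORWARD -i "$up" -o "$HOST_IF" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
}

verify() {
    host_ns=$(ns_id $$ net)
    ns_ns=$(ns_inode_from_link "$(ip netns exec "$NS" readlink /proc/self/ns/net)")
    if [ "$host_ns" = "$ns_ns" ]; then
        echo "FAIL: $NS shares the host network namespace" >&2
        return 1
    fi
    echo "host net ns: $host_ns   $NS net ns: $ns_ns"
    ip netns exec "$NS" ip -br link      # lo and veth-ns only
    ip netns exec "$NS" ip route         # the one default route added above
    ip netns exec "$NS" iptables -S      # empty chains, policy ACCEPT
    ip netns exec "$NS" ping -c 1 -W 1 "$HOST_IP"
}

teardown() {
    up=$(uplink_if)
    iptables -D FORWARD -i "$up" -o "$HOST_IF" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    iptables -D FORWARD -i "$HOST_IF" -o "$up" -j ACCEPT
    iptables -t nat -D POSTROUTING -s "$SUBNET" -o "$up" -j MASQUERADE
    # Deleting the namespace destroys veth-ns; its peer veth-host goes with it.
    ip netns del "$NS"
}

case "${1:-}" in
    up)   setup; verify ;;
    down) teardown ;;
esac
```

Run `sudo sh veth-demo.sh up` to build and verify the setup and `sudo sh veth-demo.sh down` to remove it. `ip netns add` is used instead of `unshare --net` because a named namespace can be entered repeatedly with `ip netns exec` while you configure it from the host side; the kernel object is the same. The two FORWARD rules are the part that is easy to forget: on a host whose FORWARD policy is DROP (Docker sets that), the namespace can reach the host without them but nothing beyond it.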
UTS Namespaces
What are UTS Namespaces?
UTS (UNIX Time-Sharing) namespaces isolate the hostname and the NIS domain name, i.e. the values reported by uname(2) and changed with sethostname(2) and setdomainname(2). Nothing else is covered; a process in its own UTS namespace still shares every other resource with its parent unless those are unshared too.
Visual Concept
┌────────────────────────────────────────────────┐
│ Host: "production-server"                      │
├────────────────────────────────────────────────┤
│                                                │
│   ┌────────────────┐      ┌────────────────┐   │
│   │ Web App 1      │      │ Web App 2      │   │
│   │                │      │                │   │
│   │ Hostname:      │      │ Hostname:      │   │
│   │ "webapp-01"    │      │ "webapp-02"    │   │
│   │                │      │                │   │
│   │ UTS Namespace  │      │ UTS Namespace  │   │
│   └────────────────┘      └────────────────┘   │
│                                                │
└────────────────────────────────────────────────┘
Practical Implementation
# Create namespace with UTS isolation
sudo unshare --uts --pid --fork --mount-proc /bin/bash
# Change hostname in namespace (only this namespace's copy changes; the host keeps its name)
hostname webapp-01
# Re-exec bash so the prompt (\h) picks up the new name; the kernel value already changed
exec bash
# Verify hostname
hostname
# Output: webapp-01
# In another terminal on the host, hostname still prints the original name
Benefits of UTS Namespaces
- Application Identity: Each container can have its own hostname
- Configuration Isolation: Applications can use hostname-based configs
- Testing: Simulate different server environments
IPC Namespaces
What are IPC Namespaces?
IPC (Inter-Process Communication) namespaces provide isolation of:
- System V IPC objects: Message queues, semaphores, shared memory
- POSIX message queues
POSIX shared memory and named POSIX semaphores are files under /dev/shm, so they are isolated by the mount namespace, not the IPC namespace; a container that shares the host's /dev/shm shares those objects too.
IPC Resources Isolation
┌─────────────────────────────────────────────────┐
│ Host System                                     │
├─────────────────────────────────────────────────┤
│                                                 │
│   ┌───────────────────┐   ┌───────────────────┐ │
│   │ Namespace 1       │   │ Namespace 2       │ │
│   ├───────────────────┤   ├───────────────────┤ │
│   │ Message Queue:    │   │ Message Queue:    │ │
│   │ Key: 0x12345      │   │ Key: 0x67890      │ │
│   │                   │   │                   │ │
│   │ Processes can     │   │ Processes can     │ │
│   │ only see their    │   │ only see their    │ │
│   │ own queue         │   │ own queue         │ │
│   └─────────┬─────────┘   └─────────┬─────────┘ │
│             │                       │           │
│             └───────────┬───────────┘           │
│                         │                       │
│                   Isolated IPC                  │
└─────────────────────────────────────────────────┘
Practical Commands
# Create namespace with IPC isolation
sudo unshare --ipc --pid --fork --mount-proc /bin/bash
# Create a message queue
ipcmk -Q
# View message queues
ipcs -q
# The queue is only visible in this namespace: ipcs -q on the host does not list it,
# and the kernel destroys it when the last process in the namespace exits
Commands Reference
Essential Commands Summary
Command | Purpose | Example |
---|---|---|
unshare | Create new namespaces | sudo unshare --net --pid --fork /bin/bash |
ip link | View network devices | ip link list |
ip route | View routing table | ip route show |
iptables | View/modify firewall rules | sudo iptables -L |
hostname | View/set hostname | hostname NewName |
ipcmk | Create IPC resources | ipcmk -Q |
ipcs | View IPC resources | ipcs -q |
Common Namespace Creation Patterns
# Isolation with all five namespaces covered so far (user, cgroup and time namespaces have their own flags)
sudo unshare --uts --ipc --pid --net --fork --mount-proc /bin/bash
# Network testing environment
sudo unshare --net --fork /bin/bash
# Application container simulation (always pair --pid with --fork: without it the program unshare runs stays in the old PID namespace and only its children land in the new one)
sudo unshare --pid --net --uts --ipc --fork --mount-proc /bin/bash
# Without sudo: add --user --map-root-user, which creates a user namespace first and maps you to root inside it (requires unprivileged user namespaces to be enabled on the host)
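The UTS and IPC sections above each show one change made inside a namespace, and the patterns here combine several flags at once. The script below, an added example rather than code from the post or from Conti, turns those manual checks into something a runtime can run on itself: it compares namespace inodes under /proc/<pid>/ns/ between the host and a child started with each unshare flag, then confirms that a hostname change and a message queue created inside do not leak out. It assumes util-linux unshare, ipcmk and ipcs, root, and uses webapp-01 as a throwaway hostname.

```shell
#!/bin/sh
# Added example, not Conti's own code: check that unshare really gave a child
# its own uts/ipc/net/pid/mnt namespaces and that UTS and IPC changes made
# inside stay inside. Assumed: util-linux tools, root, demo hostname webapp-01.
set -eu

# "uts:[4026531838]" -> "4026531838": the inode identifies the namespace.
ns_inode_from_link() {
    printf '%s' "$1" | tr -cd '0-9'
}

# ns_id PID TYPE -> namespace inode of a running process (e.g. ns_id $$ uts)
ns_id() {
    ns_inode_from_link "$(readlink "/proc/$1/ns/$2")"
}

# same_ns PID1 PID2 TYPE -> true when both processes share that namespace
same_ns() {
    [ "$(ns_id "$1" "$3")" = "$(ns_id "$2" "$3")" ]
}

# For each type, start a child with only that namespace unshared and compare
# its inode with ours. /proc is still the host's mount, so /proc/self resolves
# even for a child that is PID 1 of a new pid namespace.
check_separated() {
    for pair in uts:--uts ipc:--ipc net:--net pid:--pid mnt:--mount; do
        type=${pair%%:*}
        flag=${pair#*:}
        host=$(ns_id $$ "$type")
        child=$(ns_inode_from_link "$(unshare "$flag" --fork readlink "/proc/self/ns/$type")")
        if [ "$host" = "$child" ]; then
            echo "FAIL $type: child shares the host namespace ($host)" >&2
            return 1
        fi
        echo "ok   $type: host $host, child $child"
    done
}

# Changing the hostname inside a UTS namespace must not change the host's.
check_uts_leak() {
    before=$(hostname)
    inside=$(unshare --uts --fork sh -c 'hostname webapp-01 && hostname')
    after=$(hostname)
    [ "$inside" = webapp-01 ] && [ "$after" = "$before" ]
}

# Number of System V message queues visible to the caller (ipcs rows start with the key).
count_queues() {
    ipcs -q | grep -c '^0x' || true
}

# A queue created inside an IPC namespace is invisible on the host and is
# destroyed by the kernel when the last process in that namespace exits.
check_ipc_leak() {
    before=$(count_queues)
    inside=$(unshare --ipc --fork sh -c 'ipcmk -Q >/dev/null; ipcs -q | grep -c "^0x"')
    after=$(count_queues)
    [ "$inside" = 1 ] && [ "$after" = "$before" ]
}

case "${1:-}" in
    check)
        [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }
        check_separated
        check_uts_leak || { echo "FAIL uts: hostname change leaked to the host" >&2; exit 1; }
        echo "ok   uts: hostname change stayed inside the namespace"
        check_ipc_leak || { echo "FAIL ipc: message queue visible on the host" >&2; exit 1; }
        echo "ok   ipc: message queue stayed inside the namespace"
        ;;
esac
```

Run `sudo sh verify-ns.sh check`. The inode comparison is the same test you can do by hand with `ls -l /proc/<pid>/ns/` on the host: it tells you which namespaces a container's PID is actually in, and two processes with equal inode numbers for a type can see each other's resources of that type, whatever the runtime claims.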
Summary
Key Takeaways
1. Network Namespaces provide:
- Isolated network devices
- Separate IP tables (firewall rules)
- Independent routing tables
- Foundation for container networking
2. UTS Namespaces enable:
- Hostname isolation
- Domain name isolation
- Per-container identity
3. IPC Namespaces offer:
- Message queue isolation
- Semaphore isolation
- Shared memory isolation
- Separate object tables, so a process in one container cannot attach to another's queues, semaphores or shared memory segments
Namespace Interaction Diagram
┌─────────────────────────────────────────────────┐
│ Linux Kernel                                    │
├─────────────────────────────────────────────────┤
│                                                 │
│  ┌───────────────────────────────────────────┐  │
│  │ Containerized Application                 │  │
│  ├───────────────────────────────────────────┤  │
│  │                                           │  │
│  │  ┌─────────┐  ┌─────────┐  ┌─────────┐    │  │
│  │  │   PID   │  │   NET   │  │   UTS   │    │  │
│  │  │Namespace│  │Namespace│  │Namespace│    │  │
│  │  └─────────┘  └─────────┘  └─────────┘    │  │
│  │                                           │  │
│  │  ┌─────────┐  ┌─────────┐  ┌─────────┐    │  │
│  │  │   IPC   │  │  Mount  │  │  User   │    │  │
│  │  │Namespace│  │Namespace│  │Namespace│    │  │
│  │  └─────────┘  └─────────┘  └─────────┘    │  │
│  │                                           │  │
│  │        Complete Resource Isolation        │  │
│  └───────────────────────────────────────────┘  │
│                                                 │
└─────────────────────────────────────────────────┘
Real-World Applications
- Docker: Uses PID, network, UTS, IPC and mount namespaces for every container; user namespaces only when userns-remap or rootless mode is configured
- Kubernetes: Builds on the same namespaces for pod isolation (containers in one pod share the network and IPC namespaces)
- systemd: Uses namespaces for service isolation through unit options such as PrivateNetwork=, PrivateIPC=, ProtectHostname= and PrivateTmp=