DEV Community: Shubham Nainwal The latest articles on DEV Community by Shubham Nainwal (@shubham_nainwal_4cf0dbffb). https://dev.to/shubham_nainwal_4cf0dbffb https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3912705%2F4610c17f-9bc8-425e-9906-6adc25b74768.png DEV Community: Shubham Nainwal https://dev.to/shubham_nainwal_4cf0dbffb en Build Your Own Container Runtime in Go: From Zero to a Running Isolated Process Shubham Nainwal Sun, 17 May 2026 06:56:22 +0000 https://dev.to/shubham_nainwal_4cf0dbffb/build-your-own-container-runtime-in-go-from-zero-to-a-running-isolated-process-37ej https://dev.to/shubham_nainwal_4cf0dbffb/build-your-own-container-runtime-in-go-from-zero-to-a-running-isolated-process-37ej <p>I built <strong>gocount</strong> as a way to actually understand what Docker does under the hood. By the end of this post you'll have a working container runtime that boots an Alpine Linux shell in its own filesystem, PID tree, hostname, and network, with enforced memory and CPU limits, using nothing but Go and Linux kernel features.</p> <h2> Why Build a Container Runtime? </h2> <p>Containers feel like magic until you look at what's actually happening. When <code>docker run</code> executes, the kernel doesn't spin up a virtual machine. It just creates a process with a restricted view of the system, shaped by five or six kernel primitives that have been in Linux since 2008.</p> <p>Every production container runtime (Docker, Podman, containerd) is ultimately a thin orchestration layer on top of those primitives. Building one yourself is the fastest way to understand:</p> <ul> <li>What a container <strong>actually is</strong> (spoiler: it's a process)</li> <li>How <code>pivot_root</code> replaces the filesystem you see</li> <li>How cgroups enforce the memory limit that OOM-kills your app</li> <li>How the <code>veth</code> pair wires the container to the outside network</li> </ul> <h2> Prerequisites </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Requirement</th> <th>Why</th> </tr> </thead> <tbody> <tr> <td>Linux (kernel 5.10+ recommended)</td> <td>All the kernel features used here are Linux-specific</td> </tr> <tr> <td>Go 1.23+</td> <td>Module system + <code>syscall</code> / <code>golang.org/x/sys</code> </td> </tr> <tr> <td> <code>iproute2</code> (<code>ip</code> command)</td> <td>Creating and managing network interfaces</td> </tr> <tr> <td><code>iptables</code></td> <td>NAT masquerading for container internet access</td> </tr> <tr> <td>Root access</td> <td>Namespaces, cgroup creation, and <code>pivot_root</code> require it</td> </tr> <tr> <td><code>nsenter</code></td> <td>Moving a network interface into a namespace</td> </tr> </tbody> </table></div> <p>Check your kernel supports cgroup v2 (required for memory + CPU limits):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cat</span> /sys/fs/cgroup/cgroup.controllers <span class="c"># Should include: cpuset cpu io memory hugetlb pids rdma</span> </code></pre> </div> <h2> Project Layout </h2> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>gocount/ ├── main.go ├── go.mod ├── Makefile ├── cmd/ │ ├── root.go # cobra root command │ ├── run.go # run &amp; start subcommands + child setup │ ├── ps.go # list containers │ ├── stop.go # stop &amp; rm commands │ └── inspect.go # inspect a container └── internal/ ├── container/ │ ├── container.go # Container struct, in-memory map, JSON persistence │ ├── mount.go # pivot_root, /proc /sys /dev mounts, DNS │ └── utils.go # EnsureContainerDir ├── cgroups/ │ └── cgroups.go # cgroup v2 create / limits / delete ├── rootfs/ │ └── manager.go # download &amp; extract Alpine Linux rootfs └── network/ └── network.go # veth pair, IP forwarding, NAT, in-container setup </code></pre> </div> <p>Initialise it:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">mkdir </span>gocount <span class="o">&amp;&amp;</span> <span class="nb">cd </span>gocount go mod init gocount go get github.com/spf13/cobra@v1.10.1 go get golang.org/x/sys@v0.29.0 </code></pre> </div> <h2> Concept 1: Linux Namespaces </h2> <p>A namespace wraps a global resource and gives a process the illusion that it has its own isolated instance of that resource. gocount uses four:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Flag</th> <th>What it isolates</th> </tr> </thead> <tbody> <tr> <td><code>CLONE_NEWPID</code></td> <td>PID space — the container's first process is PID 1</td> </tr> <tr> <td><code>CLONE_NEWUTS</code></td> <td>Hostname and domain name</td> </tr> <tr> <td><code>CLONE_NEWNS</code></td> <td>Mount tree — filesystem changes are invisible to the host</td> </tr> <tr> <td><code>CLONE_NEWNET</code></td> <td>Network stack — the container gets its own <code>lo</code>, no host interfaces</td> </tr> </tbody> </table></div> <p>When you combine all four, the process is isolated enough to look and feel like a separate machine, even though it's sharing the same kernel as the host.</p> <h2> Concept 2: cgroup v2 </h2> <p>cgroup v2 is the kernel's resource accounting and limiting subsystem. It's a virtual filesystem mounted at <code>/sys/fs/cgroup</code>. You control a process by:</p> <ol> <li>Creating a subdirectory: <code>mkdir /sys/fs/cgroup/gocount/&lt;id&gt;</code> </li> <li>Writing the limit: <code>echo 104857600 &gt; /sys/fs/cgroup/gocount/&lt;id&gt;/memory.max</code> </li> <li>Writing the PID: <code>echo &lt;pid&gt; &gt; /sys/fs/cgroup/gocount/&lt;id&gt;/cgroup.procs</code> </li> </ol> <p>Once the PID is in the cgroup, the kernel enforces the limit. Exceed it and the OOM killer fires.</p> <h2> Concept 3: pivot_root </h2> <p><code>chroot</code> changes where a process looks for <code>/</code>, but <code>pivot_root</code> is stronger. It actually swaps the root mount point and lets you unmount the old one entirely, so the process can't escape back to the host filesystem.</p> <p>The steps:</p> <ol> <li>Bind-mount the new rootfs onto itself (required by the kernel)</li> <li>Create a <code>/.pivot_root</code> directory inside the new rootfs</li> <li>Call <code>pivot_root(newroot, newroot/.pivot_root)</code> </li> <li> <code>chdir("/")</code> to land inside the new root</li> <li>Unmount <code>/.pivot_root</code> with <code>MNT_DETACH</code> </li> <li>Remove <code>/.pivot_root</code> </li> </ol> <p>After step 6, the host filesystem is completely gone from the process's perspective.</p> <h2> Concept 4: veth pairs </h2> <p>A veth pair is a virtual Ethernet cable with two ends. When you move one end into the container's network namespace, you get a private point-to-point link between host and container. gocount then:</p> <ul> <li>Assigns <code>10.0.0.1/24</code> to the host end</li> <li>Assigns <code>10.0.0.2/24</code> to the container end</li> <li>Adds a default route through <code>10.0.0.1</code> </li> <li>Configures iptables NAT (masquerade) so the container can reach the internet</li> </ul> <h2> Step 1: Entry Point and CLI </h2> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>main.go cmd/root.go </code></pre> </div> <p><code>main.go</code> is two lines:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="c">// main.go</span> <span class="k">package</span> <span class="n">main</span> <span class="k">import</span> <span class="s">"gocount/cmd"</span> <span class="k">func</span> <span class="n">main</span><span class="p">()</span> <span class="p">{</span> <span class="n">cmd</span><span class="o">.</span><span class="n">Execute</span><span class="p">()</span> <span class="p">}</span> </code></pre> </div> <p><code>cmd/root.go</code> registers the root cobra command:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="c">// cmd/root.go</span> <span class="k">package</span> <span class="n">cmd</span> <span class="k">import</span> <span class="p">(</span> <span class="s">"fmt"</span> <span class="s">"os"</span> <span class="s">"github.com/spf13/cobra"</span> <span class="p">)</span> <span class="k">var</span> <span class="n">rootCmd</span> <span class="o">=</span> <span class="o">&amp;</span><span class="n">cobra</span><span class="o">.</span><span class="n">Command</span><span class="p">{</span> <span class="n">Use</span><span class="o">:</span> <span class="s">"gocount"</span><span class="p">,</span> <span class="n">Short</span><span class="o">:</span> <span class="s">"gocount is a minimal container runtime"</span><span class="p">,</span> <span class="n">Long</span><span class="o">:</span> <span class="s">`Run Linux processes in isolated namespaces, like a tiny Docker.`</span><span class="p">,</span> <span class="p">}</span> <span class="k">func</span> <span class="n">Execute</span><span class="p">()</span> <span class="p">{</span> <span class="k">if</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">rootCmd</span><span class="o">.</span><span class="n">Execute</span><span class="p">();</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Println</span><span class="p">(</span><span class="n">err</span><span class="p">)</span> <span class="n">os</span><span class="o">.</span><span class="n">Exit</span><span class="p">(</span><span class="m">1</span><span class="p">)</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h2> Step 2: The Container Struct and Persistence </h2> <p>Every running container is represented by this struct and stored in two places: an in-memory map for fast lookup, and a JSON file under <code>/tmp/gocount/&lt;id&gt;.json</code> so it survives process restarts.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="c">// internal/container/container.go</span> <span class="k">package</span> <span class="n">container</span> <span class="k">import</span> <span class="p">(</span> <span class="s">"encoding/json"</span> <span class="s">"fmt"</span> <span class="s">"math/rand"</span> <span class="s">"os"</span> <span class="s">"strings"</span> <span class="p">)</span> <span class="k">type</span> <span class="n">Container</span> <span class="k">struct</span> <span class="p">{</span> <span class="n">ID</span> <span class="kt">string</span> <span class="n">Pid</span> <span class="kt">int</span> <span class="n">Command</span> <span class="p">[]</span><span class="kt">string</span> <span class="n">Status</span> <span class="kt">string</span> <span class="n">RootFs</span> <span class="kt">string</span> <span class="n">Cgroup</span> <span class="kt">string</span> <span class="p">}</span> <span class="k">var</span> <span class="n">Containers</span> <span class="o">=</span> <span class="k">map</span><span class="p">[</span><span class="kt">string</span><span class="p">]</span><span class="o">*</span><span class="n">Container</span><span class="p">{}</span> <span class="k">func</span> <span class="n">GenerateID</span><span class="p">()</span> <span class="kt">string</span> <span class="p">{</span> <span class="n">letters</span> <span class="o">:=</span> <span class="s">"abcdefghijklmnopqrstuvwxyz0123456789"</span> <span class="n">id</span> <span class="o">:=</span> <span class="s">""</span> <span class="k">for</span> <span class="n">i</span> <span class="o">:=</span> <span class="m">0</span><span class="p">;</span> <span class="n">i</span> <span class="o">&lt;</span> <span class="m">8</span><span class="p">;</span> <span class="n">i</span><span class="o">++</span> <span class="p">{</span> <span class="n">id</span> <span class="o">+=</span> <span class="kt">string</span><span class="p">(</span><span class="n">letters</span><span class="p">[</span><span class="n">rand</span><span class="o">.</span><span class="n">Intn</span><span class="p">(</span><span class="nb">len</span><span class="p">(</span><span class="n">letters</span><span class="p">))])</span> <span class="p">}</span> <span class="k">return</span> <span class="n">id</span> <span class="p">}</span> <span class="k">func</span> <span class="n">SaveContainer</span><span class="p">(</span><span class="n">c</span> <span class="o">*</span><span class="n">Container</span><span class="p">)</span> <span class="kt">error</span> <span class="p">{</span> <span class="n">data</span><span class="p">,</span> <span class="n">_</span> <span class="o">:=</span> <span class="n">json</span><span class="o">.</span><span class="n">Marshal</span><span class="p">(</span><span class="n">c</span><span class="p">)</span> <span class="n">path</span> <span class="o">:=</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Sprintf</span><span class="p">(</span><span class="s">"/tmp/gocount/%s.json"</span><span class="p">,</span> <span class="n">c</span><span class="o">.</span><span class="n">ID</span><span class="p">)</span> <span class="k">return</span> <span class="n">os</span><span class="o">.</span><span class="n">WriteFile</span><span class="p">(</span><span class="n">path</span><span class="p">,</span> <span class="n">data</span><span class="p">,</span> <span class="m">0644</span><span class="p">)</span> <span class="p">}</span> <span class="k">func</span> <span class="n">LoadContainers</span><span class="p">()</span> <span class="p">([]</span><span class="o">*</span><span class="n">Container</span><span class="p">,</span> <span class="kt">error</span><span class="p">)</span> <span class="p">{</span> <span class="k">var</span> <span class="n">containers</span> <span class="p">[]</span><span class="o">*</span><span class="n">Container</span> <span class="n">files</span><span class="p">,</span> <span class="n">_</span> <span class="o">:=</span> <span class="n">os</span><span class="o">.</span><span class="n">ReadDir</span><span class="p">(</span><span class="s">"/tmp/gocount"</span><span class="p">)</span> <span class="k">for</span> <span class="n">_</span><span class="p">,</span> <span class="n">f</span> <span class="o">:=</span> <span class="k">range</span> <span class="n">files</span> <span class="p">{</span> <span class="k">if</span> <span class="n">f</span><span class="o">.</span><span class="n">IsDir</span><span class="p">()</span> <span class="o">||</span> <span class="o">!</span><span class="n">strings</span><span class="o">.</span><span class="n">HasSuffix</span><span class="p">(</span><span class="n">f</span><span class="o">.</span><span class="n">Name</span><span class="p">(),</span> <span class="s">".json"</span><span class="p">)</span> <span class="p">{</span> <span class="k">continue</span> <span class="p">}</span> <span class="n">data</span><span class="p">,</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">os</span><span class="o">.</span><span class="n">ReadFile</span><span class="p">(</span><span class="s">"/tmp/gocount/"</span> <span class="o">+</span> <span class="n">f</span><span class="o">.</span><span class="n">Name</span><span class="p">())</span> <span class="k">if</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Fprintf</span><span class="p">(</span><span class="n">os</span><span class="o">.</span><span class="n">Stderr</span><span class="p">,</span> <span class="s">"Warning: could not read %s: %v</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span> <span class="n">f</span><span class="o">.</span><span class="n">Name</span><span class="p">(),</span> <span class="n">err</span><span class="p">)</span> <span class="k">continue</span> <span class="p">}</span> <span class="k">var</span> <span class="n">c</span> <span class="n">Container</span> <span class="k">if</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">json</span><span class="o">.</span><span class="n">Unmarshal</span><span class="p">(</span><span class="n">data</span><span class="p">,</span> <span class="o">&amp;</span><span class="n">c</span><span class="p">);</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Fprintf</span><span class="p">(</span><span class="n">os</span><span class="o">.</span><span class="n">Stderr</span><span class="p">,</span> <span class="s">"Warning: could not parse %s: %v</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span> <span class="n">f</span><span class="o">.</span><span class="n">Name</span><span class="p">(),</span> <span class="n">err</span><span class="p">)</span> <span class="k">continue</span> <span class="p">}</span> <span class="n">containers</span> <span class="o">=</span> <span class="nb">append</span><span class="p">(</span><span class="n">containers</span><span class="p">,</span> <span class="o">&amp;</span><span class="n">c</span><span class="p">)</span> <span class="p">}</span> <span class="k">return</span> <span class="n">containers</span><span class="p">,</span> <span class="no">nil</span> <span class="p">}</span> </code></pre> </div> <p><strong>Why two stores?</strong> The in-memory map is O(1) with no I/O overhead for commands that run in the same process lifetime as <code>run</code>. The JSON files persist state across invocations, so <code>ps</code>, <code>stop</code>, and <code>inspect</code> work even after the parent process exits.</p> <h2> Step 3: Downloading the Rootfs </h2> <p>A container needs a root filesystem. gocount downloads <strong>Alpine Linux minirootfs</strong> on first run. It's only ~3 MB compressed and contains a full <code>/bin/sh</code>, <code>ip</code>, <code>ping</code>, <code>python3</code>, and <code>apk</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="c">// internal/rootfs/manager.go</span> <span class="k">const</span> <span class="n">DefaultRootfsURL</span> <span class="o">=</span> <span class="s">"https://dl-cdn.alpinelinux.org/alpine/v3.19/releases/x86_64/alpine-minirootfs-3.19.1-x86_64.tar.gz"</span> <span class="k">func</span> <span class="n">EnsureRootfs</span><span class="p">(</span><span class="n">rootfsDir</span> <span class="kt">string</span><span class="p">)</span> <span class="kt">error</span> <span class="p">{</span> <span class="k">if</span> <span class="n">isValidRootfs</span><span class="p">(</span><span class="n">rootfsDir</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="no">nil</span> <span class="p">}</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Println</span><span class="p">(</span><span class="s">"Rootfs not found. Downloading Alpine Linux rootfs..."</span><span class="p">)</span> <span class="k">return</span> <span class="n">DownloadAndExtractRootfs</span><span class="p">(</span><span class="n">DefaultRootfsURL</span><span class="p">,</span> <span class="n">rootfsDir</span><span class="p">)</span> <span class="p">}</span> </code></pre> </div> <p><code>isValidRootfs</code> checks that <code>bin/</code>, <code>lib/</code>, <code>etc/</code>, <code>usr/</code>, and <code>bin/sh</code> all exist. If any are missing the tarball is re-downloaded.</p> <p><strong>Security note: zip-slip protection.</strong> When extracting the tarball every header path is validated to stay inside the destination directory:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="n">target</span> <span class="o">:=</span> <span class="n">filepath</span><span class="o">.</span><span class="n">Join</span><span class="p">(</span><span class="n">destPath</span><span class="p">,</span> <span class="n">header</span><span class="o">.</span><span class="n">Name</span><span class="p">)</span> <span class="k">if</span> <span class="o">!</span><span class="n">strings</span><span class="o">.</span><span class="n">HasPrefix</span><span class="p">(</span> <span class="n">filepath</span><span class="o">.</span><span class="n">Clean</span><span class="p">(</span><span class="n">target</span><span class="p">)</span><span class="o">+</span><span class="kt">string</span><span class="p">(</span><span class="n">os</span><span class="o">.</span><span class="n">PathSeparator</span><span class="p">),</span> <span class="n">filepath</span><span class="o">.</span><span class="n">Clean</span><span class="p">(</span><span class="n">destPath</span><span class="p">)</span><span class="o">+</span><span class="kt">string</span><span class="p">(</span><span class="n">os</span><span class="o">.</span><span class="n">PathSeparator</span><span class="p">),</span> <span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Errorf</span><span class="p">(</span><span class="s">"illegal path in tar archive: %s"</span><span class="p">,</span> <span class="n">header</span><span class="o">.</span><span class="n">Name</span><span class="p">)</span> <span class="p">}</span> </code></pre> </div> <p>A crafted tar with <code>../../etc/passwd</code> entries would otherwise silently overwrite host files.</p> <p>The rootfs is stored at <code>/tmp/gocount/&lt;id&gt;/rootfs</code> and reused across runs sharing the same ID. On the very first <code>gocount run</code> you'll see:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Rootfs not found. Downloading Alpine Linux rootfs... Downloading from https://dl-cdn.alpinelinux.org/alpine/... Extracting rootfs... Rootfs setup complete! </code></pre> </div> <p>Subsequent runs are instant because <code>isValidRootfs</code> passes immediately.</p> <h2> Step 4: cgroup v2 Resource Limits </h2> <p>The cgroup code lives entirely in <code>internal/cgroups/cgroups.go</code>. The interface is simple:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="c">// Create a cgroup for a container</span> <span class="n">cgPath</span><span class="p">,</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">cgroups</span><span class="o">.</span><span class="n">Create</span><span class="p">(</span><span class="n">id</span><span class="p">)</span> <span class="c">// Apply limits (empty string = skip)</span> <span class="n">cgroups</span><span class="o">.</span><span class="n">SetMemoryLimit</span><span class="p">(</span><span class="n">cgPath</span><span class="p">,</span> <span class="s">"100M"</span><span class="p">)</span> <span class="c">// supports M and G suffixes</span> <span class="n">cgroups</span><span class="o">.</span><span class="n">SetCPUQuota</span><span class="p">(</span><span class="n">cgPath</span><span class="p">,</span> <span class="s">"50000 100000"</span><span class="p">)</span> <span class="c">// quota/period in microseconds</span> <span class="c">// Add a process to the cgroup</span> <span class="n">cgroups</span><span class="o">.</span><span class="n">AddProc</span><span class="p">(</span><span class="n">cgPath</span><span class="p">,</span> <span class="n">pid</span><span class="p">)</span> </code></pre> </div> <p><strong>How memory limits are applied:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">func</span> <span class="n">SetMemoryLimit</span><span class="p">(</span><span class="n">cgPath</span><span class="p">,</span> <span class="n">limit</span> <span class="kt">string</span><span class="p">)</span> <span class="kt">error</span> <span class="p">{</span> <span class="k">if</span> <span class="n">limit</span> <span class="o">==</span> <span class="s">""</span> <span class="p">{</span> <span class="k">return</span> <span class="no">nil</span> <span class="p">}</span> <span class="n">val</span> <span class="o">:=</span> <span class="n">limit</span> <span class="k">if</span> <span class="n">strings</span><span class="o">.</span><span class="n">HasSuffix</span><span class="p">(</span><span class="n">limit</span><span class="p">,</span> <span class="s">"M"</span><span class="p">)</span> <span class="p">{</span> <span class="n">mb</span><span class="p">,</span> <span class="n">_</span> <span class="o">:=</span> <span class="n">strconv</span><span class="o">.</span><span class="n">ParseInt</span><span class="p">(</span><span class="n">strings</span><span class="o">.</span><span class="n">TrimSuffix</span><span class="p">(</span><span class="n">limit</span><span class="p">,</span> <span class="s">"M"</span><span class="p">),</span> <span class="m">10</span><span class="p">,</span> <span class="m">64</span><span class="p">)</span> <span class="n">val</span> <span class="o">=</span> <span class="n">strconv</span><span class="o">.</span><span class="n">FormatInt</span><span class="p">(</span><span class="n">mb</span><span class="o">*</span><span class="m">1024</span><span class="o">*</span><span class="m">1024</span><span class="p">,</span> <span class="m">10</span><span class="p">)</span> <span class="p">}</span> <span class="k">else</span> <span class="k">if</span> <span class="n">strings</span><span class="o">.</span><span class="n">HasSuffix</span><span class="p">(</span><span class="n">limit</span><span class="p">,</span> <span class="s">"G"</span><span class="p">)</span> <span class="p">{</span> <span class="n">gb</span><span class="p">,</span> <span class="n">_</span> <span class="o">:=</span> <span class="n">strconv</span><span class="o">.</span><span class="n">ParseInt</span><span class="p">(</span><span class="n">strings</span><span class="o">.</span><span class="n">TrimSuffix</span><span class="p">(</span><span class="n">limit</span><span class="p">,</span> <span class="s">"G"</span><span class="p">),</span> <span class="m">10</span><span class="p">,</span> <span class="m">64</span><span class="p">)</span> <span class="n">val</span> <span class="o">=</span> <span class="n">strconv</span><span class="o">.</span><span class="n">FormatInt</span><span class="p">(</span><span class="n">gb</span><span class="o">*</span><span class="m">1024</span><span class="o">*</span><span class="m">1024</span><span class="o">*</span><span class="m">1024</span><span class="p">,</span> <span class="m">10</span><span class="p">)</span> <span class="p">}</span> <span class="n">writeFile</span><span class="p">(</span><span class="n">filepath</span><span class="o">.</span><span class="n">Join</span><span class="p">(</span><span class="n">cgPath</span><span class="p">,</span> <span class="s">"memory.max"</span><span class="p">),</span> <span class="n">val</span><span class="p">)</span> <span class="n">writeFile</span><span class="p">(</span><span class="n">filepath</span><span class="o">.</span><span class="n">Join</span><span class="p">(</span><span class="n">cgPath</span><span class="p">,</span> <span class="s">"memory.swap.max"</span><span class="p">),</span> <span class="s">"0"</span><span class="p">)</span> <span class="c">// disable swap</span> <span class="n">writeFile</span><span class="p">(</span><span class="n">filepath</span><span class="o">.</span><span class="n">Join</span><span class="p">(</span><span class="n">cgPath</span><span class="p">,</span> <span class="s">"memory.oom.group"</span><span class="p">),</span> <span class="s">"1"</span><span class="p">)</span> <span class="c">// kill whole cgroup on OOM</span> <span class="k">return</span> <span class="no">nil</span> <span class="p">}</span> </code></pre> </div> <p><strong>CPU quota</strong> uses cgroup v2's <code>cpu.max</code> format: <code>&lt;quota_microseconds&gt; &lt;period_microseconds&gt;</code>. For example <code>"50000 100000"</code> means 50 ms out of every 100 ms period, which works out to 50% of one CPU core.</p> <p><strong>Important:</strong> The cgroup is created <strong>before</strong> the child process starts, so limits are in place the moment the container process writes its PID to <code>cgroup.procs</code>.</p> <h2> Step 5: The <code>run</code> Command (Parent Side) </h2> <p>This is the heart of gocount. The <code>run</code> command works by re-executing itself, a classic self-re-exec pattern used by runc and lxc.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>gocount run /bin/sh │ ├─ parent: sets up cgroup, starts child with namespaces │ └─ child (GOCOUNT_CHILD=1): pivot_root, mount /proc /sys /dev, wait for veth, configure eth0, exec /bin/sh </code></pre> </div> <p><strong>Why self-re-exec?</strong> Go's runtime starts multiple threads before <code>main()</code>. <code>clone(CLONE_NEWPID)</code> in a multi-threaded process can leave threads in inconsistent namespaces. Re-executing <code>/proc/self/exe</code> gives us a fresh, single-threaded process that enters the namespace cleanly from the very start.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="c">// cmd/run.go (parent side, simplified)</span> <span class="n">id</span> <span class="o">:=</span> <span class="n">container</span><span class="o">.</span><span class="n">GenerateID</span><span class="p">()</span> <span class="n">rootdir</span> <span class="o">:=</span> <span class="s">"/tmp/gocount/"</span> <span class="o">+</span> <span class="n">id</span> <span class="o">+</span> <span class="s">"/rootfs"</span> <span class="n">rootfs</span><span class="o">.</span><span class="n">EnsureRootfs</span><span class="p">(</span><span class="n">rootdir</span><span class="p">)</span> <span class="n">cgPath</span><span class="p">,</span> <span class="n">_</span> <span class="o">:=</span> <span class="n">cgroups</span><span class="o">.</span><span class="n">Create</span><span class="p">(</span><span class="n">id</span><span class="p">)</span> <span class="n">cgroups</span><span class="o">.</span><span class="n">SetMemoryLimit</span><span class="p">(</span><span class="n">cgPath</span><span class="p">,</span> <span class="n">flagMemory</span><span class="p">)</span> <span class="n">cgroups</span><span class="o">.</span><span class="n">SetCPUQuota</span><span class="p">(</span><span class="n">cgPath</span><span class="p">,</span> <span class="n">flagCPU</span><span class="p">)</span> <span class="n">command</span> <span class="o">:=</span> <span class="n">exec</span><span class="o">.</span><span class="n">Command</span><span class="p">(</span><span class="s">"/proc/self/exe"</span><span class="p">,</span> <span class="nb">append</span><span class="p">([]</span><span class="kt">string</span><span class="p">{</span><span class="s">"run"</span><span class="p">},</span> <span class="n">args</span><span class="o">...</span><span class="p">)</span><span class="o">...</span><span class="p">)</span> <span class="n">command</span><span class="o">.</span><span class="n">Env</span> <span class="o">=</span> <span class="nb">append</span><span class="p">(</span><span class="n">os</span><span class="o">.</span><span class="n">Environ</span><span class="p">(),</span> <span class="s">"GOCOUNT_CHILD=1"</span><span class="p">,</span> <span class="s">"GOCOUNT_CONTAINER_ID="</span><span class="o">+</span><span class="n">id</span><span class="p">,</span> <span class="s">"GOCOUNT_ROOTFS="</span><span class="o">+</span><span class="n">rootdir</span><span class="p">,</span> <span class="p">)</span> <span class="n">command</span><span class="o">.</span><span class="n">SysProcAttr</span> <span class="o">=</span> <span class="o">&amp;</span><span class="n">syscall</span><span class="o">.</span><span class="n">SysProcAttr</span><span class="p">{</span> <span class="n">Cloneflags</span><span class="o">:</span> <span class="n">syscall</span><span class="o">.</span><span class="n">CLONE_NEWUTS</span> <span class="o">|</span> <span class="n">syscall</span><span class="o">.</span><span class="n">CLONE_NEWPID</span> <span class="o">|</span> <span class="n">syscall</span><span class="o">.</span><span class="n">CLONE_NEWNS</span> <span class="o">|</span> <span class="n">syscall</span><span class="o">.</span><span class="n">CLONE_NEWNET</span><span class="p">,</span> <span class="p">}</span> <span class="n">command</span><span class="o">.</span><span class="n">Start</span><span class="p">()</span> <span class="n">network</span><span class="o">.</span><span class="n">SetupVethPair</span><span class="p">(</span><span class="n">id</span><span class="p">,</span> <span class="n">command</span><span class="o">.</span><span class="n">Process</span><span class="o">.</span><span class="n">Pid</span><span class="p">)</span> <span class="c">// host-side networking</span> <span class="n">c</span> <span class="o">:=</span> <span class="o">&amp;</span><span class="n">container</span><span class="o">.</span><span class="n">Container</span><span class="p">{</span> <span class="n">ID</span><span class="o">:</span> <span class="n">id</span><span class="p">,</span> <span class="n">Pid</span><span class="o">:</span> <span class="n">command</span><span class="o">.</span><span class="n">Process</span><span class="o">.</span><span class="n">Pid</span><span class="p">,</span> <span class="n">Command</span><span class="o">:</span> <span class="n">args</span><span class="p">,</span> <span class="n">Status</span><span class="o">:</span> <span class="s">"running"</span><span class="p">,</span> <span class="n">RootFs</span><span class="o">:</span> <span class="n">rootdir</span><span class="p">,</span> <span class="n">Cgroup</span><span class="o">:</span> <span class="n">cgPath</span><span class="p">,</span> <span class="p">}</span> <span class="n">container</span><span class="o">.</span><span class="n">Containers</span><span class="p">[</span><span class="n">id</span><span class="p">]</span> <span class="o">=</span> <span class="n">c</span> <span class="n">container</span><span class="o">.</span><span class="n">SaveContainer</span><span class="p">(</span><span class="n">c</span><span class="p">)</span> <span class="n">command</span><span class="o">.</span><span class="n">Wait</span><span class="p">()</span> </code></pre> </div> <h2> Step 6: The <code>run</code> Command (Child Side) </h2> <p>When the child detects <code>GOCOUNT_CHILD=1</code> it calls <code>childSetup</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">func</span> <span class="n">childSetup</span><span class="p">(</span><span class="n">args</span> <span class="p">[]</span><span class="kt">string</span><span class="p">)</span> <span class="p">{</span> <span class="n">rootfsPath</span> <span class="o">:=</span> <span class="n">os</span><span class="o">.</span><span class="n">Getenv</span><span class="p">(</span><span class="s">"GOCOUNT_ROOTFS"</span><span class="p">)</span> <span class="n">containerID</span> <span class="o">:=</span> <span class="n">os</span><span class="o">.</span><span class="n">Getenv</span><span class="p">(</span><span class="s">"GOCOUNT_CONTAINER_ID"</span><span class="p">)</span> <span class="c">// Join the pre-created cgroup</span> <span class="n">cgPath</span> <span class="o">:=</span> <span class="n">filepath</span><span class="o">.</span><span class="n">Join</span><span class="p">(</span><span class="s">"/sys/fs/cgroup"</span><span class="p">,</span> <span class="s">"gocount"</span><span class="p">,</span> <span class="n">containerID</span><span class="p">)</span> <span class="n">cgroups</span><span class="o">.</span><span class="n">AddProc</span><span class="p">(</span><span class="n">cgPath</span><span class="p">,</span> <span class="n">os</span><span class="o">.</span><span class="n">Getpid</span><span class="p">())</span> <span class="c">// Switch to the isolated filesystem</span> <span class="n">container</span><span class="o">.</span><span class="n">SetupMount</span><span class="p">(</span><span class="n">rootfsPath</span><span class="p">)</span> <span class="c">// Set container hostname</span> <span class="n">syscall</span><span class="o">.</span><span class="n">Sethostname</span><span class="p">([]</span><span class="kt">byte</span><span class="p">(</span><span class="s">"gocount"</span><span class="p">))</span> <span class="c">// Wait up to 5s for the parent to wire the veth pair</span> <span class="k">for</span> <span class="n">i</span> <span class="o">:=</span> <span class="m">0</span><span class="p">;</span> <span class="n">i</span> <span class="o">&lt;</span> <span class="m">50</span><span class="p">;</span> <span class="n">i</span><span class="o">++</span> <span class="p">{</span> <span class="k">if</span> <span class="n">exec</span><span class="o">.</span><span class="n">Command</span><span class="p">(</span><span class="s">"ip"</span><span class="p">,</span> <span class="s">"link"</span><span class="p">,</span> <span class="s">"show"</span><span class="p">,</span> <span class="s">"eth0"</span><span class="p">)</span><span class="o">.</span><span class="n">Run</span><span class="p">()</span> <span class="o">==</span> <span class="no">nil</span> <span class="p">{</span> <span class="k">break</span> <span class="p">}</span> <span class="n">time</span><span class="o">.</span><span class="n">Sleep</span><span class="p">(</span><span class="m">100</span> <span class="o">*</span> <span class="n">time</span><span class="o">.</span><span class="n">Millisecond</span><span class="p">)</span> <span class="p">}</span> <span class="c">// Configure eth0 and default route</span> <span class="n">network</span><span class="o">.</span><span class="n">SetupNetworkInsideContainer</span><span class="p">()</span> <span class="c">// Replace this process with the user's command — it becomes PID 1</span> <span class="n">syscall</span><span class="o">.</span><span class="n">Exec</span><span class="p">(</span><span class="n">args</span><span class="p">[</span><span class="m">0</span><span class="p">],</span> <span class="n">args</span><span class="p">,</span> <span class="n">os</span><span class="o">.</span><span class="n">Environ</span><span class="p">())</span> <span class="p">}</span> </code></pre> </div> <p>The <code>syscall.Exec</code> call is critical. It replaces the Go runtime with the container's process so that the user's command is PID 1 inside the container.</p> <h2> Step 7: Filesystem Isolation with pivot_root </h2> <p><code>SetupMount</code> is called inside the child, after it enters the new mount namespace:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="c">// internal/container/mount.go</span> <span class="k">func</span> <span class="n">SetupMount</span><span class="p">(</span><span class="n">rootfs</span> <span class="kt">string</span><span class="p">)</span> <span class="kt">error</span> <span class="p">{</span> <span class="n">rootfs</span><span class="p">,</span> <span class="n">_</span> <span class="o">=</span> <span class="n">filepath</span><span class="o">.</span><span class="n">Abs</span><span class="p">(</span><span class="n">rootfs</span><span class="p">)</span> <span class="c">// Make the current mount tree private so host cannot see our changes</span> <span class="n">syscall</span><span class="o">.</span><span class="n">Mount</span><span class="p">(</span><span class="s">""</span><span class="p">,</span> <span class="s">"/"</span><span class="p">,</span> <span class="s">""</span><span class="p">,</span> <span class="n">syscall</span><span class="o">.</span><span class="n">MS_REC</span><span class="o">|</span><span class="n">syscall</span><span class="o">.</span><span class="n">MS_PRIVATE</span><span class="p">,</span> <span class="s">""</span><span class="p">)</span> <span class="c">// Bind mount rootfs onto itself (kernel requirement for pivot_root)</span> <span class="n">syscall</span><span class="o">.</span><span class="n">Mount</span><span class="p">(</span><span class="n">rootfs</span><span class="p">,</span> <span class="n">rootfs</span><span class="p">,</span> <span class="s">""</span><span class="p">,</span> <span class="n">syscall</span><span class="o">.</span><span class="n">MS_BIND</span><span class="o">|</span><span class="n">syscall</span><span class="o">.</span><span class="n">MS_REC</span><span class="p">,</span> <span class="s">""</span><span class="p">)</span> <span class="c">// Create a directory to receive the old root</span> <span class="n">putold</span> <span class="o">:=</span> <span class="n">filepath</span><span class="o">.</span><span class="n">Join</span><span class="p">(</span><span class="n">rootfs</span><span class="p">,</span> <span class="s">".pivot_root"</span><span class="p">)</span> <span class="n">os</span><span class="o">.</span><span class="n">MkdirAll</span><span class="p">(</span><span class="n">putold</span><span class="p">,</span> <span class="m">0700</span><span class="p">)</span> <span class="c">// Swap the root mount</span> <span class="n">syscall</span><span class="o">.</span><span class="n">PivotRoot</span><span class="p">(</span><span class="n">rootfs</span><span class="p">,</span> <span class="n">putold</span><span class="p">)</span> <span class="n">os</span><span class="o">.</span><span class="n">Chdir</span><span class="p">(</span><span class="s">"/"</span><span class="p">)</span> <span class="c">// Detach and remove the old root</span> <span class="n">syscall</span><span class="o">.</span><span class="n">Unmount</span><span class="p">(</span><span class="s">"/.pivot_root"</span><span class="p">,</span> <span class="n">syscall</span><span class="o">.</span><span class="n">MNT_DETACH</span><span class="p">)</span> <span class="n">os</span><span class="o">.</span><span class="n">RemoveAll</span><span class="p">(</span><span class="s">"/.pivot_root"</span><span class="p">)</span> <span class="c">// Mount essential virtual filesystems</span> <span class="n">syscall</span><span class="o">.</span><span class="n">Mount</span><span class="p">(</span><span class="s">"proc"</span><span class="p">,</span> <span class="s">"/proc"</span><span class="p">,</span> <span class="s">"proc"</span><span class="p">,</span> <span class="m">0</span><span class="p">,</span> <span class="s">""</span><span class="p">)</span> <span class="n">syscall</span><span class="o">.</span><span class="n">Mount</span><span class="p">(</span><span class="s">"sysfs"</span><span class="p">,</span> <span class="s">"/sys"</span><span class="p">,</span> <span class="s">"sysfs"</span><span class="p">,</span> <span class="m">0</span><span class="p">,</span> <span class="s">""</span><span class="p">)</span> <span class="n">syscall</span><span class="o">.</span><span class="n">Mount</span><span class="p">(</span><span class="s">"tmpfs"</span><span class="p">,</span> <span class="s">"/dev"</span><span class="p">,</span> <span class="s">"tmpfs"</span><span class="p">,</span> <span class="n">syscall</span><span class="o">.</span><span class="n">MS_NOSUID</span><span class="o">|</span><span class="n">syscall</span><span class="o">.</span><span class="n">MS_STRICTATIME</span><span class="p">,</span> <span class="s">"mode=755"</span><span class="p">)</span> <span class="n">createDeviceNodes</span><span class="p">()</span> <span class="c">// /dev/null, /dev/zero, /dev/urandom, etc.</span> <span class="n">setupDNS</span><span class="p">()</span> <span class="c">// write 8.8.8.8 to /etc/resolv.conf</span> <span class="k">return</span> <span class="no">nil</span> <span class="p">}</span> </code></pre> </div> <p>After <code>PivotRoot</code>, <code>/</code> is the Alpine rootfs. The host's <code>/home</code>, <code>/etc</code>, <code>/proc</code> — none of it is visible.</p> <h2> Step 8: Networking with veth Pairs </h2> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="c">// internal/network/network.go (host side)</span> <span class="k">func</span> <span class="n">SetupVethPair</span><span class="p">(</span><span class="n">containerID</span> <span class="kt">string</span><span class="p">,</span> <span class="n">pid</span> <span class="kt">int</span><span class="p">)</span> <span class="kt">error</span> <span class="p">{</span> <span class="n">hostIf</span> <span class="o">:=</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Sprintf</span><span class="p">(</span><span class="s">"veth-%s"</span><span class="p">,</span> <span class="n">containerID</span><span class="p">[</span><span class="o">:</span><span class="m">8</span><span class="p">])</span> <span class="c">// e.g. veth-a1b2c3d4</span> <span class="n">containerIf</span> <span class="o">:=</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Sprintf</span><span class="p">(</span><span class="s">"vethc-%s"</span><span class="p">,</span> <span class="n">containerID</span><span class="p">[</span><span class="o">:</span><span class="m">7</span><span class="p">])</span> <span class="c">// temporary name</span> <span class="c">// Create the pair</span> <span class="n">exec</span><span class="o">.</span><span class="n">Command</span><span class="p">(</span><span class="s">"ip"</span><span class="p">,</span> <span class="s">"link"</span><span class="p">,</span> <span class="s">"add"</span><span class="p">,</span> <span class="n">hostIf</span><span class="p">,</span> <span class="s">"type"</span><span class="p">,</span> <span class="s">"veth"</span><span class="p">,</span> <span class="s">"peer"</span><span class="p">,</span> <span class="s">"name"</span><span class="p">,</span> <span class="n">containerIf</span><span class="p">)</span><span class="o">.</span><span class="n">Run</span><span class="p">()</span> <span class="c">// Move one end into the container's network namespace</span> <span class="n">exec</span><span class="o">.</span><span class="n">Command</span><span class="p">(</span><span class="s">"ip"</span><span class="p">,</span> <span class="s">"link"</span><span class="p">,</span> <span class="s">"set"</span><span class="p">,</span> <span class="n">containerIf</span><span class="p">,</span> <span class="s">"netns"</span><span class="p">,</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Sprintf</span><span class="p">(</span><span class="s">"%d"</span><span class="p">,</span> <span class="n">pid</span><span class="p">))</span><span class="o">.</span><span class="n">Run</span><span class="p">()</span> <span class="c">// Rename to eth0 inside the container namespace</span> <span class="n">exec</span><span class="o">.</span><span class="n">Command</span><span class="p">(</span><span class="s">"nsenter"</span><span class="p">,</span> <span class="s">"-t"</span><span class="p">,</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Sprintf</span><span class="p">(</span><span class="s">"%d"</span><span class="p">,</span> <span class="n">pid</span><span class="p">),</span> <span class="s">"-n"</span><span class="p">,</span> <span class="s">"ip"</span><span class="p">,</span> <span class="s">"link"</span><span class="p">,</span> <span class="s">"set"</span><span class="p">,</span> <span class="n">containerIf</span><span class="p">,</span> <span class="s">"name"</span><span class="p">,</span> <span class="s">"eth0"</span><span class="p">)</span><span class="o">.</span><span class="n">Run</span><span class="p">()</span> <span class="c">// Bring up and address the host end</span> <span class="n">exec</span><span class="o">.</span><span class="n">Command</span><span class="p">(</span><span class="s">"ip"</span><span class="p">,</span> <span class="s">"link"</span><span class="p">,</span> <span class="s">"set"</span><span class="p">,</span> <span class="n">hostIf</span><span class="p">,</span> <span class="s">"up"</span><span class="p">)</span><span class="o">.</span><span class="n">Run</span><span class="p">()</span> <span class="n">exec</span><span class="o">.</span><span class="n">Command</span><span class="p">(</span><span class="s">"ip"</span><span class="p">,</span> <span class="s">"addr"</span><span class="p">,</span> <span class="s">"add"</span><span class="p">,</span> <span class="s">"10.0.0.1/24"</span><span class="p">,</span> <span class="s">"dev"</span><span class="p">,</span> <span class="n">hostIf</span><span class="p">)</span><span class="o">.</span><span class="n">Run</span><span class="p">()</span> <span class="n">EnableIPForwarding</span><span class="p">()</span> <span class="n">SetupNAT</span><span class="p">()</span> <span class="c">// iptables MASQUERADE for 10.0.0.0/24</span> <span class="k">return</span> <span class="no">nil</span> <span class="p">}</span> </code></pre> </div> <p>Inside the container, <code>SetupNetworkInsideContainer</code> mirrors this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="n">exec</span><span class="o">.</span><span class="n">Command</span><span class="p">(</span><span class="s">"ip"</span><span class="p">,</span> <span class="s">"link"</span><span class="p">,</span> <span class="s">"set"</span><span class="p">,</span> <span class="s">"lo"</span><span class="p">,</span> <span class="s">"up"</span><span class="p">)</span><span class="o">.</span><span class="n">Run</span><span class="p">()</span> <span class="n">exec</span><span class="o">.</span><span class="n">Command</span><span class="p">(</span><span class="s">"ip"</span><span class="p">,</span> <span class="s">"link"</span><span class="p">,</span> <span class="s">"set"</span><span class="p">,</span> <span class="s">"eth0"</span><span class="p">,</span> <span class="s">"up"</span><span class="p">)</span><span class="o">.</span><span class="n">Run</span><span class="p">()</span> <span class="n">exec</span><span class="o">.</span><span class="n">Command</span><span class="p">(</span><span class="s">"ip"</span><span class="p">,</span> <span class="s">"addr"</span><span class="p">,</span> <span class="s">"add"</span><span class="p">,</span> <span class="s">"10.0.0.2/24"</span><span class="p">,</span> <span class="s">"dev"</span><span class="p">,</span> <span class="s">"eth0"</span><span class="p">)</span><span class="o">.</span><span class="n">Run</span><span class="p">()</span> <span class="n">exec</span><span class="o">.</span><span class="n">Command</span><span class="p">(</span><span class="s">"ip"</span><span class="p">,</span> <span class="s">"route"</span><span class="p">,</span> <span class="s">"add"</span><span class="p">,</span> <span class="s">"default"</span><span class="p">,</span> <span class="s">"via"</span><span class="p">,</span> <span class="s">"10.0.0.1"</span><span class="p">)</span><span class="o">.</span><span class="n">Run</span><span class="p">()</span> </code></pre> </div> <p>The container's DNS is <code>8.8.8.8</code> (written by <code>setupDNS</code> into <code>/etc/resolv.conf</code> inside the new rootfs).</p> <h2> Step 9: Container Lifecycle Commands </h2> <h3> <code>ps</code> — list containers </h3> <p>Reads every <code>*.json</code> file from <code>/tmp/gocount/</code> and prints a table:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>CONTAINER ID PID STATUS COMMAND a1b2c3d4 12345 running [/bin/sh] </code></pre> </div> <h3> <code>stop</code> — send SIGKILL </h3> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="n">syscall</span><span class="o">.</span><span class="n">Kill</span><span class="p">(</span><span class="n">c</span><span class="o">.</span><span class="n">Pid</span><span class="p">,</span> <span class="n">syscall</span><span class="o">.</span><span class="n">SIGKILL</span><span class="p">)</span> <span class="n">c</span><span class="o">.</span><span class="n">Status</span> <span class="o">=</span> <span class="s">"stopped"</span> <span class="n">container</span><span class="o">.</span><span class="n">SaveContainer</span><span class="p">(</span><span class="n">c</span><span class="p">)</span> </code></pre> </div> <h3> <code>rm</code> — stop and remove metadata </h3> <p>Kills the process (if still running), removes the JSON file, and deletes it from the in-memory map.</p> <h3> <code>inspect</code> — detailed view </h3> <p>Shows PID, status, cgroup resource limits, memory usage, CPU time, and every namespace link:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Container Information: ID: ar9vb2mm Status: running PID: 57699 Command: [/bin/sh] RootFS: /tmp/gocount/ar9vb2mm/rootfs Cgroup: /sys/fs/cgroup/gocount/ar9vb2mm Process Status: Running: Yes State: S (sleeping) Resource Limits: Memory Limit: unlimited Memory Usage: 319488 bytes (312.00 KB) Memory Peak: 2838528 bytes (2.71 MB) CPU Quota: max/100000 (0.0%) CPU Time: 36.04ms Memory Events: Processes in Cgroup: 1 PID: 57699 Namespaces: cgroup: cgroup:[4026531835] ipc: ipc:[4026531839] mnt: mnt:[4026533179] net: net:[4026533458] pid: pid:[4026533456] pid_for_children: pid:[4026533456] time: time:[4026531834] time_for_children: time:[4026531834] user: user:[4026531837] uts: uts:[4026533455] </code></pre> </div> <p><code>isProcessRunning</code> sends <code>syscall.Signal(0)</code>, a no-op signal that returns an error only if the process doesn't exist:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">func</span> <span class="n">isProcessRunning</span><span class="p">(</span><span class="n">pid</span> <span class="kt">int</span><span class="p">)</span> <span class="kt">bool</span> <span class="p">{</span> <span class="n">process</span><span class="p">,</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">os</span><span class="o">.</span><span class="n">FindProcess</span><span class="p">(</span><span class="n">pid</span><span class="p">)</span> <span class="k">if</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="k">return</span> <span class="no">false</span> <span class="p">}</span> <span class="k">return</span> <span class="n">process</span><span class="o">.</span><span class="n">Signal</span><span class="p">(</span><span class="n">syscall</span><span class="o">.</span><span class="n">Signal</span><span class="p">(</span><span class="m">0</span><span class="p">))</span> <span class="o">==</span> <span class="no">nil</span> <span class="p">}</span> </code></pre> </div> <h2> Step 10: Build and Run </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Build</span> make build <span class="c"># Binary lands at bin/gocount</span> <span class="c"># Run an interactive Alpine shell</span> <span class="nb">sudo</span> ./bin/gocount run /bin/sh <span class="c"># Run with resource limits</span> <span class="nb">sudo</span> ./bin/gocount run <span class="nt">--memory</span> 100M <span class="nt">--cpu</span> <span class="s2">"50000 100000"</span> /bin/sh <span class="c"># In another terminal — list containers</span> <span class="nb">sudo</span> ./bin/gocount ps <span class="c"># Inspect</span> <span class="nb">sudo</span> ./bin/gocount inspect &lt;<span class="nb">id</span><span class="o">&gt;</span> <span class="c"># Stop</span> <span class="nb">sudo</span> ./bin/gocount stop &lt;<span class="nb">id</span><span class="o">&gt;</span> <span class="c"># Remove</span> <span class="nb">sudo</span> ./bin/gocount <span class="nb">rm</span> &lt;<span class="nb">id</span><span class="o">&gt;</span> </code></pre> </div> <h3> Testing the memory limit </h3> <p><code>test.py</code> allocates 1 MB per iteration. With a 50 MB limit you can watch it get OOM-killed:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>make test-memory <span class="c"># Copies test.py into the rootfs, then runs:</span> <span class="c"># sudo gocount run --memory 50M /usr/bin/python3 /test.py</span> </code></pre> </div> <p>Output:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Starting memory consumption... Allocated: 1 MB Allocated: 2 MB ... Allocated: 48 MB Allocated: 49 MB Killed </code></pre> </div> <p>The kernel's OOM killer fires the moment the cgroup's <code>memory.max</code> threshold is crossed and terminates the entire cgroup.</p> <h2> How It All Fits Together: End-to-End Walk-through </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span><span class="nb">sudo</span> ./bin/gocount run <span class="nt">--memory</span> 50M /bin/sh 1. GenerateID<span class="o">()</span> → <span class="s2">"a1b2c3d4"</span> 2. EnsureRootfs<span class="o">(</span>...<span class="o">)</span> → download Alpine <span class="k">if </span>missing 3. cgroups.Create<span class="o">(</span><span class="s2">"a1b2c3d4"</span><span class="o">)</span> → <span class="nb">mkdir</span> /sys/fs/cgroup/gocount/a1b2c3d4 4. SetMemoryLimit<span class="o">(</span>..., <span class="s2">"50M"</span><span class="o">)</span> → write 52428800 to memory.max 5. exec.Command<span class="o">(</span><span class="s2">"/proc/self/exe"</span>, <span class="s2">"run"</span>, <span class="s2">"/bin/sh"</span><span class="o">)</span> + <span class="nv">GOCOUNT_CHILD</span><span class="o">=</span>1 + CLONE_NEWUTS | CLONE_NEWPID | CLONE_NEWNS | CLONE_NEWNET 6. command.Start<span class="o">()</span> → child PID <span class="o">=</span> 12345 7. SetupVethPair<span class="o">(</span><span class="s2">"a1b2c3d4"</span>, 12345<span class="o">)</span> → ip <span class="nb">link </span>add veth-a1b2c3d4 <span class="nb">type </span>veth peer name vethc-a1b2c3 → ip <span class="nb">link set </span>vethc-a1b2c3 netns 12345 → nsenter <span class="nt">-t</span> 12345 <span class="nt">-n</span> ip <span class="nb">link set </span>vethc-a1b2c3 name eth0 → ip addr add 10.0.0.1/24 dev veth-a1b2c3d4 → iptables <span class="nt">-t</span> nat <span class="nt">-A</span> POSTROUTING <span class="nt">-s</span> 10.0.0.0/24 <span class="nt">-j</span> MASQUERADE 8. SaveContainer<span class="o">(</span>...<span class="o">)</span> → /tmp/gocount/a1b2c3d4.json <span class="nt">---</span> inside child <span class="o">(</span><span class="nv">GOCOUNT_CHILD</span><span class="o">=</span>1<span class="o">)</span> <span class="nt">---</span> 9. AddProc<span class="o">(</span>cgPath, getpid<span class="o">())</span> → write PID to cgroup.procs 10. SetupMount<span class="o">(</span>rootfsPath<span class="o">)</span> → pivot_root + mount /proc /sys /dev 11. Sethostname<span class="o">(</span><span class="s2">"gocount"</span><span class="o">)</span> 12. poll <span class="k">until </span>eth0 appears → up to 5 s 13. SetupNetworkInsideContainer<span class="o">()</span> → ip <span class="nb">link set </span>lo up → ip <span class="nb">link set </span>eth0 up → ip addr add 10.0.0.2/24 dev eth0 → ip route add default via 10.0.0.1 14. syscall.Exec<span class="o">(</span><span class="s2">"/bin/sh"</span>, ...<span class="o">)</span> → you are now <span class="k">in </span>the container </code></pre> </div> <h2> Key Bugs Fixed Along the Way </h2> <p>Building a container runtime means touching the kernel directly. A few subtle bugs appeared during development:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Bug</th> <th>Impact</th> <th>Fix</th> </tr> </thead> <tbody> <tr> <td>Duplicate <code>init()</code> in <code>inspect.go</code> </td> <td>Compile error</td> <td>Remove the second registration</td> </tr> <tr> <td><code>process.Signal(os.Signal(nil))</code></td> <td>Panic: nil interface type assertion</td> <td>Use <code>syscall.Signal(0)</code> </td> </tr> <tr> <td> <code>removeCmd</code> missing nil check</td> <td>Panic when container not found</td> <td>Guard <code>c == nil</code> before access</td> </tr> <tr> <td> <code>AddContainer</code> called after <code>Containers[id] = c</code> </td> <td>Overwrites <code>Cgroup</code> field with zero value</td> <td>Remove the redundant <code>AddContainer</code> call</td> </tr> <tr> <td>Zip-slip in <code>extractTar</code> </td> <td>Malicious tar writes outside rootfs</td> <td> <code>strings.HasPrefix</code> boundary check</td> </tr> <tr> <td> <code>startCmd</code> missing <code>CLONE_NEWNET</code> </td> <td>Container shares host network stack</td> <td>Add <code>CLONE_NEWNET</code> to clone flags</td> </tr> <tr> <td> <code>json.Unmarshal</code> errors ignored</td> <td>Corrupted JSON inserts zero-value container</td> <td>Explicit error check + <code>continue</code> </td> </tr> <tr> <td><code>rand.Seed(time.Now().UnixNano())</code></td> <td>Deprecated in Go 1.20+</td> <td>Removed: global source is auto-seeded</td> </tr> </tbody> </table></div> <h2> What's Missing (and How to Add It) </h2> <p>gocount is deliberately minimal. Here's what a production runtime adds on top:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Feature</th> <th>What to do</th> </tr> </thead> <tbody> <tr> <td> <strong>User namespace</strong> (<code>CLONE_NEWUSER</code>)</td> <td>Map container root to an unprivileged host UID — no more <code>sudo</code> </td> </tr> <tr> <td> <strong>IPC namespace</strong> (<code>CLONE_NEWIPC</code>)</td> <td>Isolate System V semaphores and POSIX message queues</td> </tr> <tr> <td><strong>Rootfs layers / overlay</strong></td> <td>Use <code>overlayfs</code> so containers share a read-only base and get a private writable layer</td> </tr> <tr> <td><strong>Container images</strong></td> <td>Pull from an OCI registry (skopeo / go-containerregistry)</td> </tr> <tr> <td><strong>seccomp filter</strong></td> <td>Block dangerous syscalls (<code>ptrace</code>, <code>mount</code>, <code>reboot</code>) using <code>libseccomp</code> </td> </tr> <tr> <td><strong>Capabilities drop</strong></td> <td>Use <code>AmbientCaps</code> + <code>CapDrop</code> in <code>SysProcAttr</code> to drop <code>CAP_NET_ADMIN</code> after setup</td> </tr> <tr> <td><strong>Port forwarding</strong></td> <td>Add iptables <code>DNAT</code> rules: host port to container IP:port</td> </tr> <tr> <td><strong>Persistent storage</strong></td> <td>Bind-mount host directories into the container before <code>pivot_root</code> </td> </tr> <tr> <td><strong>Multi-container networking</strong></td> <td>Replace individual veth pairs with a Linux bridge (like Docker's <code>docker0</code>)</td> </tr> </tbody> </table></div> <h2> Full Source </h2> <p>The complete source for gocount is structured exactly as shown above. The key files:</p> <ul> <li> <a href="//cmd/run.go"><strong><code>cmd/run.go</code></strong></a> — the parent/child split, namespace flags, cgroup wiring</li> <li> <a href="//internal/container/mount.go"><strong><code>internal/container/mount.go</code></strong></a> — <code>pivot_root</code> and essential mounts</li> <li> <a href="//internal/cgroups/cgroups.go"><strong><code>internal/cgroups/cgroups.go</code></strong></a> — cgroup v2 create, limit, add-proc</li> <li> <a href="//internal/network/network.go"><strong><code>internal/network/network.go</code></strong></a> — veth pair, IP forwarding, NAT</li> <li> <a href="//internal/rootfs/manager.go"><strong><code>internal/rootfs/manager.go</code></strong></a> — Alpine download and zip-slip-safe extraction</li> </ul> <p><em>gocount is ~600 lines of Go and it's a real container runtime. The kernel was doing all of this every time you typed <code>docker run</code>. Now you know exactly how.</em></p> containers docker go cli