Building Containers from Scratch in Go (GitHub source code)
netns - network namespaces in Go (GitHub source code)
how to build a container from scratch
- Linux containers in 500 lines of code by Lizzie Dixon
- Building Containers from Scratch with Go by Liz Rice
- Building Containers from Scratch in Go by mugli
- Part 1: Linux Namespaces https://medium.com/@teddyking/linux-namespaces-850489d3ccf
- Part 2: Namespaces in Go - Basics https://medium.com/@teddyking/namespaces-in-go-basics-e3f0fc1ff69a
- Part 3: Namespaces in Go - User https://medium.com/@teddyking/namespaces-in-go-user-a54ef9476f2a
- Part 4: Namespaces in Go - reexec https://medium.com/@teddyking/namespaces-in-go-reexec-3d1295b91af8
- Part 5: Namespaces in Go - Mount https://medium.com/@teddyking/namespaces-in-go-mount-e4c04fe9fb29
- Part 6: Namespaces in Go - Network https://medium.com/@teddyking/namespaces-in-go-network-fdcf63e76100
- Part 7: Namespaces in Go - UTS https://medium.com/@teddyking/namespaces-in-go-uts-d47aebcdf00e
- Build Your Own Container Using Less than 100 Lines of Go by Julian Friedman
- Creating Your Own Containers
- Building Containers in Pure Bash and C
- HN: https://news.ycombinator.com/item?id=16734440
The original page can no longer be opened, so the Google cache copy is used below.
https://medium.com/@teddyking/linux-namespaces-850489d3ccf
Linux Namespaces
Ed King
Dec 10, 2016
Linux namespaces comprise some of the fundamental technologies behind most modern-day container implementations. At a high level, they allow for isolation of global system resources between independent processes. For example, the PID namespace isolates the process ID number space. This means that two processes running on the same host can have the same PID!
This level of isolation is clearly useful in the world of containers. Without namespaces, a process running in container A could, for example, unmount an important filesystem in container B, change the hostname of container C, or remove a network interface from container D. By namespacing these resources, the process in container A isn’t even aware that the processes in containers B, C and D exist.
It follows that you can’t interfere with something if it’s not visible to you. And that’s really what namespaces provide - a way to limit what a process can see, to make it appear as though it’s the only process running on a host.
Note that namespaces do not restrict access to physical resources such as CPU, memory and disk. That access is metered and restricted by a kernel feature called ‘cgroups’.
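As an added example (not from the article or from any of the linked series), the following Go program re-execs itself into new PID and UTS namespaces and reports the PID and PID-namespace inode each side sees, so the "two processes with the same PID" claim can be observed directly. It assumes Linux; the clone into new namespaces needs CAP_SYS_ADMIN (root), while the /proc-based namespace-inode check runs unprivileged and is how a defender verifies that two processes really are isolated from each other.

```go
package main

import (
	"fmt"
	"os"
	"os/exec"
	"strconv"
	"strings"
	"syscall"
)

// parseNSLink splits the target of a /proc/<pid>/ns/<type> symlink, e.g.
// "pid:[4026531836]", into the namespace type and its inode number. Two
// processes share a namespace exactly when these inodes are equal.
func parseNSLink(target string) (string, uint64, error) {
	i := strings.Index(target, ":[")
	if i < 0 || !strings.HasSuffix(target, "]") {
		return "", 0, fmt.Errorf("unexpected ns link %q", target)
	}
	ino, err := strconv.ParseUint(target[i+2:len(target)-1], 10, 64)
	if err != nil {
		return "", 0, err
	}
	return target[:i], ino, nil
}

// nsInode returns the inode of namespace nsType for /proc/<proc>, where proc
// is "self" or a PID as seen by the procfs mount (not the child's own view).
func nsInode(proc, nsType string) (uint64, error) {
	target, err := os.Readlink("/proc/" + proc + "/ns/" + nsType)
	if err != nil {
		return 0, err
	}
	_, ino, err := parseNSLink(target)
	return ino, err
}

func main() {
	if len(os.Args) > 1 && os.Args[1] == "child" {
		// Inside the new PID namespace this prints pid=1 even though the
		// host already has a PID 1: the isolation the article describes.
		ino, _ := nsInode("self", "pid")
		fmt.Printf("child:  pid=%d pid-ns inode=%d\n", os.Getpid(), ino)
		return
	}
	// Re-exec ourselves with new PID and UTS namespaces (needs CAP_SYS_ADMIN).
	cmd := exec.Command("/proc/self/exe", "child")
	cmd.Stdout, cmd.Stderr = os.Stdout, os.Stderr
	cmd.SysProcAttr = &syscall.SysProcAttr{Cloneflags: syscall.CLONE_NEWPID | syscall.CLONE_NEWUTS}
	if err := cmd.Run(); err != nil {
		fmt.Fprintln(os.Stderr, "clone failed (root on Linux required):", err)
		os.Exit(1)
	}
	ino, _ := nsInode("self", "pid")
	fmt.Printf("parent: pid=%d pid-ns inode=%d\n", os.Getpid(), ino)
}
```

The two inode values differ, which is the check to use when confirming that a workload actually runs in its own PID namespace rather than the host's.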