What's in the box?

Docker run

Let’s say we have some basic Dockerfile describing an image running Ubuntu 20.04.

FROM ubuntu:20.04

We can build the image and give it a name.

docker build -t my_image .

Finally we can execute commands in a container based on our image.

docker run my_image echo "hello, world!"

Which prints “hello, world!” to the screen. Nice 🙂

Inside the container

But what does it mean to “run in a container”? Let’s open a shell inside of one and have a look.
Note that the docker run command simply spawns a new process on my MacBook.

❯ ps
    6486 ttys001    0:00.05 docker run -it docker_image /bin/sh

But if we attach to a shell running inside the container process, we get a very different view of the world.

❯ docker run -it docker_image /bin/sh
# ls
bin   dev  home  media	opt   root  sbin  sys  usr
boot  etc  lib	 mnt	proc  run   srv   tmp  var
# ps
  PID TTY          TIME CMD
    1 pts/0    00:00:00 sh
    8 pts/0    00:00:00 ps
# hostname
# whoami
# exit

We have our own hostname, process list, filesystem, etc. In other words the sub-process is isolated from the host system that created it.
This idea of isolated, lightweight processes running on one or many host machines is what allowed us to move into the cloud. I rely on containers eery time I ship my code to production.
It’s time to understand what allows containers to exist and be isolated from the host system.


Let’s try to re-create the behavior of docker containers ourselves! This C program uses clone to spawn a new sub-process. Clone is similar to fork, meaning it also creates a new process. But unlike clone it gives us more control over which resources we want to share with the child process.

#define _GNU_SOURCE 
#include <sched.h>

#include <stdio.h>
#include <stdlib.h>
#include <signal.h>

#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

int container(void *args)
    printf("PID seen from container: %d\n", getpid());


int main()
    pid_t p = clone(container, malloc(4096) + 4096, SIGCHLD, NULL);
    if (p == -1) {
    printf("PID seen from host system: %d\n", p);
    waitpid(p, NULL, 0);
    return 0;

We simply clone the current process and in the newly spawned sub-process we execute /bin/bash. Additionally, we write the PID of the main process as well as the sub-process. We can compile the program using gcc lonely_container.c and run it:

❯ ./lonely_container
PID seen from host system: 11775
PID seen from container: 11775
$ echo Hello, world!
Hello, world!
$ exit

PID independence

Note how both processes still share the same id:

PID seen from host system: 11775
PID seen from container: 11775

Let’s change that. When we have a look at the manpage for clone we see that the signature is

int clone(int (*fn)(void *), void *stack, int flags, void *arg, ...);

and there is one flag, called CLONE_NEWPID which states

If CLONE_NEWPID is set, then create the process in a new PID namespace.

So, let’s call clone like this:

int flags = CLONE_NEWPID;
pid_t p = clone(container, malloc(4096) + 4096, SIGCHLD|flags, NULL);

And we get:

PID seen from host system: 13342
PID seen from container: 1

Nice, we’re in our own namespace of processes. From the containers perspective, there’s only one process: itself and it has PID 1. But when we run ps to look at other processes we see many more processes.

    PID TTY          TIME CMD
   1038 tty2     00:03:22 Xorg
   1046 tty2     00:00:00 gnome-session-b
   2600 pts/0    00:00:00 zsh
   2610 pts/0    00:00:00 zsh
   2611 pts/0    00:00:00 zsh
   2613 pts/0    00:00:00 gitstatusd
   2972 pts/1    00:00:00 zsh
   3007 pts/1    00:00:00 zsh
   3008 pts/1    00:00:00 zsh
   3010 pts/1    00:00:00 gitstatusd
   7060 pts/2    00:00:00 zsh
   7068 pts/2    00:00:00 zsh
   7069 pts/2    00:00:00 zsh
   7071 pts/2    00:00:00 gitstatusd
  13114 pts/0    00:00:00 man
  13122 pts/0    00:00:00 less
  13617 pts/1    00:00:01 node
  13636 pts/1    00:00:00 npm exec hugo s
  13647 pts/1    00:00:00 hugo
  14022 pts/2    00:00:00 sudo
  14023 pts/2    00:00:00 lonely_containe

File system independence

The problem withg ps above is because ps reads the process list from /proc. Since our sub-process still shares the file system with the host process, we can see all the host-system processes inside the container.
Let’s change that. First, we create a directory container_root next to lonely_container.c. This will ben the root to the filesystem of our container /. We now add a new flag CLONE_NEWNS

    pid_t p = clone(container, malloc(4096) + 4096, SIGCHLD|flags, NULL);

which states

If CLONE_NEWNS is set, the cloned child is started in a new mount namespace

We change the container function to chroot into the new container_root before executing the shell and mount /proc in our new root filesystem

int container(void *args)
    printf("PID seen from container: %d\n", getpid());
    mount("proc", "/proc", "proc", 0, 0);
    return 0;

When we compile and run it, we can see that we have our own filesystem and no longer see the host system processes:

❯ ./lonely_container
PID seen from host system: 11775
PID seen from container: 1
$ ps -a
    PID TTY          TIME CMD
      1 pts/2    00:00:00 bash
      7 pts/2    00:00:00 ps
$ exit

Further independence

To try this yourself I suggest looking into the manpage for clone and checking out what other flags you can add and what other reources you might isolate. One example could be the hostname via CLONE_UTS.
The next step could be to isolate CPU and memory for the sub-process, and limiting it to a certain degree. To achieve this, we will have to look into a linux feature called control groups aka cgroups. Maybe in the next post!

so long

comments powered by Disqus