| 1 |
Rich Freeman <rich0@g.o> writes: |
| 2 |
|
| 3 |
> If you have util-linux installed then try running (as any user - you |
| 4 |
> don't have to be root): unshare -i -m -n -p -u -C -f --mount-proc -U |
| 5 |
> -r /bin/bash |
| 6 |
> |
| 7 |
> Congrats. You are now root in a container. You're in the same root |
| 8 |
> filesystem as always. You'll note that you can't actually see |
| 9 |
> anything that you couldn't see before. If you run ps -ea you'll see |
| 10 |
> that you're the only process running on the system. Devices like |
| 11 |
> /dev/sda aren't actually accessible. A lot of container managers |
| 12 |
> would mount a new /dev and just hide most of that stuff. You can |
| 13 |
> probably imagine how something like this could be useful for isolating |
| 14 |
> processes. |
| 15 |
|
| 16 |
Just a side node, this seems to be the ultimate sandbox we (Gentoo and |
| 17 |
portage) are after. With this, we might even be able to have portage |
| 18 |
full functional: a build is completely determined and only determined by |
| 19 |
the dependencies and USE flags. |
Archives