Rich Freeman <rich0@g.o> writes:

> If you have util-linux installed then try running (as any user - you
> don't have to be root): unshare -i -m -n -p -u -C -f --mount-proc -U
> -r /bin/bash
>
> Congrats. You are now root in a container. You're in the same root
> filesystem as always. You'll note that you can't actually see
> anything that you couldn't see before. If you run ps -ea you'll see
> that you're the only process running on the system. Devices like
> /dev/sda aren't actually accessible. A lot of container managers
> would mount a new /dev and just hide most of that stuff. You can
> probably imagine how something like this could be useful for isolating
> processes.

Just a side note, this seems to be the ultimate sandbox we (Gentoo and
portage) are after. With this, we might even be able to have portage
fully functional: a build is completely determined and only determined by
the dependencies and USE flags.
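As an added worked example (my own, not part of Rich's mail or of portage), here is the unshare command from the quoted mail wrapped in a small POSIX shell script that checks, from inside the namespaces, what the mail describes: the caller is uid 0, the shell is PID 1 of its own pid namespace, and the network namespace contains nothing but lo. It goes one step beyond the mail by also showing that a filesystem mounted by that "root" stays private to the sandbox and is gone for the host, which is the property a build sandbox relies on. The function names ns_sandbox, ns_probe and ns_mount_isolated are mine; the script assumes a util-linux unshare that accepts these flags and a kernel that permits unprivileged user namespaces (the stand-alone run at the bottom says so and stops if it does not).

```shell
# Wrapper around the unshare(1) invocation from the mail, with the command
# to run inside appended. -U (user namespace) together with -r maps the
# unprivileged caller to uid 0 inside, which is what makes the other
# namespace flags (-i -m -n -p -u -C) allowed without real root.
ns_sandbox() {
    unshare -i -m -n -p -u -C -f --mount-proc -U -r "$@"
}

# Report what the sandboxed shell sees, as one line "uid=.. pid=.. ifs=..":
#   uid - id -u inside the user namespace        (expect 0, from -U -r)
#   pid - the shell's own pid, $$                 (expect 1: -f forks it as
#         init of the new pid namespace, which is why ps -ea shows only it)
#   ifs - interfaces listed in /proc/net/dev      (expect 1: just lo)
# /proc/net resolves to /proc/self/net, so with --mount-proc it reflects
# the new network namespace without having to remount /sys.
ns_probe() {
    ns_sandbox sh -c '
        uid=$(id -u)
        pid=$$
        ifs=$(grep -c ":" /proc/net/dev)
        echo "uid=$uid pid=$pid ifs=$ifs"
    '
}

# Show that a mount made as "root" inside the sandbox is invisible outside,
# the same mechanism a container manager uses to put a fresh /dev in place.
# A scratch directory (constructed here with mktemp) gets a tmpfs mounted
# over it inside the sandbox and a marker file dropped on that tmpfs; back
# in the host mount namespace the marker must not exist.
# Prints "isolated", "leaked", or "error" if the inner mount failed.
ns_mount_isolated() {
    scratch=$(mktemp -d)
    if ns_sandbox sh -c "mount -t tmpfs tmpfs '$scratch' && touch '$scratch/marker'"; then
        if [ -e "$scratch/marker" ]; then
            echo leaked
        else
            echo isolated
        fi
    else
        echo error
    fi
    rmdir "$scratch"
}

# Stand-alone usage: first make sure this kernel/unshare combination lets
# an unprivileged user create the namespaces at all, then run both checks.
if ns_sandbox true 2>/dev/null; then
    ns_probe
    ns_mount_isolated
else
    echo "unshare with unprivileged user namespaces is not permitted here" >&2
fi
```

The probe deliberately reads $$ and /proc/net/dev rather than calling ps or ip, so it works in a minimal root filesystem; the only tools it needs are sh, id, grep, mount and the util-linux unshare itself. If the first ns_sandbox call fails, the usual causes are kernel.unprivileged_userns_clone=0, a seccomp profile that blocks unshare, or a /proc with masked sub-mounts, which makes --mount-proc fail in a user namespace.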