#container #process #linux #namespaces #docker #file-descriptor

unshare_petbox

The low-level interface for Linux namespaces (containers), for use with petbox

1 unstable release

0.7.1 Jul 11, 2023

#70 in #file-descriptor


Used in petbox

MPL-2.0 license

95KB
2K SLoC

Rust Unshare

This is a bundled version of unshare.


Unshare is a low-level library to create linux containers.

It contains the following:

  • Process creation interface similar to std::process::Command
  • Unsharing arbitrary Linux namespaces
  • Ability to change root (chroot/pivot_root), uid, gid, gid_map
  • Some signal mask handling (especially for new processes)
  • Forwarding file descriptors and other unixy stuff (sessions, terminals)
  • Setting a few important prctl flags (PR_SET_PDEATHSIG)
  • Runs both as the root user and as an unprivileged user

Not implemented yet:

  • Fine grained capabilities control (currently you may change user or use user namespaces)

The following is considered:

  • Capturing input (it should be, since it is part of the std::process interface)
  • Pseudo-tty creation for the child
  • The unshare and setns calls

The following is out of scope:

  • mounting file systems
  • setting up networking
  • in-container and out-of-container supervision
  • handling child signals

Dependencies

~1.5MB
~37K SLoC