p8952 / bocker

Docker implemented in around 100 lines of bash
https://www.p8952.info/
GNU General Public License v3.0

Host isolation tested? #29

Open pwFoo opened 5 years ago

pwFoo commented 5 years ago

@p8952 @frohoff @tst2005 At the moment I have no host to test it...

Is it possible to manipulate the host from inside a bocker container, or is there isolation (by cgroup?! I haven't used it before...)

Simple unshare with chroot and proc mounted isn't isolated.

# Excerpt from bocker's run path: a cgroup carries the resource limits, then the
# command is started inside fresh namespaces under a chroot.
cgcreate -g "$cgroups:/$uuid"
: "${BOCKER_CPU_SHARE:=512}" && cgset -r cpu.shares="$BOCKER_CPU_SHARE" "$uuid"
: "${BOCKER_MEM_LIMIT:=512}" && cgset -r memory.limit_in_bytes="$((BOCKER_MEM_LIMIT * 1000000))" "$uuid"
# cgexec places the process in the cgroup (limits only), ip netns exec gives it
# the per-container network namespace, and unshare creates the others:
#   -f fork, -m mount, -u UTS, -i IPC, -p PID; --mount-proc mounts a fresh /proc.
# Not requested: a user namespace (-U), so uid 0 inside the chroot is the host's
# uid 0 and keeps its capabilities, and a cgroup namespace (-C).
cgexec -g "$cgroups:$uuid" \
    ip netns exec netns_"$uuid" \
    unshare -fmuip --mount-proc \
    chroot "$btrfs_path/$uuid" \
    /bin/sh -c "/bin/mount -t proc proc /proc && $cmd" \
    2>&1 | tee "$btrfs_path/$uuid/$uuid.log" || true
# Tear down the veth pair and the network namespace once the command exits.
ip link del dev veth0_"$uuid"
ip netns del netns_"$uuid"

If not, this, executed inside a container, will reboot the host.

# Enable all sysrq functions, then trigger "b": immediate reboot, no sync.
echo 1 > /proc/sys/kernel/sysrq
echo b > /proc/sysrq-trigger
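A non-destructive way to answer the question in this issue, added here as an example and not part of bocker or of either comment: a small probe to run inside the container as its root user. It reports whether the process sits in a user namespace (from /proc/self/uid_map), whether it still holds CAP_SYS_ADMIN and CAP_SYS_BOOT (from the CapEff mask in /proc/self/status; the bit numbers come from the kernel's capability.h), and whether the two sysrq files used above are writable, so nothing is rebooted. The script name probe.sh, the `run` argument and the helper names are assumptions for this example; only the /proc layout and the capability numbering are kernel facts.

```shell
#!/bin/sh
# Added example, not bocker's own code. Run inside a container as root:
#   sh probe.sh run
# Helper names, the "run" argument and the report wording are assumptions.

# Classify a /proc/<pid>/uid_map line. The identity map "0 0 4294967295" is
# the initial user namespace: uid 0 here is uid 0 on the host.
uid_map_kind() {
    # $1: contents of uid_map, e.g. "         0          0 4294967295"
    set -- $1
    if [ "$1" = 0 ] && [ "$2" = 0 ] && [ "$3" = 4294967295 ]; then
        echo host-root
    else
        echo userns
    fi
}

# Test one bit of a CapEff mask (hex digits as printed in /proc/self/status).
# CAP_SYS_ADMIN is bit 21, CAP_SYS_BOOT is bit 22 (linux/capability.h).
has_cap() {
    # $1: CapEff hex digits, $2: capability number
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# True when "echo b > sysrq-trigger" would reach the kernel: both files exist
# and are writable by the caller. A plain "mount -t proc" leaves them writable
# for a root that is host root; Docker bind-mounts /proc/sysrq-trigger
# read-only by default, so there the check fails.
sysrq_reachable() {
    # $1: proc mount point (defaults to /proc; parameterised so the check can
    # be pointed at a scratch directory)
    proc=${1:-/proc}
    [ -w "$proc/sys/kernel/sysrq" ] && [ -w "$proc/sysrq-trigger" ]
}

# Human-readable report for the current process.
probe() {
    kind=$(uid_map_kind "$(cat /proc/self/uid_map)")
    capeff=$(awk '/^CapEff:/ { print $2 }' /proc/self/status)
    echo "user namespace: $kind"
    echo "CapEff: 0x$capeff"
    for c in 21:CAP_SYS_ADMIN 22:CAP_SYS_BOOT; do
        has_cap "$capeff" "${c%%:*}" && echo "  holds ${c#*:}"
    done
    if sysrq_reachable; then
        echo "sysrq-trigger: WRITABLE - a sysrq 'b' from here reboots the host"
    else
        echo "sysrq-trigger: not writable from this process"
    fi
}

if [ "${1:-}" = run ]; then
    probe
fi
```

Inside a container started by the bocker command quoted above, the expected report is "host-root", both capabilities held, and sysrq-trigger writable, because unshare was given no -U and nothing drops capabilities; the same probe inside a default Docker container reports the sysrq files as not writable and CAP_SYS_ADMIN absent. The probe only reads; it never writes to sysrq.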
notpushkin commented 4 years ago

by cgroup?! haven't used it before...

cgroups are what LXC uses (and, if I understand correctly, Docker too in the default configuration) to provide isolation, so it's a matter of how exactly Bocker uses them, I guess.