A comprehensive guide to building Docker-like containers from scratch using only Linux tools like unshare, mount, and pivot_root. Explores how mount namespaces form the foundation of container isolation, while PID, cgroup, UTS, and network namespaces provide complementary functionality. Demonstrates step-by-step container creation including filesystem preparation, namespace isolation, pseudo filesystem setup (/proc, /dev, /sys), and security hardening. Also covers advanced topics like mount propagation, bind mounts, volumes, and explains why union filesystems aren't mandatory for containers.

31 min read time. From labs.iximiuz.com
Table of contents

- Prerequisites
- Visualizing the end result
- What exactly does Mount Namespace isolate?
- What the heck is Mount Propagation?
- A naive attempt to isolate container filesystem
- Preparing a complete container filesystem
- Creating a container from scratch (end-to-end example)
- Bonus: Sharing host files and folders with containers
- Bonus: Adding support for data volumes
- Where do union filesystems come into play?
- Summarizing
- Resources
- Practice
