Seven days to write a docker with go (the first day)

Time:2021-2-3

1. Detailed explanation of docker

Many people feel very magical when they first contact docker. They feel that this technology is very novel. In fact, it’s not the case. The technologies used by docker have existed before. It’s just that old wine has been replaced with new bottles. In short, the nature of docker is a problemSpecial processThis process is special when it is usedNamespaceandCgroupTechnology makes the decoration,NamespaceThe process is isolated from the Linux system, so that the process is in a virtual sandboxCgroupA series of resource constraints are made to the process, and a sandbox environment is simulated by combining the two.

2. Namespace

Linux provides six kinds of thread isolation mechanismsuts pid user mount network ipcTheir functions are as follows:

  • UTS: used to isolate the host name
  • PID: used to isolate the PID number of a process
  • User: used to isolate users
  • Mount: used to isolate the mount point view seen by each process
  • Network: used to isolate the network
  • IPC: used to isolate system V IPC and POSIX message queues

3. Environment configuration

Because we write code in windows, then compile the code and put it into Linux for execution, we need to change our GoLand environment, because in different environments, go imports different files. If our environment uses windows, then use goos/execPackage, the imported will beexec_windows.go, and if our environment is Linux, it will be importedexec_linux.goFile, because only Linux will provide this isolation parameter when creating a process, so we need to change the environment to Linux.

Seven days to write a docker with go (the first day)

4. Go implements process isolation

4.1 isolated UTS

package main

import (
    "log"
    "os"
    "os/exec"
    "syscall"
)
func main() {
    cmd := exec.Command("sh")
    cmd.SysProcAttr = &syscall.SysProcAttr{
        Cloneflags: syscall.CLONE_NEWUTS,
    }
    cmd.Stdin = os.Stdin
    cmd.Stdout = os.Stdout
    cmd.Stderr = os.Stderr

    if err := cmd.Run(); err != nil {
        log.Fatal(err)
    }
}

Let’s compile it and test it in Linux. We need to compile it in Windows firstGOOSChange toLinuxAnd then executego buildThe compilation script is as follows

SET CGO_ENABLED=0
SET GOOS=linux
SET GOARCH=amd64
go build main.go

Seven days to write a docker with go (the first day)
Seven days to write a docker with go (the first day)

takemainRun in Linux environment, here I useCentos

4.2 test whether the host name can be isolated

  1. Add executable permissions to the main file
    chmod +x main
  2. View current host name
    Seven days to write a docker with go (the first day)
  3. Execute the main file
    ./main

    Seven days to write a docker with go (the first day)

  4. Modify host name
    Host name - b new host name

    Seven days to write a docker with go (the first day)
    Looking at the host name again, we see that the host name has been changed totestIt’s over
    Seven days to write a docker with go (the first day)

  5. Exit the shell and check the host name again
    Seven days to write a docker with go (the first day)

    At this time, we found that the external host name has not been changed, indicating that the process successfully changed its ownhostnameWith externalhostnameIt’s isolated. It also proves that we useuts namespacesucceed.

4.2 other isolation

We want that kind of isolation of this process, just in theCloneflagsAdd parameters to the

package main

import (
    "log"
    "os"
    "os/exec"
    "syscall"
)

func main() {
    cmd := exec.Command("sh")
    cmd.SysProcAttr = &syscall.SysProcAttr{
        //Isolate UTS, IPC, PID, mount, user, network
        Cloneflags: syscall.CLONE_NEWUTS |
            syscall.CLONE_NEWIPC |
            syscall.CLONE_NEWPID |
            syscall.CLONE_NEWNS |
            syscall.CLONE_NEWUSER |
            syscall.CLONE_NEWNET,
        //Set the uid and GID of the container
        UidMappings: []syscall.SysProcIDMap{
            {
                //The uid of the container
                ContainerID: 1,
                //Uid of host
                HostID: 0,
                Size:   1,
            },
        },
        GidMappings: []syscall.SysProcIDMap{
            {
                //GID of container
                ContainerID: 1,
                //GID of host
                HostID: 0,
                Size:   1,
            },
        },
    }
    cmd.Stdin = os.Stdin
    cmd.Stdout = os.Stdout
    cmd.Stderr = os.Stderr

    if err := cmd.Run(); err != nil {
        log.Fatal(err)
    }
}

The article will start on my WeChat official account, scan code attention, and get the latest content in time.

Seven days to write a docker with go (the first day)

This work adoptsCC agreementReprint must indicate the author and the link of this article

Recommended Today

Document the third-party framework you use

BackgroundLibrary: generate shape from label implementation “androidx.appcompat:appcompat:$supportVersion” //for androidx implementation ‘com.noober.background:core:1.6.5’ MagicIndicator: indicator repositories { … maven { url “https://jitpack.io” } } implementation ‘com.github.hackware1993:MagicIndicator:1.7.0’ // for androidx AnyLayer: floating floor (pop up) allprojects { repositories { maven { url ‘https://www.jitpack.io’ } } } implementation ‘com.github.goweii:AnyLayer:3.6.0-androidx’ androidautosize: screen adaptation scheme `implementation ‘me.jessyan:autosize:1.2.1’` glide: image loading implementation […]