Unprivileged containers: some code

The previous article was messy from a code point of view, so before going on to the other namespaces let's get something a little more useful. There is nothing new about containers, so you can skip this, but future episodes of this series will be based on this code.

Previously we used the unshare call, which detaches the current process from its existing namespace and attaches it to a new one. However, for the rest of the series we are going to use the clone call. This creates a new process and places it in the new namespace(s) all at once. The parent process is then able to set up the user and group mappings and tell the child process when this has been completed. As we found out previously, it is necessary to wait for the user/group mappings to be set up before executing a new process in …


Exploring unprivileged containers

This series of articles will explore creating unprivileged containers on Linux using Python and shell commands, for ease of experimenting.

A container is something you construct using various system facilities, such as Linux namespaces, to isolate a process or a group of processes from the rest of the system. This isolation can be partial or almost complete, giving the illusion of a separate machine.

A fairly recent distribution will be required to do everything that will be demonstrated here. This series of articles was prepared on a Fedora 24 distribution which has a 4.7 kernel at the time of writing.

The user namespace

A user namespace isolates user and group IDs, the root directory and other security-related capabilities. There is a top-level user namespace, and new child namespaces can be created. The user IDs and privileges can be different inside and outside the new namespace. In particular …
