Okay, here’s my blog post about my “lightweight pots” experiment, written in a casual, personal style, and using simple HTML tags:
So, I’ve been messing around with this idea of making super lightweight containers, kinda like Docker but way, way simpler. I call them “pots” just because it sounded funny.
It all started because I was tired of how much overhead even a basic virtual machine has. I mean, sometimes you just want to run a little program in isolation, you know? You don’t need a whole separate operating system for that!
The First Baby Steps
First, I poked around with chroot. That’s a pretty old-school way to change the apparent root directory for a process. I did:
- I created a new directory:
mkdir my_little_pot. - I copied some basic stuff into it:
cp -r /bin /lib /lib64 /usr my_little_pot/. Just the bare minimum to run a shell. - Then, I chrooted into it:
sudo chroot my_little_pot /bin/bash.
Boom! I was in a new “root” environment. It felt kinda isolated, but it was still using the same kernel as my main system. Not really a separate container, but a start.
Getting Crafty with Namespaces
Then I discovered this thing called “namespaces.” Apparently, Linux has had these for a while, and they’re the magic behind Docker and stuff. It means that one computer have many “computer”, which is very funny.
I played with the unshare command. It’s like chroot’s cooler, younger brother. I tried this:
sudo unshare --mount --uts --ipc --net --pid --fork /bin/bash
Okay, what does all that mean? Well:
--mount: Gives my pot its own mount points. Like, its own /proc and stuff.--uts: A separate hostname. Purely cosmetic, but fun.--ipc: Isolated inter-process communication. So my pot’s processes can’t mess with processes outside.--net:It’s own network.--pid:The most important, my pot get its PID 1.--fork:Starts a forked bash.
Now, this felt more like a real container! I could run a program in there, and it wouldn’t even see the processes on my main system. It had its own little world.
Fiddling with cgroups (Control Groups)
The last piece of the puzzle was cgroups. These let you limit how much CPU, memory, etc., a group of processes can use.
I didn’t go too deep into this, but I did manage to create a cgroup and limit the CPU usage of my pot:
- I installed
cgroup-tools(because my system didn’t have them by default, what a pain!). - Made directory in /sys/fs/cgroup/cpu:
sudo mkdir /sys/fs/cgroup/cpu/my_pot_group - I set a CPU limit (I just picked a random small number):
sudo sh -c "echo 10000 > /sys/fs/cgroup/cpu/my_pot_group/*_quota_us" - I figured out the PID of a process running inside my pot.
- And I moved that PID into the cgroup:
sudo sh -c "echo [PID] > /sys/fs/cgroup/cpu/my_pot_group/tasks"
Now, my little pot couldn’t hog all my CPU, even if it tried. Neat!
Putting It All Together
I ended up with a little script that combines all these steps. It’s not fancy, and it’s definitely not as robust as Docker, but it’s mine. It lets me spin up a basic, isolated environment in seconds, and it’s perfect for testing little things without messing up my main system.
I might add some more features later, like networking isolation (that --net flag with unshare is a bit tricky). But for now, I’m pretty happy with my lightweight pots. They’re simple, they’re fast, and they do exactly what I need.
It’s not perfect at all, for more serious stuff, Docker is of course better. But for a quick and dirty solution that doesn’t have a big footprint? This works a charm. I like simple tools, and this one is definitely that.
