Controlled Environments - what are they?

Owned by Selvyn Wright
Last updated: Jun 06, 2019
3 min read

An Anology

From a Linux workstation enter the following commands

ldd /bin/bash

ldd /bin/ls

You will see that there are some shared files such as libdl.so and libc.so

We can create a jailed environment to get a better understanding of what a container actually is.  

If we are going to deploy these two applications to their own containers, we must only supply a limited set of the resources that they need to run.  We don't need to deploy libtinfo.so for the ls command.

Look carefully at the output from ldd /bin/bash, you will see that the shared files are located in two directories

  • /lib/x86_64-linux-gnu
  • /lib64

In your home folder create a folder called jail

In the jail folder create the subfolders for bash dependencies shown above.  Now copy bash and its dependencies into the jail subfolders.  So you should have created the following

Navigate into the jail folder using this command chroot ./jail/ /bash.  Then execute the ls command - it will fail

The ls command fails because we created an environment only suitable for the bash command.  This is an example what containerisation provides.

info

This is not a perfect model because certain systems commands are still available that reveal more than we need to know in this jail.  E.g. set, and ipcs both work, giving us glimpses into the outer environment.

To prove that is a contained environment only suitable for bash, exit out of this jail by typing exit.

Copy the ls command into the jail folder using cp /bin/ls ./jail

Enter back into the jail using chroot ./jail/ /bash.  Execute ls as follows ./ls - again it will fail but this time you should receive an error indicating that a shared file is missing.

See what happens if you copy the tree command into the jail.  Before doing so, ldd /bin/tree to see if there are any other libraries that should added to the jail also.

Privileges

we should also be aware that processes may execute in kernel mode with elevated privileges.  An example of this might be where a process acts as a privileged user and then has access to to privileged ports (those below 1024), or the process has access to certain kernel facilities such as the ability to create device such as a block device (found in /dev), these can be created by simply knowing their major and minor device number and the device type (it would do this through the mknode command), meaning that the process could access the hardware of the system.  we must be able to disable this in  contained environment.

You would use the capabilities command to control such behaviour.

You could also cgroups to control hardware restrictions.

Docker images are isolated from each other using

  • Namespaces
  • CGroups
  • SELinux