Day 1 Task: Build a Basic Isolated Shell

Goal:
Start a real shell process isolated into its own namespaces,
limited by a cgroup that restricts CPU usage.


Step 1 — Create a new isolated shell

On your lab machine:

    sudo unshare --fork --pid --uts --mount --ipc --net --mount-proc bash

You are now inside an isolated shell! 🎯

Check isolation:

  • Set a different hostname:

        hostname mycontainer

  • Check ps aux → only processes inside your namespace.

  • ip a → your network is empty (no IP assigned).


Step 2 — Create a CPU-limiting cgroup

Still inside your host shell (outside the unshared one):

    sudo mkdir /sys/fs/cgroup/cpu/mytestcgroup
    echo 50000 | sudo tee /sys/fs/cgroup/cpu/mytestcgroup/cpu.cfs_quota_us
    echo $$ | sudo tee /sys/fs/cgroup/cpu/mytestcgroup/cgroup.procs

What this does:

  • Creates a cgroup called mytestcgroup.

  • Limits CPU usage to 50% of one core (a 50000 microsecond quota per 100000 microsecond period).

  • Moves your shell process into that CPU-restricted cgroup ($$ expands to the PID of the shell you run the command in; anything that shell starts afterwards inherits the cgroup).


Step 3 — Stress test CPU usage

Inside the isolated shell, launch a CPU burner:

    yes > /dev/null

Open another terminal, run:

    htop

Look at the CPU usage: it should stay capped below a full core, even though the process is trying to use as much CPU as it can.

If you see that CPU is limited → you nailed basic container tech manually.
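To check that Steps 1 to 3 actually took effect rather than eyeballing htop, here is an added set of shell helpers (not part of the original exercise): they count namespaces that differ between two PIDs, read a process's cpu cgroup, convert a quota/period pair into the share of a core it allows, and pull nr_throttled from cpu.stat. They assume Linux with /proc and the cgroup v1 layout the exercise uses; on cgroup v2 the same data sits under /sys/fs/cgroup/<name> (cpu.max) instead.

```shell
#!/usr/bin/env bash
# Added verification helpers for the Day 1 exercise (not part of the original text).
# Assumes Linux with /proc and the cgroup v1 layout used above
# (/sys/fs/cgroup/cpu/<name>); on cgroup v2 the files live in /sys/fs/cgroup/<name>.

# Count how many namespace types differ between two PIDs.
# 0 means the two processes share every namespace checked (no isolation between them).
ns_diff_count() {
  local a="$1" b="$2" n=0 ns
  for ns in pid uts mnt ipc net; do
    if [ "$(readlink "/proc/$a/ns/$ns")" != "$(readlink "/proc/$b/ns/$ns")" ]; then
      n=$((n + 1))
    fi
  done
  echo "$n"
}

# Extract the cpu cgroup path from a /proc/<pid>/cgroup file (path given as $1).
# v1 lines look like "4:cpu,cpuacct:/mytestcgroup"; the unified v2 line is "0::/path".
cpu_cgroup_path() {
  awk -F: '("," $2 ",") ~ /,cpu,/ || $1 == "0" { print $3; exit }' "$1"
}

# Convenience wrapper: which cpu cgroup is this PID in?
cgroup_of() {
  cpu_cgroup_path "/proc/$1/cgroup"
}

# Turn a CFS quota/period pair (microseconds) into the percentage of one core it allows.
# A quota of -1 means unlimited.
cpu_share_pct() {
  local quota="$1" period="$2"
  if [ "$quota" -lt 0 ]; then
    echo unlimited
    return
  fi
  echo $((quota * 100 / period))
}

# Read nr_throttled from cpu.stat text on stdin; a non-zero value proves the limit bit.
throttled_periods() {
  awk '$1 == "nr_throttled" { print $2 }'
}

# Example run against the cgroup from Step 2 (it must exist first):
#   cgroup_of "$$"
#   cpu_share_pct "$(cat /sys/fs/cgroup/cpu/mytestcgroup/cpu.cfs_quota_us)" \
#                 "$(cat /sys/fs/cgroup/cpu/mytestcgroup/cpu.cfs_period_us)"
#   throttled_periods < /sys/fs/cgroup/cpu/mytestcgroup/cpu.stat
```

Run ns_diff_count with the PID of the unshared shell and the PID of a host shell: anything below 5 means one of the namespaces from Step 1 was not actually separated.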


Extra (optional)

  • Try creating a network namespace with a private IP.

  • Mount a minimal filesystem.

  • Launch a small daemon (like nginx or sshd) inside.

But don’t overcomplicate Day 1 — focus on feeling the isolation and the resource limits.


Summary after this exercise:

  • You created real Linux isolation (namespaces + cgroups).

  • Without Docker, without Kubernetes, just Linux and your own commands.

  • 100% real-world knowledge, production-level foundation.