genuinetools/binctr
Fully static, unprivileged, self-contained, containers as executable binaries.
repo name | genuinetools/binctr |
repo link | https://github.com/genuinetools/binctr |
homepage | https://blog.jessfraz.com/post/getting-towards-real-sandbox-containers/ |
language | Go |
size (curr.) | 30891 kB |
stars (curr.) | 2357 |
created | 2016-04-15 |
license | MIT License |
binctr
Create fully static, including rootfs embedded, binaries that pop you directly into a container. Can be run by an unprivileged user.
Check out the blog post: blog.jessfraz.com/post/getting-towards-real-sandbox-containers.
This is based off a crazy idea from @crosbymichael who first embedded an image in a binary :D
HISTORY: This project used to use a POC fork of libcontainer until @cyphar got rootless containers into upstream! Woohoo! Check out the original thread on the mailing list.
Table of Contents
Checking out this repo
$ git clone git@github.com:genuinetools/binctr.git
Building
You will need libapparmor-dev
and libseccomp-dev
.
Most importantly you need userns in your kernel (CONFIG_USER_NS=y
)
or else this won’t even work.
# building the alpine example
$ make alpine
Static container created at: ./alpine
# building the busybox example
$ make busybox
Static container created at: ./busybox
# building the cl-k8s example
$ make cl-k8s
Static container created at: ./cl-k8s
Running
$ ./alpine
$ ./busybox
$ ./cl-k8s
Cool things
The binary spawned does NOT need to oversee the container process if you run in detached mode with a PID file. You can have it watched by the user mode systemd so that this binary is really just the launcher :)