GitHub - genuinetools/binctr: Fully static, unprivileged, self-contained, contai...
source link: https://github.com/genuinetools/binctr
README.md
binctr
Create fully static, including rootfs embedded, binaries that pop you directly into a container. Can be run by an unprivileged user.
Check out the blog post: blog.jessfraz.com/post/getting-towards-real-sandbox-containers.
This is based off a crazy idea from @crosbymichael who first embedded an image in a binary :D
HISTORY: This project used to use a POC fork of libcontainer until @cyphar got rootless containers into upstream! Woohoo! Check out the original thread on the mailing list.
Checking out this repo
```console
$ git clone git@github.com:genuinetools/binctr.git
```
Building
You will need libapparmor-dev and libseccomp-dev.

Most importantly you need userns in your kernel (CONFIG_USER_NS=y) or else this won't even work.
```console
# building the alpine example
$ make alpine
Static container created at: ./alpine

# building the busybox example
$ make busybox
Static container created at: ./busybox

# building the cl-k8s example
$ make cl-k8s
Static container created at: ./cl-k8s
```
Running
```console
$ ./alpine
$ ./busybox
$ ./cl-k8s
```
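Since the build and run steps above only work when the kernel allows unprivileged user namespaces, here is a preflight script to run before `make` (an added example, not part of the binctr repository). It checks CONFIG_USER_NS=y in the running kernel's config, the `user.max_user_namespaces` sysctl, and whether the current user can actually create a user namespace with `unshare -U -r`; the file name `binctr-preflight.sh` is assumed.

```shell
#!/bin/sh
# binctr-preflight.sh: can this host run a binctr binary as an unprivileged user?
# Added example; not part of the genuinetools/binctr repository.

# Return 0 if the kernel config text in file $1 enables user namespaces.
userns_in_config() {
    grep -qx 'CONFIG_USER_NS=y' "$1"
}
# Print the path of a plain-text copy of the running kernel's config, taken
# from /proc/config.gz if the kernel exposes it, else /boot/config-<release>.
find_kernel_config() {
    if [ -r /proc/config.gz ]; then
        zcat /proc/config.gz > "${TMPDIR:-/tmp}/kconfig.$$" && echo "${TMPDIR:-/tmp}/kconfig.$$"
    elif [ -r "/boot/config-$(uname -r)" ]; then
        echo "/boot/config-$(uname -r)"
    else
        return 1
    fi
}
# Return 0 if sysctl file $1 (user.max_user_namespaces) allows at least one
# namespace; an absent file means the kernel predates that limit (pre-4.9).
userns_limit_ok() {
    [ -r "$1" ] || return 0
    [ "$(cat "$1")" -gt 0 ]
}
# Return 0 if this user can create a user namespace and map itself to root
# inside it, which is what a binctr binary does at startup.
userns_runtime_ok() {
    unshare -U -r true 2>/dev/null
}
preflight() {
    rc=0
    if cfg=$(find_kernel_config); then
        userns_in_config "$cfg" && echo "ok: CONFIG_USER_NS=y ($cfg)" \
            || { echo "FAIL: CONFIG_USER_NS not enabled in $cfg"; rc=1; }
    else
        echo "warn: kernel config not found, relying on the runtime check only"
    fi
    userns_limit_ok /proc/sys/user/max_user_namespaces \
        && echo "ok: user.max_user_namespaces > 0" \
        || { echo "FAIL: user.max_user_namespaces is 0"; rc=1; }
    userns_runtime_ok && echo "ok: unshare -U -r works for $(id -un)" \
        || { echo "FAIL: cannot create an unprivileged user namespace"; rc=1; }
    return $rc
}
# Run the checks only when executed directly as binctr-preflight.sh, so the
# functions can also be sourced; a non-zero exit stops a CI step before make.
case "${0##*/}" in binctr-preflight.sh) preflight ;; esac
```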
Cool things
The binary spawned does NOT need to oversee the container process if you run in detached mode with a PID file. You can have it watched by the user mode systemd so that this binary is really just the launcher :)