# binctr

[![Build Status](https://travis-ci.org/genuinetools/binctr.svg?branch=master)](https://travis-ci.org/genuinetools/binctr)
[![Go Report Card](https://goreportcard.com/badge/github.com/genuinetools/binctr)](https://goreportcard.com/report/github.com/genuinetools/binctr)
[![GoDoc](https://godoc.org/github.com/genuinetools/binctr?status.svg)](https://godoc.org/github.com/genuinetools/binctr)

Create fully static binaries, with the rootfs embedded, that drop you directly
into a container. **Can be run by an unprivileged user.**

Check out the blog post: [blog.jessfraz.com/post/getting-towards-real-sandbox-containers](https://blog.jessfraz.com/post/getting-towards-real-sandbox-containers/).

This is based on a crazy idea from [@crosbymichael](https://github.com/crosbymichael),
who first embedded an image in a binary :D

**HISTORY**

This project used to use a proof-of-concept (POC) fork of libcontainer until [@cyphar](https://github.com/cyphar)
got rootless containers into upstream! Woohoo!
Check out the original thread on the
[mailing list](https://groups.google.com/a/opencontainers.org/forum/#!topic/dev/yutVaSLcqWI).

**Nginx running with my user "jessie".**

![nginx.png](nginx.png)

### Building

You will need `libapparmor-dev` and `libseccomp-dev`.

Most importantly, you need user namespaces enabled in your kernel (`CONFIG_USER_NS=y`),
or else this won't work at all.

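Because the kernel requirement above is the one thing that makes or breaks an unprivileged run, here is an added preflight script (not part of binctr, written for this page) that checks it before you build. Everything it reads is a standard kernel interface: the kernel config in `/proc/config.gz` or `/boot/config-<release>`, the `/proc/self/ns/user` entry the kernel only exposes when `CONFIG_USER_NS=y`, the `user.max_user_namespaces` sysctl, and the Debian/Ubuntu-only `kernel.unprivileged_userns_clone` sysctl, either of which can disable unprivileged namespaces even on a kernel that has them compiled in.

```shell
#!/bin/sh
# Added preflight check for binctr's CONFIG_USER_NS requirement; not part
# of binctr. Only standard kernel interfaces are consulted (see lead-in).

# userns_in_config FILE
# Returns 0 if FILE is a kernel config containing CONFIG_USER_NS=y, 1 if it
# is readable but lacks the option, 2 if it cannot be read. Handles the
# gzip-compressed /proc/config.gz form as well as plain /boot/config-*.
userns_in_config() {
    f="$1"
    [ -r "$f" ] || return 2
    case "$f" in
        *.gz) zcat "$f" 2>/dev/null ;;
        *)    cat "$f" ;;
    esac | grep -qx 'CONFIG_USER_NS=y'
}

# userns_compiled_in
# Returns 0 if any evidence shows the option is built in: a config file
# that says so, or the user-namespace entry under /proc/self/ns, which the
# kernel only creates when CONFIG_USER_NS=y (useful where no config ships).
userns_compiled_in() {
    for f in /proc/config.gz "/boot/config-$(uname -r)"; do
        userns_in_config "$f" && return 0
    done
    [ -e /proc/self/ns/user ]
}

# userns_runtime_ok
# Returns 0 unless a sysctl is set so that an unprivileged user cannot
# create a user namespace even though the option is compiled in.
userns_runtime_ok() {
    # Debian/Ubuntu kernels: 0 means only root may unshare a userns.
    if [ -r /proc/sys/kernel/unprivileged_userns_clone ]; then
        [ "$(cat /proc/sys/kernel/unprivileged_userns_clone)" = 1 ] || return 1
    fi
    # Mainline knob (4.9+): a limit of 0 disables creation for everyone.
    if [ -r /proc/sys/user/max_user_namespaces ]; then
        [ "$(cat /proc/sys/user/max_user_namespaces)" -gt 0 ] || return 1
    fi
    return 0
}

# userns_check: print a verdict; returns 0 only when binctr can work here.
userns_check() {
    if ! userns_compiled_in; then
        echo "CONFIG_USER_NS=y not found: binctr will not run on this kernel" >&2
        return 1
    fi
    if ! userns_runtime_ok; then
        echo "user namespaces are compiled in but disabled by sysctl" >&2
        return 1
    fi
    echo "user namespaces available"
}

# Status of the preflight for a calling wrapper: 0 means ready to build.
if userns_check; then preflight=0; else preflight=1; fi
```

Run it before `make build`; a non-zero `preflight` means the resulting binary would fail at the first `unshare`, whatever the build itself says.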
```console
$ make build
Static container created at: ./bin/alpine
Run with ./bin/alpine

# building a different base image
$ make build IMAGE=busybox
Static container created at: ./bin/busybox
Run with ./bin/busybox
```

### Running
```console
$ ./alpine
$ ./busybox --read-only
```
### Usage
```console
 _     _            _
| |__ (_)_ __   ___| |_ _ __
| '_ \| | '_ \ / __| __| '__|
| |_) | | | | | (__| |_| |
|_.__/|_|_| |_|\___|\__|_|

Fully static, self-contained container including the rootfs
that can be run by an unprivileged user.

Embedded Image: alpine - sha256:3fd9065eaf02feaf94d68376da52541925650b81698c53c6824d92ff63f98353

Version: 0.1.0
Build: 91b3ab5-dirty

  -D    run in debug mode
  -console-socket string
        path to an AF_UNIX socket which will receive a file descriptor referencing the master end of the console's pseudoterminal
  -d    detach from the container's process
  -hook value
        Hooks to prefill into spec file. (ex. --hook prestart:netns)
  -id string
        container ID
  -pid-file string
        specify the file to write the process id to
  -read-only
        make container filesystem readonly
  -root string
        root directory of container state, should be tmpfs (default "/tmp/binctr")
  -t    allocate a tty for the container (default true)
  -v    print version and exit (shorthand)
  -version
        print version and exit
```

## Cool things

The spawned binary does NOT need to oversee the container process if you
run in detached mode with a PID file. You can have it watched by the user-mode
systemd, so that this binary is really just the launcher :)
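As an added example of the launcher-only setup described above (written for this page, not part of binctr), the script below generates a systemd *user* unit that starts a binctr binary with `-d` and `-pid-file` and lets `systemd --user` supervise the container process. Everything beyond the flags shown in the usage text is an assumption: the binary path `$HOME/bin/alpine`, the unit name `binctr-<name>.service`, that the `-d` parent exits once the container is running (so systemd's `Type=forking` with `PIDFile=` applies), and that boolean flags take Go's `-t=false` form. The `-root` directory is placed under systemd's `%t` runtime-directory specifier, which resolves to `/run/user/<uid>` for user units and is tmpfs, as the `-root` flag description requires.

```shell
#!/bin/sh
# Added example, not part of binctr: write a systemd --user unit that runs a
# binctr binary detached with a PID file so systemd, not the launcher,
# supervises the container. See the lead-in for the assumptions made here.

# write_binctr_unit NAME BINARY UNITDIR
# Writes UNITDIR/binctr-NAME.service and prints its path.
write_binctr_unit() {
    name="$1"; bin="$2"; dir="$3"
    mkdir -p "$dir"
    unit="$dir/binctr-$name.service"
    # %t is systemd's runtime-directory specifier (/run/user/<uid> for user
    # units), which is tmpfs: binctr asks for -root to live on tmpfs.
    # Type=forking + PIDFile= assumes the -d launcher exits after the
    # container's process is up (assumption, see lead-in).
    cat > "$unit" <<EOF
[Unit]
Description=binctr container ($name)

[Service]
Type=forking
PIDFile=%t/binctr-$name.pid
ExecStart=$bin -d -t=false -read-only \\
    -id $name \\
    -root %t/binctr \\
    -pid-file %t/binctr-$name.pid
Restart=on-failure

[Install]
WantedBy=default.target
EOF
    echo "$unit"
}

# Without a running systemd --user session at hand, generate the unit into a
# scratch directory and show it; point UNITDIR at ~/.config/systemd/user to
# install it for real, then:
#   systemctl --user daemon-reload
#   systemctl --user enable --now binctr-alpine
UNITDIR="${UNITDIR:-$(mktemp -d)}"
unit=$(write_binctr_unit alpine "${HOME:-/root}/bin/alpine" "$UNITDIR")
cat "$unit"
```

`-t=false` matters here because the usage text defaults `-t` to true and a service has no terminal to hand out; `-read-only` is included so the supervised container cannot modify its embedded rootfs.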