Signed-off-by: Jess Frazelle <acidburn@microsoft.com>
This commit is contained in:
Jess Frazelle 2018-03-19 22:31:34 -04:00
parent 0186c7808b
commit d3fbdd212e
3 changed files with 34 additions and 72 deletions


@ -1,6 +1,8 @@
--- ---
language: go language: go
sudo: false sudo: required
services:
- docker
notifications: notifications:
email: true email: true
go: go:


@ -12,6 +12,7 @@ BUILDTAGS := seccomp apparmor
BUILDDIR := ${PREFIX}/cross BUILDDIR := ${PREFIX}/cross
IMAGE := alpine IMAGE := alpine
IMAGE_DATA_FILE := image/data.go
# Populate version variables # Populate version variables
# Add to compile time flags # Add to compile time flags
@ -22,8 +23,8 @@ ifneq ($(GITUNTRACKEDCHANGES),)
GITCOMMIT := $(GITCOMMIT)-dirty GITCOMMIT := $(GITCOMMIT)-dirty
endif endif
CTIMEVAR=-X $(PKG)/version.GITCOMMIT=$(GITCOMMIT) -X $(PKG)/version.VERSION=$(VERSION) \ CTIMEVAR=-X $(PKG)/version.GITCOMMIT=$(GITCOMMIT) -X $(PKG)/version.VERSION=$(VERSION) \
-X main.IMAGE=$(notdir $(IMAGE)) \ -X $(PKG)/image.NAME=$(notdir $(IMAGE)) \
-X main.IMAGESHA=$(shell docker inspect --format "{{.Id}}" $(IMAGE)) -X $(PKG)/image.SHA=$(shell docker inspect --format "{{.Id}}" $(IMAGE))
GO_LDFLAGS=-ldflags "-w $(CTIMEVAR)" GO_LDFLAGS=-ldflags "-w $(CTIMEVAR)"
GO_LDFLAGS_STATIC=-ldflags "-w $(CTIMEVAR) -extldflags -static" GO_LDFLAGS_STATIC=-ldflags "-w $(CTIMEVAR) -extldflags -static"
@ -35,7 +36,7 @@ build: $(BUILDDIR)/$(notdir $(IMAGE)) ## Builds a static executable or package
$(BUILDDIR): $(BUILDDIR):
@mkdir -p $@ @mkdir -p $@
$(BUILDDIR)/$(notdir $(IMAGE)): $(BUILDDIR) image/data.go *.go VERSION.txt $(BUILDDIR)/$(notdir $(IMAGE)): $(BUILDDIR) $(IMAGE_DATA_FILE) *.go VERSION.txt
@echo "+ $@" @echo "+ $@"
CGO_ENABLED=1 go build \ CGO_ENABLED=1 go build \
-tags "$(BUILDTAGS) static_build" \ -tags "$(BUILDTAGS) static_build" \
@ -101,8 +102,8 @@ image.tar:
docker pull --disable-content-trust=false $(IMAGE) docker pull --disable-content-trust=false $(IMAGE)
docker export $(shell docker create $(IMAGE) sh) > $@ docker export $(shell docker create $(IMAGE) sh) > $@
.PHONY: image/data.go .PHONY: $(IMAGE_DATA_FILE)
image/data.go: image.tar $(IMAGE_DATA_FILE): image.tar
GOMAXPROCS=1 go generate GOMAXPROCS=1 go generate
.PHONY: clean .PHONY: clean
@ -112,7 +113,7 @@ clean: ## Cleanup any build binaries or packages
$(RM) -r $(BUILDDIR) $(RM) -r $(BUILDDIR)
@sudo $(RM) -r rootfs @sudo $(RM) -r rootfs
$(RM) *.tar $(RM) *.tar
$(RM) image/data.go $(RM) $(IMAGE_DATA_FILE)
-@docker rm $(shell docker ps -aq) /dev/null 2>&1 -@docker rm $(shell docker ps -aq) /dev/null 2>&1
.PHONY: help .PHONY: help
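Review bot: The `clean` recipe's `-@docker rm $(shell docker ps -aq) /dev/null 2>&1` removes every stopped container on the host, not only the ones this Makefile created, and because the `>` is missing `/dev/null` is passed to `docker rm` as a container name; the leading `-` and the `2>&1` then hide both problems. The containers it is sweeping up come from the `image.tar` recipe, where `docker export $(shell docker create $(IMAGE) sh) > $@` never removes the container it creates. Removing it at the point of creation, `cid=$$(docker create $(IMAGE) sh) && docker export $$cid > $@ && docker rm $$cid`, lets the blanket `docker rm` line in `clean` be dropped entirely. Separately, listing `$(IMAGE_DATA_FILE)` in `.PHONY` reruns `go generate` on every build while `image.tar` appears to have no prerequisites and so is only rebuilt when absent, so the `image.SHA` taken from a live `docker inspect` can describe a newer local image than the rootfs embedded from a stale `image.tar`; presumably `image.tar` should be refreshed whenever `$(IMAGE)` changes, or the README should say that `make clean` is required before rebuilding against a re-pulled image.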


@ -1,5 +1,7 @@
# binctr # binctr
[![Build Status](https://travis-ci.org/genuinetools/binctr.svg?branch=master)](https://travis-ci.org/genuinetools/binctr)
Create fully static, including rootfs embedded, binaries that pop you directly Create fully static, including rootfs embedded, binaries that pop you directly
into a container. **Can be run by an unprivileged user.** into a container. **Can be run by an unprivileged user.**
@ -8,17 +10,12 @@ Check out the blog post: [blog.jessfraz.com/post/getting-towards-real-sandbox-co
This is based off a crazy idea from [@crosbymichael](https://github.com/crosbymichael) This is based off a crazy idea from [@crosbymichael](https://github.com/crosbymichael)
who first embedded an image in a binary :D who first embedded an image in a binary :D
**NOTE** **HISTORY**
You may have noticed you can't file an issue. That's because this is using a crazy
person's (aka my) fork of libcontainer and until I get the patches into upstream
there's no way in hell I'm fielding issues from whoever is crazy enough to try this.
If you are interested, I have started a thread on the
[mailing list](https://groups.google.com/a/opencontainers.org/forum/#!topic/dev/yutVaSLcqWI)
with my proposed steps to make this a reality. Note, adding a `+1` is _not_ of any
value to anyone though.
This project used to use a POC fork of libcontainer until [@cyphar](https://github.com/cyphar)
got rootless containers into upstream! Woohoo!
Check out the original thread on the
[mailing list](https://groups.google.com/a/opencontainers.org/forum/#!topic/dev/yutVaSLcqWI).
**Nginx running with my user "jessie".** **Nginx running with my user "jessie".**
@ -27,21 +24,18 @@ value to anyone though.
### Building ### Building
This uses the new Golang vendoring so you need go 1.6 or You will need `libapparmor-dev` and `libseccomp-dev`.
`GO15VENDOREXPERIMENT=1` in your env.
You will also need `libapparmor-dev` and `libseccomp-dev`.
Most importantly you need userns in your kernel (`CONFIG_USER_NS=y`) Most importantly you need userns in your kernel (`CONFIG_USER_NS=y`)
or else this won't even work. or else this won't even work.
```console ```console
$ make static $ make build
Static container created at: ./bin/alpine Static container created at: ./bin/alpine
Run with ./bin/alpine Run with ./bin/alpine
# building a different base image # building a different base image
$ make static IMAGE=busybox $ make build IMAGE=busybox
Static container created at: ./bin/busybox Static container created at: ./bin/busybox
Run with ./bin/busybox Run with ./bin/busybox
``` ```
@ -53,40 +47,9 @@ $ ./alpine
$ ./busybox --read-only $ ./busybox --read-only
``` ```
### Running with custom commands & args
```console
# let's make an small web server binary
$ make static IMAGE=r.j3ss.co/hello
Static container created at: ./bin/hello
Run with ./bin/hello
$ ./bin/hello /hello
2016/04/18 04:59:25 Starting server on port: 8080
# But we have no networking! How can we reach it! Don't worry we can fix this
# Let's install my super cool binary for setting up networking in a container
$ go get github.com/jessfraz/netns
# now we can add this as a prestart hook
$ ./bin/hello --hook prestart:netns /hello
2016/04/18 04:59:25 Starting server on port: 8080
# let's get the ip file
$ cat .ip
172.19.0.10
# we can curl it
$ curl -sSL $(cat .ip):8080
Hello World!
Success!
```
### Usage ### Usage
```console ```console
$ ./bin/alpine -h
_ _ _ _ _ _
| |__ (_)_ __ ___| |_ _ __ | |__ (_)_ __ ___| |_ _ __
| '_ \| | '_ \ / __| __| '__| | '_ \| | '_ \ / __| __| '__|
@ -96,28 +59,28 @@ $ ./bin/alpine -h
Fully static, self-contained container including the rootfs Fully static, self-contained container including the rootfs
that can be run by an unprivileged user. that can be run by an unprivileged user.
Embedded Image: alpine - sha256:70c557e50ed630deed07cbb0dc4d28aa0f2a485cf7af124cc48f06bce83f784b Embedded Image: alpine - sha256:3fd9065eaf02feaf94d68376da52541925650b81698c53c6824d92ff63f98353
Version: 0.1.0 Version: 0.1.0
GitCommit: 13fcd27-dirty Build: 91b3ab5-dirty
-D run in debug mode -D run in debug mode
-console string -console-socket string
the pty slave path for use with the container path to an AF_UNIX socket which will receive a file descriptor referencing the master end of the console's pseudoterminal
-d detach from the container's process -d detach from the container's process
-hook value -hook value
Hooks to prefill into spec file. (ex. --hook prestart:netns) (default []) Hooks to prefill into spec file. (ex. --hook prestart:netns)
-id string -id string
container ID (default "nginx") container ID
-pid-file string -pid-file string
specify the file to write the process id to specify the file to write the process id to
-read-only -read-only
make container filesystem readonly make container filesystem readonly
-root string -root string
root directory of container state, should be tmpfs (default "/run/binctr") root directory of container state, should be tmpfs (default "/tmp/binctr")
-t allocate a tty for the container (default true) -t allocate a tty for the container (default true)
-v print version and exit (shorthand) -v print version and exit (shorthand)
-version -version
print version and exit print version and exit
``` ```
## Cool things ## Cool things
@ -125,7 +88,3 @@ $ ./bin/alpine -h
The binary spawned does NOT need to oversee the container process if you The binary spawned does NOT need to oversee the container process if you
run in detached mode with a PID file. You can have it watched by the user mode run in detached mode with a PID file. You can have it watched by the user mode
systemd so that this binary is really just the launcher :) systemd so that this binary is really just the launcher :)
## Caveats
- cgroups: coming soon