Jess Frazelle 1f926d9a72 add examples
Signed-off-by: Jess Frazelle <acidburn@microsoft.com>
2018-03-20 01:56:53 -04:00

binctr


Create fully static binaries, with the rootfs embedded, that pop you directly into a container. They can be run by an unprivileged user.

Check out the blog post: blog.jessfraz.com/post/getting-towards-real-sandbox-containers.

This is based off a crazy idea from @crosbymichael who first embedded an image in a binary :D

HISTORY: This project used to use a POC fork of libcontainer until @cyphar got rootless containers into upstream! Woohoo! Check out the original thread on the mailing list.

Building

You will need libapparmor-dev and libseccomp-dev.

Most importantly you need userns in your kernel (CONFIG_USER_NS=y) or else this won't even work.
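
A preflight check for the user-namespace requirement above, as an added example that is not part of binctr. The function names are hypothetical, and the script assumes the kernel config is at /boot/config-$(uname -r) or /proc/config.gz; kernel.unprivileged_userns_clone is a Debian/Ubuntu-specific knob and is treated as absent elsewhere.

```shell
#!/bin/sh
# Preflight for rootless containers (added example; function names are hypothetical).

# Return 0 if kernel config file $1 (plain or .gz) has CONFIG_USER_NS=y,
# 1 if it does not, 2 if the file cannot be read (result unknown).
config_has_userns() {
    cfg="$1"
    [ -r "$cfg" ] || return 2
    case "$cfg" in
        *.gz) gzip -dc "$cfg" ;;
        *)    cat "$cfg" ;;
    esac | grep -q '^CONFIG_USER_NS=y$'
}

# Return 0 if sysctl file $1 holds an integer greater than zero.
# A missing file returns 0: the knob does not exist on this kernel or
# distro, so it cannot be what blocks unprivileged user namespaces.
sysctl_allows() {
    f="$1"
    [ -e "$f" ] || return 0
    v=$(cat "$f" 2>/dev/null) || return 1
    case "$v" in ''|*[!0-9]*) return 1 ;; esac
    [ "$v" -gt 0 ]
}

# userns_preflight CONFIG MAX_USERNS_FILE USERNS_CLONE_FILE
# Prints one line per finding; returns 0 only if nothing blocks userns.
userns_preflight() {
    rc=0
    if config_has_userns "$1"; then
        echo "ok: CONFIG_USER_NS=y in $1"
    elif [ $? -eq 1 ]; then
        echo "FAIL: CONFIG_USER_NS=y not set in $1"; rc=1
    else
        echo "skip: cannot read $1"
    fi
    sysctl_allows "$2" || { echo "FAIL: $2 is 0 or unreadable"; rc=1; }
    sysctl_allows "$3" || { echo "FAIL: $3 is 0 or unreadable"; rc=1; }
    return $rc
}

# Check the live system only when asked: sh userns-check.sh --run
if [ "${1:-}" = "--run" ]; then
    kcfg=/boot/config-$(uname -r)
    [ -r "$kcfg" ] || kcfg=/proc/config.gz
    userns_preflight "$kcfg" /proc/sys/user/max_user_namespaces \
        /proc/sys/kernel/unprivileged_userns_clone
fi
```

A value of 0 in either sysctl file means the kernel was built with user namespaces but an administrator has disabled them for unprivileged users.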

# building the alpine example
$ make alpine
Static container created at: ./alpine

# building the busybox example
$ make busybox
Static container created at: ./busybox

Running

$ ./alpine
$ ./busybox

Cool things

The binary spawned does NOT need to oversee the container process if you run in detached mode with a PID file. You can have it watched by the user mode systemd so that this binary is really just the launcher :)