Create fully static, including rootfs embedded, binaries that pop you directly into a container. Can be run by an unprivileged user.
Check out the blog post: blog.jessfraz.com/post/getting-towards-real-sandbox-containers.
This is based off a crazy idea from @crosbymichael who first embedded an image in a binary :D
NOTE
You may have noticed you can't file an issue. That's because this is using a crazy person's (aka my) fork of libcontainer and until I get the patches into upstream there's no way in hell I'm fielding issues from whoever is crazy enough to try this.
If you are interested, I have started a thread on the
mailing list
with my proposed steps to make this a reality. Note, adding a +1 is not of any
value to anyone though.
Nginx running with my user "jessie".
This uses the new Golang vendoring so you need go 1.6 or
GO15VENDOREXPERIMENT=1 in your env.
You will also need libapparmor-dev and libseccomp-dev.
Most importantly you need userns in your kernel (CONFIG_USER_NS=y)
or else this won't even work.
$ make static
Static container created at: ./bin/alpine
Run with ./bin/alpine
# building a different base image
$ make static IMAGE=busybox
Static container created at: ./bin/busybox
Run with ./bin/busybox$ ./alpine
$ ./busybox --read-only# let's make an small web server binary
$ make static IMAGE=r.j3ss.co/hello
Static container created at: ./bin/hello
Run with ./bin/hello
$ ./bin/hello /hello
2016/04/18 04:59:25 Starting server on port: 8080
# But we have no networking! How can we reach it! Don't worry we can fix this
# Let's install my super cool binary for setting up networking in a container
$ go get github.com/jfrazelle/netns
# now we can add this as a prestart hook
$ ./bin/hello --hook prestart:netns /hello
2016/04/18 04:59:25 Starting server on port: 8080
# let's get the ip file
$ cat .ip
172.19.0.10
# we can curl it
$ curl -sSL $(cat .ip):8080
Hello World!
Success!$ ./bin/alpine -h
_ _ _
| |__ (_)_ __ ___| |_ _ __
| '_ \| | '_ \ / __| __| '__|
| |_) | | | | | (__| |_| |
|_.__/|_|_| |_|\___|\__|_|
Fully static, self-contained container including the rootfs
that can be run by an unprivileged user.
Embedded Image: alpine - sha256:70c557e50ed630deed07cbb0dc4d28aa0f2a485cf7af124cc48f06bce83f784b
Version: 0.1.0
GitCommit: 13fcd27-dirty
-D run in debug mode
-console string
the pty slave path for use with the container
-d detach from the container's process
-hook value
Hooks to prefill into spec file. (ex. --hook prestart:netns) (default [])
-id string
container ID (default "nginx")
-pid-file string
specify the file to write the process id to
-read-only
make container filesystem readonly
-root string
root directory of container state, should be tmpfs (default "/run/binctr")
-t allocate a tty for the container (default true)
-v print version and exit (shorthand)
-version
print version and exitThe binary spawned does NOT need to oversee the container process if you run in detached mode with a PID file. You can have it watched by the user mode systemd so that this binary is really just the launcher :)
- cgroups: coming soon