
ForAllSecure/rootfs_builder


Rootfs Builder

Rootfs builder pulls an image from a Docker registry and extracts the rootfs. This is equivalent to the command:

mkdir rootfs && docker export $(docker create busybox) | tar -C rootfs -xvf -

The rootfs generated is OCI compliant and can be run with RunC. The user can specify the user to chown the files to and whether or not to use a subuid mapping in case they want to unshare user namespaces.

Installation

Install Go 1.12

On debian:sid: apt-get install -y golang-1.12-go

From the release tarball:

sudo apt-get update
wget https://dl.google.com/go/go1.12.7.linux-amd64.tar.gz
sudo tar -xvf go1.12.7.linux-amd64.tar.gz
sudo mv go /usr/local
sudo mv /usr/local/go/bin/go /bin

Rootfs builder can be statically built. This statically compiles rootfs builder in a container:

make static

Or if you want to develop Rootfs Builder in a container, run: make dev

Usage

Rootfs builder can be run with: ./rootfs_builder <config.json>

An example config.json looks like:

{
    "Name": "debian:buster",
    "Cert": "/workdir/cert",
    "Retries": 3,
    "Spec": {
        "Dest": "/tmp/rootfs",
        "User": "fas",
        "UseSubuid": true
    }
}

  • Name (string, REQUIRED) Name of image to pull.
  • Cert (string, OPTIONAL) Path to cert to add to root CAs for the registry.
  • Retries (int, OPTIONAL) Number of attempts to connect to registry.
  • Spec (dict, OPTIONAL) Spec for the rootfs.
      • Dest (string, OPTIONAL) Destination to extract rootfs to.
      • User (string, OPTIONAL) User to chown files to.
      • UseSubuid (bool, OPTIONAL) Look up the subuid mapping for the given user and chown to that uid.
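
What a subuid lookup for the User field involves, shown as an added example; this is not rootfs_builder's own code, and the page does not show how the tool implements it. The function names, the sample file content, and the assumption that image uid 0 maps to the first subordinate uid are all illustrative.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"strconv"
	"strings"
)

// Constructed sample in /etc/subuid format: name:first_subuid:count
const sampleSubuid = "root:100000:65536\nfas:165536:65536\nbroken:notanumber:10\n"

// lookupSubuid returns the first subordinate uid range listed for user.
func lookupSubuid(r io.Reader, user string) (uint32, uint32, error) {
	sc := bufio.NewScanner(r)
	for sc.Scan() {
		f := strings.Split(strings.TrimSpace(sc.Text()), ":")
		if len(f) != 3 || f[0] != user {
			continue // malformed line or a different user
		}
		s, err := strconv.ParseUint(f[1], 10, 32)
		if err != nil {
			return 0, 0, fmt.Errorf("bad start for %q: %w", user, err)
		}
		c, err := strconv.ParseUint(f[2], 10, 32)
		if err != nil || c == 0 || s+c > 1<<32 {
			return 0, 0, fmt.Errorf("bad count or range for %q", user)
		}
		return uint32(s), uint32(c), nil
	}
	if err := sc.Err(); err != nil {
		return 0, 0, err
	}
	return 0, 0, fmt.Errorf("no subuid entry for %q", user)
}

// hostUID maps an in-image uid to a host uid (assumption: image uid 0 -> start).
// Refusing ids outside the range keeps files from landing on an unrelated host uid.
func hostUID(start, count, imageUID uint32) (uint32, error) {
	if imageUID >= count {
		return 0, fmt.Errorf("uid %d outside mapped range of %d ids", imageUID, count)
	}
	return start + imageUID, nil
}

func main() {
	fmt.Println(lookupSubuid(strings.NewReader(sampleSubuid), "fas"))
}
```
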

Tests

To run integration tests, run make test.

Credits

This code is from ForAllSecure labs. It is not an official ForAllSecure maintained product or offering.

Some code recycled from Google's Kaniko.
