Fully static, unprivileged, self-contained, containers as executable binaries.

binctr

Create fully static, including rootfs embedded, binaries that pop you directly into a container. Can be run by an unprivileged user.

Check out the blog post: blog.jessfraz.com/post/getting-towards-real-sandbox-containers.

This is based on a crazy idea from @crosbymichael, who first embedded an image in a binary :D

HISTORY: This project used to use a POC fork of libcontainer until @cyphar got rootless containers into upstream! Woohoo! Check out the original thread on the mailing list.

Checking out this repo

$ git clone git@github.com:genuinetools/binctr.git

Building

You will need libapparmor-dev and libseccomp-dev.

Most importantly, you need user namespaces enabled in your kernel (CONFIG_USER_NS=y); without them this won't work at all.

# building the alpine example
$ make alpine
Static container created at: ./alpine

# building the busybox example
$ make busybox
Static container created at: ./busybox

# building the cl-k8s example
$ make cl-k8s
Static container created at: ./cl-k8s

Running

$ ./alpine
$ ./busybox
$ ./cl-k8s
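Because the binaries rely on unprivileged user namespaces, a pre-flight check is worth running before the first ./alpine. The script below is an added example, not part of the binctr repo: it looks for CONFIG_USER_NS=y in the kernel config, inspects the sysctl knobs that can still block unprivileged user namespaces (max_user_namespaces is upstream; unprivileged_userns_clone exists only on Debian/Ubuntu-patched kernels), and finally tries unshare(1) as the current user. The function names are my own.

```shell
#!/bin/sh
# binctr pre-flight: can this unprivileged user create a user namespace?
# Added example (not from the binctr project); function names are assumptions.

# kernel_config_has_userns FILE
# Return 0 if FILE (a kernel .config, plain or gzip-compressed) sets CONFIG_USER_NS=y.
kernel_config_has_userns() {
    f=$1
    case "$f" in
        *.gz) zcat "$f" 2>/dev/null | grep -qx 'CONFIG_USER_NS=y' ;;
        *)    grep -qx 'CONFIG_USER_NS=y' "$f" 2>/dev/null ;;
    esac
}

# sysctl_allows_userns ROOT
# Return 0 if the sysctl files under ROOT (normally /) do not forbid unprivileged
# user namespaces. ROOT is a parameter so the logic can be tested on a fake tree.
sysctl_allows_userns() {
    root=${1:-/}
    max="$root/proc/sys/user/max_user_namespaces"          # 0 disables userns entirely
    clone="$root/proc/sys/kernel/unprivileged_userns_clone" # Debian/Ubuntu only; 1 = allowed
    if [ -r "$max" ] && [ "$(cat "$max")" -eq 0 ]; then
        return 1
    fi
    if [ -r "$clone" ] && [ "$(cat "$clone")" -ne 1 ]; then
        return 1
    fi
    return 0
}

# userns_preflight
# Run the checks against the live system, ending with the definitive test:
# actually creating a user namespace with unshare(1) as the current user.
userns_preflight() {
    cfg=/proc/config.gz
    [ -r "$cfg" ] || cfg="/boot/config-$(uname -r)"
    if [ -r "$cfg" ] && ! kernel_config_has_userns "$cfg"; then
        echo "kernel config $cfg lacks CONFIG_USER_NS=y" >&2
        return 1
    fi
    if ! sysctl_allows_userns /; then
        echo "sysctl settings forbid unprivileged user namespaces" >&2
        return 1
    fi
    if ! unshare -U true 2>/dev/null; then
        echo "unshare -U failed: unprivileged user namespaces unavailable" >&2
        return 1
    fi
    echo "user namespaces OK"
}
```

Source the file and run `userns_preflight && ./alpine`; a non-zero exit tells you which of the three layers (build config, sysctl policy, or the kernel's actual answer) is blocking you.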

Cool things

The spawned binary does NOT need to oversee the container process if you run it in detached mode with a PID file. You can have the container watched by user-mode systemd instead, so that this binary is really just the launcher :)