Fully static, unprivileged, self-contained, containers as executable binaries.
binctr

Create fully static binaries, with the rootfs embedded, that drop you directly into a container. They can be run by an unprivileged user.

Check out the blog post: blog.jessfraz.com/post/getting-towards-real-sandbox-containers.

This is based on a crazy idea from @crosbymichael, who first embedded an image in a binary :D

HISTORY: This project used to rely on a POC fork of libcontainer until @cyphar got rootless containers into upstream! Woohoo! Check out the original thread on the mailing list.

Checking out this repo

$ git clone git@github.com:genuinetools/binctr.git

Building

You will need libapparmor-dev and libseccomp-dev.

Most importantly, you need user namespace support in your kernel (CONFIG_USER_NS=y); without it, this won't work at all.
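As an added example (not the project's own code), here is a preflight script for the CONFIG_USER_NS requirement stated above. It assumes the usual Linux locations for the running kernel's config (/proc/config.gz, /boot/config-$(uname -r)) and the util-linux `unshare` tool; neither comes from binctr.

```shell
#!/bin/sh
# Added example, not part of the binctr project: preflight for CONFIG_USER_NS=y.
# Config paths, sysctl names and the unshare probe are assumed Linux conventions.

# userns_in_config FILE: 0 if FILE (a kernel .config, plain or .gz) has CONFIG_USER_NS=y.
userns_in_config() {
    [ -r "$1" ] || return 1
    case "$1" in
        *.gz) zcat "$1" ;;
        *)    cat "$1" ;;
    esac | grep -qx 'CONFIG_USER_NS=y'
}

# find_kernel_config: print the running kernel's config path, /proc/config.gz first.
find_kernel_config() {
    for f in /proc/config.gz "/boot/config-$(uname -r)"; do
        [ -r "$f" ] && { printf '%s\n' "$f"; return 0; }
    done
    return 1
}

# CONFIG_USER_NS=y is necessary but not sufficient: distro sysctls such as
# kernel.unprivileged_userns_clone=0 or user.max_user_namespaces=0 still block
# unprivileged users, so also try to create a user namespace for real.
unpriv_userns_works() {
    unshare -U true 2>/dev/null
}

userns_preflight() {
    rc=0
    if cfg=$(find_kernel_config); then
        if userns_in_config "$cfg"; then
            echo "ok:   CONFIG_USER_NS=y ($cfg)"
        else
            echo "FAIL: CONFIG_USER_NS not enabled in $cfg"; rc=1
        fi
    else
        echo "warn: no kernel config found, skipping CONFIG_USER_NS check"
    fi
    if unpriv_userns_works; then
        echo "ok:   unprivileged user namespace created"
    else
        echo "FAIL: cannot create an unprivileged user namespace (check sysctls)"; rc=1
    fi
    return $rc
}
userns_preflight || echo "preflight failed: the built container will not start unprivileged"
```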

# building the alpine example
$ make alpine
Static container created at: ./alpine

# building the busybox example
$ make busybox
Static container created at: ./busybox

# building the cl-k8s example
$ make cl-k8s
Static container created at: ./cl-k8s

Running

$ ./alpine
$ ./busybox
$ ./cl-k8s

Cool things

The spawned binary does NOT need to oversee the container process if you run it in detached mode with a PID file. You can have the container watched by user-mode systemd instead, so that this binary is really just a launcher :)