Fully static, unprivileged, self-contained, containers as executable binaries.
Latest commit 6a99940 (Sep 25, 2018) by jessfraz: "change order"
Signed-off-by: Jess Frazelle <acidburn@microsoft.com>
Create fully static binaries, with the rootfs embedded, that pop you directly into a container. They can be run by an unprivileged user.

Check out the blog post: blog.jessfraz.com/post/getting-towards-real-sandbox-containers.

This is based off a crazy idea from @crosbymichael who first embedded an image in a binary :D

HISTORY: This project used to use a POC fork of libcontainer until @cyphar got rootless containers into upstream! Woohoo! Check out the original thread on the mailing list.

Checking out this repo

$ git clone git@github.com:genuinetools/binctr.git


You will need libapparmor-dev and libseccomp-dev.

Most importantly, you need user namespaces enabled in your kernel (CONFIG_USER_NS=y), or else this won't work at all.
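A preflight script for the prerequisites above (CONFIG_USER_NS=y, unprivileged user namespace creation, libapparmor-dev and libseccomp-dev), added here as an example; it is not part of the binctr repository. It assumes pkg-config is installed and treats the Debian/Ubuntu-only kernel.unprivileged_userns_clone sysctl as "allowed" when the knob does not exist.

```shell
#!/bin/sh
# Preflight check for building and running binctr containers (added example).

# userns_enabled_in_config FILE: 0 if FILE (plain or gzipped kernel config)
# contains CONFIG_USER_NS=y, 1 otherwise.
userns_enabled_in_config() {
  case "$1" in
    *.gz) gzip -dc "$1" 2>/dev/null | grep -q '^CONFIG_USER_NS=y$' ;;
    *)    grep -q '^CONFIG_USER_NS=y$' "$1" 2>/dev/null ;;
  esac
}

# find_kernel_config: print the first readable kernel config location.
find_kernel_config() {
  for f in /proc/config.gz "/boot/config-$(uname -r)"; do
    [ -r "$f" ] && { echo "$f"; return 0; }
  done
  return 1
}

# unprivileged_userns_allowed: 0 if unprivileged users may create user
# namespaces. Only Debian-derived kernels expose this sysctl; elsewhere the
# kernel default (allowed) applies, so a missing knob counts as allowed.
unprivileged_userns_allowed() {
  knob=/proc/sys/kernel/unprivileged_userns_clone
  [ -r "$knob" ] || return 0
  [ "$(cat "$knob")" = "1" ]
}

# have_pkg NAME: 0 if pkg-config can locate the dev library (its .pc file).
have_pkg() { pkg-config --exists "$1" 2>/dev/null; }

# preflight: run every check, print a status line each, return 1 if any failed.
preflight() {
  rc=0
  if cfg=$(find_kernel_config); then
    userns_enabled_in_config "$cfg" && echo "CONFIG_USER_NS=y ($cfg)" \
      || { echo "CONFIG_USER_NS not set in $cfg"; rc=1; }
  else
    echo "no readable kernel config found"; rc=1
  fi
  unprivileged_userns_allowed && echo "unprivileged userns: allowed" \
    || { echo "unprivileged userns: blocked by sysctl"; rc=1; }
  for p in libapparmor libseccomp; do
    have_pkg "$p" && echo "$p: found" || { echo "$p: missing (install ${p}-dev)"; rc=1; }
  done
  return $rc
}

preflight || echo "prerequisites missing; see lines above"
```

Run it before `make alpine`; a non-zero exit from `preflight` means the build or the resulting binary will fail on this host.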

# building the alpine example
$ make alpine
Static container created at: ./alpine

# building the busybox example
$ make busybox
Static container created at: ./busybox

# building the cl-k8s example
$ make cl-k8s
Static container created at: ./cl-k8s


$ ./alpine
$ ./busybox
$ ./cl-k8s

Cool things

The spawned binary does NOT need to oversee the container process if you run in detached mode with a PID file. You can have the container watched by user-mode systemd, so that this binary is really just the launcher :)