Skip to content
Fully static, unprivileged, self-contained, containers as executable binaries.
Go Makefile
Branch: master
Clone or download

Latest commit

Fetching latest commit…
Cannot retrieve the latest commit at this time.


Type Name Latest commit message Commit time
Failed to load latest commit information.
container update vendor Sep 25, 2018
examples update travis May 25, 2019
.gitignore update Sep 25, 2018
.travis.yml update travis May 25, 2019
Gopkg.lock update vendor Sep 25, 2018
Gopkg.toml fix chown and seccomp Mar 22, 2018
LICENSE update go generated project files Mar 20, 2018
Makefile cheange order Sep 25, 2018
VERSION.txt update Sep 25, 2018 update travis May 25, 2019


Build Status Go Report Card GoDoc

Create fully static, including rootfs embedded, binaries that pop you directly into a container. Can be run by an unprivileged user.

Check out the blog post:

This is based off a crazy idea from @crosbymichael who first embedded an image in a binary :D

HISTORY: This project used to use a POC fork of libcontainer until @cyphar got rootless containers into upstream! Woohoo! Check out the original thread on the mailing list.

Table of Contents

Checking out this repo

$ git clone


You will need libapparmor-dev and libseccomp-dev.

Most importantly you need userns in your kernel (CONFIG_USER_NS=y) or else this won't even work.

# building the alpine example
$ make alpine
Static container created at: ./alpine

# building the busybox example
$ make busybox
Static container created at: ./busybox

# building the cl-k8s example
$ make cl-k8s
Static container created at: ./cl-k8s


$ ./alpine
$ ./busybox
$ ./cl-k8s

Cool things

The binary spawned does NOT need to oversee the container process if you run in detached mode with a PID file. You can have it watched by the user mode systemd so that this binary is really just the launcher :)

You can’t perform that action at this time.