Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/genuinetools/binctr

Fully static, unprivileged, self-contained, containers as executable binaries.
https://github.com/genuinetools/binctr

Last synced: 25 days ago
JSON representation

Fully static, unprivileged, self-contained, containers as executable binaries.

Host: GitHub
URL: https://github.com/genuinetools/binctr
Owner: genuinetools
License: mit
Created: 2016-04-15T06:43:22.000Z (over 8 years ago)
Default Branch: master
Last Pushed: 2019-05-25T20:55:14.000Z (over 5 years ago)
Last Synced: 2024-09-26T23:04:36.877Z (about 1 month ago)
Language: Go
Homepage: https://blog.jessfraz.com/post/getting-towards-real-sandbox-containers/
Size: 29.5 MB
Stars: 2,513
Watchers: 75
Forks: 80
Open Issues: 3
Metadata Files:
- Readme: README.md
- License: LICENSE

Awesome Lists containing this project

awesome - genuinetools/binctr - Fully static, unprivileged, self-contained, containers as executable binaries. (Go)
awesome-repositories - genuinetools/binctr - Fully static, unprivileged, self-contained, containers as executable binaries. (Go)

README

        # binctr

[![Build Status](https://travis-ci.org/genuinetools/binctr.svg?branch=master)](https://travis-ci.org/genuinetools/binctr)

[![Go Report Card](https://goreportcard.com/badge/github.com/genuinetools/binctr)](https://goreportcard.com/report/github.com/genuinetools/binctr)

[![GoDoc](https://godoc.org/github.com/genuinetools/binctr?status.svg)](https://godoc.org/github.com/genuinetools/binctr)

Create fully static, including rootfs embedded, binaries that pop you directly

into a container. **Can be run by an unprivileged user.**

Check out the blog post: [blog.jessfraz.com/post/getting-towards-real-sandbox-containers](https://blog.jessfraz.com/post/getting-towards-real-sandbox-containers/).

This is based off a crazy idea from [@crosbymichael](https://github.com/crosbymichael)

who first embedded an image in a binary :D

**HISTORY:** This project used to use a POC fork of libcontainer until [@cyphar](https://github.com/cyphar)

got rootless containers into upstream! Woohoo!

Check out the original thread on the 

[mailing list](https://groups.google.com/a/opencontainers.org/forum/#!topic/dev/yutVaSLcqWI).

**Table of Contents**

  * [Checking out this repo](#checking-out-this-repo)

  * [Building](#building)

  * [Running](#running)

- [Cool things](#cool-things)

### Checking out this repo

```console

$ git clone [email protected]:genuinetools/binctr.git

```

### Building

You will need `libapparmor-dev` and `libseccomp-dev`.

Most importantly you need userns in your kernel (`CONFIG_USER_NS=y`)

or else this won't even work.

```console

# building the alpine example

$ make alpine

Static container created at: ./alpine

# building the busybox example

$ make busybox

Static container created at: ./busybox

# building the cl-k8s example

$ make cl-k8s

Static container created at: ./cl-k8s

```

### Running

```console

$ ./alpine

$ ./busybox

$ ./cl-k8s

```

## Cool things

The binary spawned does NOT need to oversee the container process if you

run in detached mode with a PID file. You can have it watched by the user mode

systemd so that this binary is really just the launcher :)