Create fully static binaries, with the rootfs embedded, that drop you directly into a container. They can be run by an unprivileged user.
Check out the blog post: blog.jessfraz.com/post/getting-towards-real-sandbox-containers.
This is based on a crazy idea from @crosbymichael, who first embedded an image in a binary :D
```console
$ git clone email@example.com:genuinetools/binctr.git
```
You will need
Most importantly, you need user namespaces enabled in your kernel (`CONFIG_USER_NS=y`); without them the binaries will not work at all, since an unprivileged user can only create the container from inside a new user namespace.
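A `CONFIG_USER_NS=y` kernel is necessary but not always sufficient: several distributions ship the option on and then disable unprivileged user namespaces through a sysctl. The pre-flight script below is an added example, not part of the binctr repository, and checks all three layers (build config, runtime sysctls, an actual `unshare -Ur`). It assumes the kernel config is exposed at `/proc/config.gz` or `/boot/config-$(uname -r)`, and that `/proc/sys/kernel/unprivileged_userns_clone` is the Debian/Ubuntu-specific knob; both are assumptions about common distros.

```shell
#!/bin/sh
# Added example (not binctr code): pre-flight check for the user-namespace
# requirement. Written for POSIX sh; run with --check to see the report.

# Parse a kernel .config from stdin and report whether CONFIG_USER_NS is
# enabled. Prints "y" or "n" and returns 0/1 so it is usable in both forms.
userns_in_config() {
  if grep -q '^CONFIG_USER_NS=y$'; then
    echo y
    return 0
  fi
  echo n
  return 1
}

# Print the running kernel's config to stdout. Assumption: it lives in one of
# the two usual places; returns 1 if neither is readable.
kernel_config() {
  if [ -r /proc/config.gz ]; then
    gzip -dc /proc/config.gz
  elif [ -r "/boot/config-$(uname -r)" ]; then
    cat "/boot/config-$(uname -r)"
  else
    return 1
  fi
}

# Even with CONFIG_USER_NS=y, unprivileged userns can be switched off at
# runtime. Returns 0 if the known knobs allow it, 1 if one forbids it.
userns_runtime_allowed() {
  # Upstream limit: 0 means no user namespaces may be created at all.
  if [ -r /proc/sys/user/max_user_namespaces ]; then
    [ "$(cat /proc/sys/user/max_user_namespaces)" -gt 0 ] || return 1
  fi
  # Debian/Ubuntu-specific knob (assumption: simply absent elsewhere).
  if [ -r /proc/sys/kernel/unprivileged_userns_clone ]; then
    [ "$(cat /proc/sys/kernel/unprivileged_userns_clone)" = 1 ] || return 1
  fi
  return 0
}

# The real test: can this (unprivileged) user create a user namespace and map
# itself to root inside it? Returns 2 if unshare(1) is not installed.
userns_works() {
  command -v unshare >/dev/null 2>&1 || return 2
  unshare -Ur true 2>/dev/null
}

# Human-readable report combining the three checks above.
check_userns() {
  if cfg=$(kernel_config); then
    printf 'CONFIG_USER_NS: %s\n' "$(printf '%s\n' "$cfg" | userns_in_config)"
  else
    echo 'CONFIG_USER_NS: unknown (no kernel config found)'
  fi
  if userns_runtime_allowed; then
    echo 'runtime sysctls: ok'
  else
    echo 'runtime sysctls: unprivileged user namespaces disabled'
  fi
  userns_works && rc=0 || rc=$?
  case $rc in
    0) echo 'unshare -Ur: ok' ;;
    2) echo 'unshare -Ur: skipped (unshare not installed)' ;;
    *) echo 'unshare -Ur: FAILED, binctr binaries will not start for this user' ;;
  esac
}

case "${1:-}" in
  --check) check_userns ;;
esac
```

If the last line of the report fails while the first says `y`, look at the sysctls before suspecting the binary: the kernel has the feature compiled in but refuses it to unprivileged users.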
```console
# building the alpine example
$ make alpine
Static container created at: ./alpine

# building the busybox example
$ make busybox
Static container created at: ./busybox

# building the cl-k8s example
$ make cl-k8s
Static container created at: ./cl-k8s
```
```console
$ ./alpine
$ ./busybox
$ ./cl-k8s
```
The binary that is spawned does NOT need to supervise the container process if you run it in detached mode with a PID file. You can have the container watched by the user-mode systemd instance instead, so that the binary is really just the launcher :)
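What that looks like in practice, as an added example that is not part of the binctr repository: a systemd user unit that runs the binary as a forking launcher and lets systemd track the container through the PID file. It assumes the binary was copied to `~/bin/my-service`, that its embedded image runs a long-lived process (the alpine and busybox examples above drop into a shell, which exits as soon as it has no terminal, so they are not good candidates for detached mode), and that the binary accepts runc-style `-d` (detach) and `-pid-file` flags; the flag spellings are an assumption about binctr's CLI, so check the binary's `-h` output first.

```ini
# ~/.config/systemd/user/my-service.service
# Added example, not from binctr. Assumes ~/bin/my-service is a binctr binary
# whose embedded image runs a daemon, and that -d / -pid-file are the detach
# and PID-file flags (assumption: verify with ~/bin/my-service -h).
[Unit]
Description=binctr container (binary is only the launcher, systemd supervises)

[Service]
# The launcher forks the container and exits; systemd then follows the PID file.
Type=forking
# %t is $XDG_RUNTIME_DIR for user units, so the PID file lives in a per-user tmpfs.
PIDFile=%t/my-service.pid
ExecStart=%h/bin/my-service -d -pid-file %t/my-service.pid
# Signal the tracked container process first, then any leftovers in the cgroup.
KillMode=mixed
Restart=on-failure

[Install]
WantedBy=default.target
```

Load it with `systemctl --user daemon-reload && systemctl --user enable --now my-service.service`, and `systemctl --user status my-service` shows the container's PID as the main process even though the launcher binary has long since exited.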