Fully static, unprivileged, self-contained, containers as executable binaries.

Clone this repo:


  1. e6fe5df fix chown and seccomp by Jess Frazelle · 4 weeks ago master
  2. 74ea85e Revert "update to use containerd seccomp package" by Jess Frazelle · 4 weeks ago
  3. 4f8e065 update to use containerd seccomp package by Jess Frazelle · 4 weeks ago
  4. d150d41 update travis by Jess Frazelle · 4 weeks ago
  5. b426cb7 Merge pull request #5 from AkihiroSuda/readme-lfs by Jess Frazelle · 4 weeks ago


Build Status Go Report Card GoDoc

Create fully static, including rootfs embedded, binaries that pop you directly into a container. Can be run by an unprivileged user.

Check out the blog post: blog.jessfraz.com/post/getting-towards-real-sandbox-containers.

This is based off a crazy idea from @crosbymichael who first embedded an image in a binary :D

HISTORY: This project used to use a POC fork of libcontainer until @cyphar got rootless containers into upstream! Woohoo! Check out the original thread on the mailing list.

Checking out this repo

You need to install git-lfs.

$ git lfs clone git@github.com:genuinetools/binctr.git


You will need libapparmor-dev and libseccomp-dev.

Most importantly you need userns in your kernel (CONFIG_USER_NS=y) or else this won't even work.

# building the alpine example
$ make alpine
Static container created at: ./alpine

# building the busybox example
$ make busybox
Static container created at: ./busybox

# building the cl-k8s example
$ make cl-k8s
Static container created at: ./cl-k8s


$ ./alpine
$ ./busybox
$ ./cl-k8s

Cool things

The binary spawned does NOT need to oversee the container process if you run in detached mode with a PID file. You can have it watched by the user mode systemd so that this binary is really just the launcher :)