bandsocks

Crates.iobandsocks
lib.rsbandsocks
version0.2.1
sourcesrc
created_at2020-10-06 22:35:28.300346
updated_at2020-12-04 04:42:27.240226
descriptionExperimental embeddable container sandbox
homepage
repositoryhttps://github.com/scanlime/bandsocks
max_upload_size
id296735
size421,780
Micah Elizabeth Scott (scanlime)

documentation

README

πŸ…±οΈπŸ§¦ bandsocks

it's a sandbox!

it's a container runtime!

it's designed to nest inside unprivileged docker containers!

it's highly experimental and doesn't actually work yet!

🎢 🎹🧦 🎸🧦 🎸🧦 🎷🧦 🎺🧦 πŸ₯πŸ§¦ 🎢

Docs Crates.io Build Status

Takes inspiration from gaol, User Mode Linux, gvisor, chromium, and podman. The goal is to add an extra level of isolation to compute workloads we run as non-root within containers which are already somewhat locked down. This means that most high-powered kernel features like KVM and even user namespaces are off the table. The approach this project uses is based on seccomp to restrict system calls, and an emulated filesystem.

The intended API for this package is fairly high-level:

  • download/unpack docker images into an emulated filesystem
  • attach streams to emulated files for I/O
  • run commands in the container

Non-goals include storage and networking. Networking will be fully disabled, and the virtual filesystem will be mostly in an immutable ramdisk made from images downloaded through a regsitry. Complete syscall support is also not a priority, as long as it can run computational workloads like media codecs.

Commit count: 496

cargo fmt