Crates.io | bandsocks |
lib.rs | bandsocks |
version | 0.2.1 |
source | src |
created_at | 2020-10-06 22:35:28.300346 |
updated_at | 2020-12-04 04:42:27.240226 |
description | Experimental embeddable container sandbox |
homepage | |
repository | https://github.com/scanlime/bandsocks |
max_upload_size | |
id | 296735 |
size | 421,780 |
it's a sandbox!
it's a container runtime!
it's designed to nest inside unprivileged docker containers!
it's highly experimental and doesn't actually work yet!
🎶 🎹🧦 🎸🧦 🎸🧦 🎷🧦 🎺🧦 🥁🧦 🎶
Takes inspiration from gaol, User Mode Linux, gvisor, chromium, and podman. The goal is to add an extra level of isolation to compute workloads we run as non-root within containers which are already somewhat locked down. This means that most high-powered kernel features like KVM and even user namespaces are off the table. The approach this project uses is based on seccomp to restrict system calls, and an emulated filesystem.
The intended API for this package is fairly high-level:
Non-goals include storage and networking. Networking will be fully disabled, and the virtual filesystem will be mostly in an immutable ramdisk made from images downloaded through a registry. Complete syscall support is also not a priority, as long as it can run computational workloads like media codecs.