genuinetools/binctr

Stars
2,512
Rank 18,265 (Top 0.4 %)
Language
Go
License
MIT License
Created over 8 years ago
Updated over 5 years ago

genuinetools/binctr

genuinetools

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Fully static, unprivileged, self-contained, containers as executable binaries.

binctr

Create fully static, including rootfs embedded, binaries that pop you directly into a container. Can be run by an unprivileged user.

Check out the blog post: blog.jessfraz.com/post/getting-towards-real-sandbox-containers.

This is based off a crazy idea from @crosbymichael who first embedded an image in a binary :D

HISTORY: This project used to use a POC fork of libcontainer until @cyphar got rootless containers into upstream! Woohoo! Check out the original thread on the mailing list.

Table of Contents

Checking out this repo
Building
Running

Cool things

Checking out this repo

$ git clone [email protected]:genuinetools/binctr.git

Building

You will need libapparmor-dev and libseccomp-dev.

Most importantly you need userns in your kernel (CONFIG_USER_NS=y) or else this won't even work.

# building the alpine example
$ make alpine
Static container created at: ./alpine

# building the busybox example
$ make busybox
Static container created at: ./busybox

# building the cl-k8s example
$ make cl-k8s
Static container created at: ./cl-k8s

Running

$ ./alpine
$ ./busybox
$ ./cl-k8s

Cool things

The binary spawned does NOT need to oversee the container process if you run in detached mode with a PID file. You can have it watched by the user mode systemd so that this binary is really just the launcher :)

img

Standalone, daemon-less, unprivileged Dockerfile and OCI compatible container image builder.

reg

Docker registry v2 command line client and repo listing generator with security checks.

bane

Custom & better AppArmor profile generator for Docker containers.

amicontained

Container introspection tool. Find out what container runtime is being used as well as features available.

weather

Weather via the command line.

contained.af

A stupid game for learning about containers, capabilities, and syscalls.

bpfd

Framework for running BPF programs with rules on Linux as a daemon. Container aware.

pepper

A tool for performing actions on GitHub repos or a single repo.

audit

For auditing what collaborators, hooks, and deploy keys you have added on all your GitHub repositories.

ghb0t

A GitHub Bot to automatically delete your fork's branches after a pull request has been merged.

sshb0t

A bot for keeping your ssh authorized_keys up to date with user's GitHub keys, **only** use if you enable 2FA & keep your keys updates.

riddler

A tool to convert docker inspect to the opencontainers runc spec.

netns

Runc hook (OCI compatible) for setting up default bridge networking for containers.

certok

Command line tool to check the validity and expiration dates of SSL certificates.

apk-file

Search apk package contents via the command line.

udict

A command line urban dictionary.

bpfps

A tool to list and diagnose bpf programs. (Who watches the watchers..? :)

1up

A custom Gmail spam filter bot.

releases

Server to show latest GitHub Releases for a set of repositories.

upmail

Email notification hook for https://github.com/sourcegraph/checkup.

magneto

Pipe runc (OCI compatible) events to a stats TUI (Text User Interface).

pkg

A home for various Go packages to be imported by other projects.

www

This is the public website for genuine tools.