A tiny minimal container runtime written in Rust.

Last update: Dec 26, 2022

Overview

vas-quod

A tiny minimal container runtime written in Rust. The idea is to support a minimal isolated containers without using existing runtimes, vas-quod uses linux syscall to achieve isolated containers { namespaces, cgroups, chroot, unshare }.

Usage

Usage: ./vas-quod - minimal container runtime [options]
Options:
    -r, --rootfs path   Path to root file-system eg. --rootfs /home/alpinefs
    -c, --command command
                        Command to be executed eg. --command `curl
                        http://google.com`
    -h, --help          print this help menu

rootfs

Path to root filesystem

Download a sample root filesystem from https://github.com/flouthoc/vas-quod/releases/download/rootfs/rootfs.tar.gz

command

Container entrypoint command

Roadmap

Add Support for network bridges.
Implement -m or --mount to mount read-only files from host machine.

Comments

Exit with status code of child process; ensure `unmount_proc()` always runs
A few minor changes:

Ensure the rust process exits with the exit code of the child process run in the container

Use waitpid to wait for child process exit (necessary to obtain the child's exit code)

Use a destructor to ensure unmount_proc() runs regardless of anything else going wrong (the closest Rust gets to a try/finally block)
opened by timboudreau 4
Allow for shell-style or plain word vector exec

What do you think about this change?

The old style of execution did apply shell-like word splitting, but didn't allow the use of a more general shell command. On the other hand, it didn't allow passing args unescaped, either.

opened by solidsnack 3
Compare with bubblewrap / unshare

Hi, I played the last days with unshare and bubblewrap / bwrap.

Use all possible namespaces, mount files / directories and a way to get a network namespace working inside of the container would be nice...

Bwrap lacks netwoking an optional config file instead of just cli arguments.

opened by pwFoo 3
Simplify type of run(); clarify error messages
This pull request adds:

Flatter (less nested) error handling.

True error exit codes for some errors.

A more robust type signature for run()

More descriptive error messages.
opened by solidsnack 1
Filesystem isolation fix: Switch to pivot_root for mounting rootfs

Following PR fixes:https://github.com/flouthoc/vas-quod/issues/1 Containers could easily break filesystem isolation using nsenter --mount=/proc/self/ns/mnt ls /home following scenario has been fixed in this Pull Request.
security

opened by flouthoc 0
Rationale for explicitly calling unshare(2) in child_fn after clone(2)

According to the man page of unshare(2), https://man7.org/linux/man-pages/man2/unshare.2.html

CLONE_NEWNS: This flag has the same effect as the clone(2) CLONE_NEWNS flag.

May be a trivial question, but forgive me since I am new to this area.

opened by lujiajing1126 0

Releases(rootfs)

rootfs(Dec 27, 2020)

A sample linux root-filesystem.
Source code(tar.gz)
Source code(zip)
rootfs.tar.gz(253.42 MB)

Owner

flouthoc

Road to Craftsman 🛤

GitHub

Easy to use, extendable, OCI-compliant container runtime written in pure Rust

PURA - Lightweight & OCI-compliant container runtime Pura is an experimental Linux container runtime written in pure and dependency-minimal Rust. The

73 Jan 9, 2023

A secure container runtime with OCI interface

Quark Container Welcome to Quark Container. This repository is the home of Quark Containers code. What's Quark Container Quark Container is high perfo

175 Dec 29, 2022

dedock is a container runtime, with a particular focus on enabling embedded software development across all platforms

dedock is a container runtime, with a particular focus on enabling embedded software development across all platforms. It supports native "containers" on both Linux and macOS.

12 May 27, 2023

Container monitor in Rust

Conmon-rs A pod level OCI container runtime monitor. The goal of this project is to provide a container monitor in Rust. The scope of conmon-rs encomp

84 Dec 21, 2022

A lite tool to make systemd work in any container(Windows Subsystem for Linux 2, Docker, Podman, etc.)

Angea Naming from hydrangea(アジサイ) A lite tool to make systemd work in any container(Windows Subsystem for Linux 2, Docker, Podman, etc.) WSL1 is not s

16 Dec 5, 2022

insject is a tool for poking at containers. It enables you to run an arbitrary command in a container or any mix of Linux namespaces.

Insject insject is a tool for poking at containers. It enables you to run an arbitrary command in a container or any mix of Linux namespaces. It suppo

44 Nov 9, 2022

Hot-plug devices into a Docker container as they are plugged.

container-hotplug Hot-plug (and unplug) devices into a Docker container as they are (un)plugged. Description Docker provides the --device flag to give

2 Oct 17, 2022

Rust client for the huggingface hub aiming for minimal subset of features over `huggingface-hub` python package

This crates aims to emulate and be compatible with the huggingface_hub python package. compatible means the Api should reuse the same files skipping d

9 Jul 20, 2023

Rocker is a minimal docker implementation for educational purposes.

Rocker is a minimal docker implementation for educational purposes inspired by gocker. Rocker uses linux kernel features (namespace, cgroup, chroot etc.) to isolate container processes and limit available resourses.

16 Feb 14, 2022

oci-image and oci-runtime spec in rust.

oci-lib Oci-Spec for your container runtime or container registry. Oci-lib is a rust port for original oci spec written in go. Following crate contain

12 Mar 10, 2022

Experimental implementation of the oci-runtime in Rust

youki Experimental implementation of the oci-runtime in Rust Overview youki is an implementation of runtime-spec in Rust, referring to runc. This proj

12 Sep 23, 2022

youki is an implementation of the OCI runtime-spec in Rust, similar to runc.

4.2k Dec 29, 2022

Rust Kubernetes client and controller runtime

kube-rs Rust client for Kubernetes in the style of a more generic client-go, a runtime abstraction inspired by controller-runtime, and a derive macro

1.8k Jan 8, 2023

A simple containerized application manage system like Kubernetes, but written in Rust

rMiniK8s A simple dockerized application management system like Kubernetes, written in Rust, plus a simple FaaS implementation. Course Project for SJT

15 Jul 8, 2023

Automated builded images for rust-lang with rustup, "the ultimate way to install RUST"

rustup Automated builded images on store and hub for rust-lang with musl added, using rustup "the ultimate way to install RUST". tag changed: all3 ->

83 Nov 30, 2022

docker-rust — the official Rust Docker image

About this Repo This is the Git repo of the Docker official image for rust. See the Docker Hub page for the full readme on how to use this Docker imag

321 Dec 11, 2022

Docker images for compiling static Rust binaries using musl-libc and musl-gcc, with static versions of useful C libraries. Supports openssl and diesel crates.

rust-musl-builder: Docker container for easily building static Rust binaries Source on GitHub Changelog UPDATED: Major updates in this release which m

1.3k Jan 1, 2023

Very small rust docker image

mini-docker-rust Very small rust docker image. This is an example project on how to build very small docker images for a rust project. The resulting i

155 Jan 1, 2023

Docker images for compiling static Rust binaries using musl-cross

rust-musl-cross Docker images for compiling static Rust binaries using musl-cross-make, inspired by rust-musl-builder Prebuilt images Currently we hav

365 Dec 30, 2022