A tiny minimal container runtime written in Rust.

Overview

vas-quod

A tiny minimal container runtime written in Rust. The idea is to support minimal isolated containers without relying on an existing runtime: vas-quod calls Linux syscalls directly to build the isolation { namespaces, cgroups, chroot, unshare }.

Usage

Usage: ./vas-quod - minimal container runtime [options]
Options:
    -r, --rootfs path   Path to root file-system eg. --rootfs /home/alpinefs
    -c, --command command
                        Command to be executed eg. --command `curl
                        http://google.com`
    -h, --help          print this help menu
  • rootfs

Path to root filesystem

Download a sample root filesystem from https://github.com/flouthoc/vas-quod/releases/download/rootfs/rootfs.tar.gz

  • command

Container entrypoint command

Roadmap

  • Add Support for network bridges.
  • Implement -m or --mount to mount read-only files from host machine.
Comments
  • Exit with status code of child process; ensure `unmount_proc()` always runs

    A few minor changes:

    • Ensure the rust process exits with the exit code of the child process run in the container
    • Use waitpid to wait for child process exit (necessary to obtain the child's exit code)
    • Use a destructor to ensure unmount_proc() runs regardless of anything else going wrong (the closest Rust gets to a try/finally block)
    opened by timboudreau 4
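The two guarantees this PR asks for, a destructor so unmount_proc() runs on every exit path and a waitpid status turned into the runtime's own exit code, as an added illustration that is not vas-quod's code. Cleanup, Outcome and run_container_body are hypothetical names, and the mount/unmount calls are recorded in a log rather than performed, so the ordering can be checked without privileges.

```rust
use std::cell::RefCell;
use std::os::unix::process::ExitStatusExt;
use std::panic::{catch_unwind, AssertUnwindSafe};
use std::process::{Command, ExitStatus};

/// Scope guard: the closure runs when the guard is dropped, whether the
/// enclosing function returns normally, bails out early with `?`, or unwinds
/// from a panic. This is the Rust equivalent of a try/finally around
/// mount_proc()/unmount_proc() (hypothetical guard, not vas-quod's code).
struct Cleanup<F: FnMut()>(Option<F>);

impl<F: FnMut()> Drop for Cleanup<F> {
    fn drop(&mut self) {
        if let Some(mut f) = self.0.take() {
            f();
        }
    }
}

/// Which failure the simulated container body should exhibit.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Outcome {
    Success,
    EarlyError,
    Panicked,
}

/// Stand-in for the child-side work: "mount", do something, "unmount".
/// The real runtime would call mount(2)/umount2(2); here the calls are
/// appended to `log` so a test can observe that unmount always happens.
pub fn run_container_body(outcome: Outcome, log: &RefCell<Vec<&'static str>>) -> Result<(), String> {
    log.borrow_mut().push("mount_proc");
    // Named `_guard`, not `_`: a plain `_` binding would drop it immediately.
    let _guard = Cleanup(Some(|| {
        log.borrow_mut().push("unmount_proc");
    }));
    match outcome {
        Outcome::EarlyError => return Err("child exec failed".to_string()),
        Outcome::Panicked => panic!("simulated bug while handling the child"),
        Outcome::Success => {}
    }
    log.borrow_mut().push("child_exited");
    Ok(())
}

/// Run the body under catch_unwind so a panic becomes an observable value.
/// Returns the recorded call order and whether the body panicked.
pub fn run_and_collect(outcome: Outcome) -> (Vec<&'static str>, bool) {
    let log = RefCell::new(Vec::new());
    let panicked = catch_unwind(AssertUnwindSafe(|| run_container_body(outcome, &log))).is_err();
    (log.into_inner(), panicked)
}

/// Map a waitpid(2) status to the code this process should exit with: the
/// child's own exit code, or 128 + signal number if a signal killed it (the
/// shell convention), instead of an unconditional 0.
pub fn exit_code_from(status: ExitStatus) -> i32 {
    if let Some(code) = status.code() {
        code
    } else if let Some(sig) = status.signal() {
        128 + sig
    } else {
        1 // stopped/continued states are not reported by wait() without WUNTRACED
    }
}

fn main() {
    let (log, _) = run_and_collect(Outcome::EarlyError);
    println!("early error path: {:?}", log);
    // A real child: status() is waitpid(child_pid, &status, 0) underneath.
    let status = Command::new("sh").args(["-c", "exit 3"]).status().expect("spawn sh");
    std::process::exit(exit_code_from(status));
}
```

Run stand-alone, the program exits with status 3 because that is what the child returned; the guard's log shows "unmount_proc" after every path, including the panic.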
  • Allow for shell-style or plain word vector exec

    What do you think about this change?

    The old style of execution did apply shell-like word splitting, but didn't allow the use of a more general shell command. On the other hand, it didn't allow passing args unescaped, either.

    opened by solidsnack 3
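To make the trade-off in this PR concrete, here is an added example (not vas-quod's own code; ExecStyle, split_words and build_argv are hypothetical names) that builds the argv for each style: a quote-aware word split whose first word is exec'd directly, versus handing the whole string to /bin/sh -c. The difference that matters for isolation is what happens to shell metacharacters such as `;` in the command string: in word-vector mode they reach the program as literal bytes, in shell mode the shell interprets them.

```rust
use std::process::Command;

/// How the entrypoint string becomes an argv.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum ExecStyle {
    /// Split into words here and exec the first word directly: no shell is
    /// involved, so quotes are the only syntax honoured and `;`, `|`, `$VAR`
    /// and globs are passed through literally.
    WordVector,
    /// Hand the whole string to `/bin/sh -c`: full shell syntax, and with it
    /// the shell's interpretation of every metacharacter in the string.
    Shell,
}

/// Minimal POSIX-like word splitting: whitespace separates words, single
/// quotes are literal, double quotes honour backslash escapes, and a
/// backslash outside quotes escapes the next character.
pub fn split_words(input: &str) -> Result<Vec<String>, String> {
    let mut words = Vec::new();
    let mut cur = String::new();
    let mut in_word = false;
    let mut chars = input.chars();
    while let Some(c) = chars.next() {
        match c {
            '\'' => {
                in_word = true;
                loop {
                    match chars.next() {
                        Some('\'') => break,
                        Some(ch) => cur.push(ch),
                        None => return Err("unterminated single quote".to_string()),
                    }
                }
            }
            '"' => {
                in_word = true;
                loop {
                    match chars.next() {
                        Some('"') => break,
                        Some('\\') => match chars.next() {
                            Some(ch) => cur.push(ch),
                            None => return Err("dangling backslash".to_string()),
                        },
                        Some(ch) => cur.push(ch),
                        None => return Err("unterminated double quote".to_string()),
                    }
                }
            }
            '\\' => {
                in_word = true;
                match chars.next() {
                    Some(ch) => cur.push(ch),
                    None => return Err("dangling backslash".to_string()),
                }
            }
            c if c.is_whitespace() => {
                if in_word {
                    words.push(std::mem::take(&mut cur));
                    in_word = false;
                }
            }
            c => {
                in_word = true;
                cur.push(c);
            }
        }
    }
    if in_word {
        words.push(cur);
    }
    Ok(words)
}

/// The argv that would be handed to execvp inside the container.
pub fn build_argv(style: ExecStyle, command: &str) -> Result<Vec<String>, String> {
    match style {
        ExecStyle::Shell => Ok(vec!["/bin/sh".to_string(), "-c".to_string(), command.to_string()]),
        ExecStyle::WordVector => {
            let words = split_words(command)?;
            if words.is_empty() {
                return Err("empty command".to_string());
            }
            Ok(words)
        }
    }
}

fn main() {
    // Usage: ./example [--shell] words...   (default is word-vector mode)
    let args: Vec<String> = std::env::args().skip(1).collect();
    let (style, command) = match args.first().map(String::as_str) {
        Some("--shell") => (ExecStyle::Shell, args[1..].join(" ")),
        _ => (ExecStyle::WordVector, args.join(" ")),
    };
    let argv = match build_argv(style, &command) {
        Ok(v) => v,
        Err(e) => {
            eprintln!("{e}");
            std::process::exit(2);
        }
    };
    // The runtime would do this after entering the namespaces and rootfs.
    let status = Command::new(&argv[0]).args(&argv[1..]).status().expect("exec failed");
    std::process::exit(status.code().unwrap_or(1));
}
```

With `ls /tmp; id` as the command, word-vector mode runs `ls` with the literal arguments `/tmp;` and `id`, while shell mode runs both commands; the argv is the place to enforce whichever policy the runtime wants.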
  • Compare with bubblewrap / unshare

    Hi, I played over the last few days with unshare and bubblewrap / bwrap.

    Using all possible namespaces, mounting files / directories and a way to get a network namespace working inside of the container would be nice...

    Bwrap lacks networking and an optional config file instead of just CLI arguments.

    opened by pwFoo 3
  • Simplify type of run(); clarify error messages

    This pull request adds:

    1. Flatter (less nested) error handling.
    2. True error exit codes for some errors.
    3. A more robust type signature for run().
    4. More descriptive error messages.
    opened by solidsnack 1
  • Filesystem isolation fix: Switch to pivot_root for mounting rootfs

    This PR fixes https://github.com/flouthoc/vas-quod/issues/1. Containers could easily break filesystem isolation using nsenter --mount=/proc/self/ns/mnt ls /home; this scenario has been fixed in this pull request.

    security 
    opened by flouthoc 0
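The overview lists namespaces, chroot and unshare as the isolation primitives, and this PR replaces chroot with pivot_root. The following is an added example, not vas-quod's code, of that sequence with raw syscalls: unshare into a new user and mount namespace, bind the rootfs onto itself so it is a mount point, pivot_root into it, detach the old root, and mount a fresh /proc. It also carries the check a test would run from inside the container: parse /proc/self/mountinfo and confirm no mount remains at or under the old root, which is exactly what chroot alone fails to guarantee. enter_rootfs and old_root_still_mounted are hypothetical names; /home/alpinefs is the rootfs path from the usage text; the uid/gid mapping lets an unprivileged user run it, which vas-quod itself does not assume.

```rust
use std::ffi::CString;
use std::fs;
use std::io;
use std::os::raw::{c_char, c_int, c_long, c_ulong, c_void};
use std::ptr;

// Raw glibc bindings so the example needs no crates; the libc crate declares
// the same functions and constants.
extern "C" {
    fn unshare(flags: c_int) -> c_int;
    fn mount(src: *const c_char, target: *const c_char, fstype: *const c_char,
             flags: c_ulong, data: *const c_void) -> c_int;
    fn umount2(target: *const c_char, flags: c_int) -> c_int;
    fn chdir(path: *const c_char) -> c_int;
    fn syscall(num: c_long, ...) -> c_long;
    fn getuid() -> u32;
    fn getgid() -> u32;
}

const CLONE_NEWNS: c_int = 0x0002_0000;
const CLONE_NEWUSER: c_int = 0x1000_0000;
const MS_BIND: c_ulong = 0x1000;
const MS_REC: c_ulong = 0x4000;
const MS_PRIVATE: c_ulong = 1 << 18;
const MNT_DETACH: c_int = 2;
#[cfg(target_arch = "x86_64")]
const SYS_PIVOT_ROOT: c_long = 155;
#[cfg(target_arch = "aarch64")]
const SYS_PIVOT_ROOT: c_long = 41;

/// Turn a -1 return into an io::Error carrying errno and a label.
fn check(ret: c_long, what: &str) -> io::Result<()> {
    if ret < 0 {
        let e = io::Error::last_os_error();
        Err(io::Error::new(e.kind(), format!("{what}: {e}")))
    } else {
        Ok(())
    }
}

fn cstr(s: &str) -> CString {
    CString::new(s).expect("path contains NUL")
}

/// Enter a new user+mount namespace, make `rootfs` a mount point, pivot into
/// it and detach the old root. Afterwards the host filesystem is not present
/// in this mount namespace at all, unlike chroot(2), which only moves the
/// process's root directory and leaves every host mount in place.
pub fn enter_rootfs(rootfs: &str) -> io::Result<()> {
    let (uid, gid) = unsafe { (getuid(), getgid()) };
    unsafe { check(unshare(CLONE_NEWUSER | CLONE_NEWNS) as c_long, "unshare")? };
    // Become uid/gid 0 inside the new user namespace before mounting.
    fs::write("/proc/self/uid_map", format!("0 {uid} 1"))?;
    fs::write("/proc/self/setgroups", "deny")?;
    fs::write("/proc/self/gid_map", format!("0 {gid} 1"))?;

    let old_dir = format!("{rootfs}/.oldroot");
    fs::create_dir_all(&old_dir)?;
    let (slash, root, old, procfs) = (cstr("/"), cstr(rootfs), cstr(&old_dir), cstr("proc"));
    let (old_in_new, proc_mnt) = (cstr("/.oldroot"), cstr("/proc"));
    unsafe {
        // Keep our mount changes from propagating back to the host namespace.
        check(mount(ptr::null(), slash.as_ptr(), ptr::null(), MS_REC | MS_PRIVATE, ptr::null()) as c_long, "make / private")?;
        // pivot_root requires new_root to be a mount point: bind it onto itself.
        check(mount(root.as_ptr(), root.as_ptr(), ptr::null(), MS_BIND | MS_REC, ptr::null()) as c_long, "bind rootfs")?;
        check(syscall(SYS_PIVOT_ROOT, root.as_ptr(), old.as_ptr()), "pivot_root")?;
        check(chdir(slash.as_ptr()) as c_long, "chdir /")?;
        // Drop the old root from this namespace; MNT_DETACH works even while busy.
        check(umount2(old_in_new.as_ptr(), MNT_DETACH) as c_long, "umount old root")?;
        // Fresh procfs so /proc/self/mountinfo describes this namespace.
        check(mount(procfs.as_ptr(), proc_mnt.as_ptr(), procfs.as_ptr(), 0, ptr::null()) as c_long, "mount /proc")?;
    }
    let _ = fs::remove_dir("/.oldroot");
    Ok(())
}

/// Parse mountinfo text (field 5 is the mount point) and report whether any
/// mount still sits at or under `old_root_dir`. Inside a pivoted container
/// this is false; with a chroot-only setup the host mounts stay listed.
pub fn old_root_still_mounted(mountinfo: &str, old_root_dir: &str) -> bool {
    let prefix = format!("{old_root_dir}/");
    mountinfo
        .lines()
        .filter_map(|line| line.split_whitespace().nth(4))
        .any(|mp| mp == old_root_dir || mp.starts_with(&prefix))
}

fn main() {
    let rootfs = std::env::args().nth(1).unwrap_or_else(|| "/home/alpinefs".to_string());
    if let Err(e) = enter_rootfs(&rootfs) {
        eprintln!("enter_rootfs: {e}");
        std::process::exit(1);
    }
    let info = fs::read_to_string("/proc/self/mountinfo").unwrap_or_default();
    println!("old root still mounted: {}", old_root_still_mounted(&info, "/.oldroot"));
}
```

Run as `./example /home/alpinefs` on a kernel with unprivileged user namespaces enabled; it prints `old root still mounted: false`. The same mountinfo check is the regression test for the issue above: the host root must not appear in the container's mount table, because any mount that is still there can be re-entered.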
  • Rationale for explicitly calling unshare(2) in child_fn after clone(2)

    According to the man page of unshare(2), https://man7.org/linux/man-pages/man2/unshare.2.html

    CLONE_NEWNS: This flag has the same effect as the clone(2) CLONE_NEWNS flag.

    This may be a trivial question, but forgive me since I am new to this area.

    opened by lujiajing1126 0
Releases(rootfs)
Owner
flouthoc
Road to Craftsman 🛤