afd9d6bc2d | ||
---|---|---|
LICENSE | ||
README.md |
README.md
ISSUE
OpenBSD filesystem doesn't allow hard link with directories, this is essential for the thing to work. Until a solution is imagined, it can't be done as designed.
A solution would be to use a local NFS to share directories and mount them anywhere in the file hierarchy, but this would require a lot more work.
Introduction
pocker
is a tool to mimic docker
on OpenBSD using chroot. Each step of the Pockerfile
create a separate file hierarchy until the last instruction that will be used on the latest incremental version of the hierarchy. Using hard links on the filesystem, it will allow grafting a local directory into the chroot for persistency.
Usage
Create a Pockerfile
with:
PROOT
PKG nginx
RUN /etc/rc.d/nginx
Then run using local /var/pocker/volumes/www
in the chroot at /var/www/htdocs/
:
pocker create nginx
pocker -d /var/pocker/volumes/www/:/var/www/htdocs/ nginx
At the create step in /var/pocker/chroot/nginx/
multiples directories will be created: step1-${line1 checksum}
then a rsync from step1-${line1 checksum}
will be done into step2-${line2 checksum}
and so fort until the last run command creating a last environment still using rsync, allowing to easily clean the pocker enviroment upon restart.
ls /var/pocker/chroot/nginx/
step1-b559bfe9f2d456b96fa836bba713169b5e9a3480e9d67bfb30afc9c38fa5f8bb
step2-5a8ab23cdfb2240ece269ddcffe26c0750d56cb84adb054ae8bcdad51e5841e2
run-0a5f640ed9c98aca444c675f34ef7ee57da0a07d0f20b3565595a42baf2664a4
run -> run-0a5f640ed9c98aca444c675f34ef7ee57da0a07d0f20b3565595a42baf2664a4
Pockerfile syntax
PROOT
: create a chroot using the current system as a model usingproot
commandPKG
: will run pkg_add in the chrootRUN
: command run when the pocker is started
Ideas
- using hard links for each environment step for speed and disk usage efficiency
- allow exporting / importing chroots
- allow replacing
proot
with a list of OpenBSD base sets for a more reproducible environment
Use cases
This is a list of use case I have, and without heavy automation it's complicated to proceed using virtual machines.
- running an email server in its own chroot with lmtp delivery over TCP, if the environment is compromised it shouldn't be able to escape
- running a python app from pip that can't be considered fully trusted
FAQ
Why the name pocker
Because it bluffs about the environment.
Why not docker
Because it's complicated and not easily reproducible on all operating systems.
Why pocker
Because it allows low cost sandboxing without any special requirement.