2021-05-24 00:11:58 +03:00
|
|
|
Undocker
|
|
|
|
--------
|
|
|
|
|
2021-05-24 00:11:58 +03:00
|
|
|
Converts a Docker image (a bunch of layers) to a flattened "rootfs" tarball.
|
2021-05-24 00:11:58 +03:00
|
|
|
|
|
|
|
Why?
|
2021-05-24 00:11:58 +03:00
|
|
|
----
|
2021-05-24 00:11:58 +03:00
|
|
|
|
2021-05-24 00:11:58 +03:00
|
|
|
Docker images became a popular way to distribute applications with their
|
|
|
|
dependencies. However, Docker itself is not the best runtime environment. At
|
|
|
|
least not for everyone.
|
2021-05-24 00:11:58 +03:00
|
|
|
|
2021-05-24 00:11:58 +03:00
|
|
|
Undocker bridges the gap between application images (in docker image format)
|
2021-05-24 00:11:58 +03:00
|
|
|
and container runtimes: now you can run a Docker image with old-fashioned
|
|
|
|
tools: lxc, systemd-nspawn or systemd itself.
|
2021-05-24 00:11:58 +03:00
|
|
|
|
|
|
|
Usage -- extract docker image
|
|
|
|
-----------------------------
|
|
|
|
|
2021-05-24 00:11:58 +03:00
|
|
|
Download `busybox` docker image from docker hub and convert it to a rootfs:
|
2021-05-24 00:11:58 +03:00
|
|
|
|
2021-05-24 00:11:58 +03:00
|
|
|
```
|
2021-05-24 00:11:58 +03:00
|
|
|
skopeo copy docker://docker.io/busybox:latest docker-archive:busybox.tar
|
2021-05-24 00:11:58 +03:00
|
|
|
undocker busybox.tar - | tar -xv
|
2021-05-24 00:11:58 +03:00
|
|
|
```
|
|
|
|
|
2021-05-24 00:11:58 +03:00
|
|
|
Almost the same can be done with a combination of `docker pull` and `docker
|
|
|
|
save`.
|
2021-05-24 00:11:58 +03:00
|
|
|
|
2021-05-24 00:11:58 +03:00
|
|
|
Usage -- systemd-nspawn example
|
|
|
|
-------------------------------
|
|
|
|
|
2021-05-24 00:11:58 +03:00
|
|
|
Start with systemd-nspawn:
|
2021-05-24 00:11:58 +03:00
|
|
|
|
2021-05-24 00:11:58 +03:00
|
|
|
```
|
2021-05-24 00:11:58 +03:00
|
|
|
systemd-nspawn -D $PWD busybox httpd -vfp 8080
|
2021-05-24 00:11:58 +03:00
|
|
|
```
|
|
|
|
|
2021-05-24 00:11:58 +03:00
|
|
|
Usage -- plain old systemd
|
|
|
|
--------------------------
|
2021-05-24 00:11:58 +03:00
|
|
|
|
|
|
|
```
|
2021-05-24 00:11:58 +03:00
|
|
|
systemd-run \
|
|
|
|
--wait --pty --collect --service-type=exec \
|
|
|
|
-p PrivateUsers=true \
|
|
|
|
-p DynamicUser=yes \
|
|
|
|
-p ProtectProc=invisible \
|
|
|
|
-p RootDirectory=$PWD \
|
|
|
|
-- busybox httpd -vfp 8080
|
2021-05-24 00:11:58 +03:00
|
|
|
```
|
|
|
|
|
2021-05-24 00:11:58 +03:00
|
|
|
Good things like `PrivateUsers`, `DynamicUser`, `ProtectProc` and other
|
|
|
|
[systemd protections][1] are available, just like to any systemd unit.
|
2021-05-24 00:11:58 +03:00
|
|
|
|
2021-05-24 00:11:58 +03:00
|
|
|
Notes & gotchas
|
|
|
|
---------------
|
2021-05-24 00:11:58 +03:00
|
|
|
|
2021-05-24 00:11:58 +03:00
|
|
|
`unocker` does not magically enable you to run containers from the internet.
|
2021-05-24 00:11:58 +03:00
|
|
|
Many will need significant tuning or not work at all; one will still need to
|
|
|
|
understand [what's inside](https://xkcd.com/1988/).
|
2021-05-24 00:11:58 +03:00
|
|
|
|
2021-05-24 00:11:58 +03:00
|
|
|
Contributions
|
|
|
|
-------------
|
2021-05-24 00:11:58 +03:00
|
|
|
|
2021-05-24 00:11:58 +03:00
|
|
|
I want this project to be useful for others, but not become a burden for me. If
|
|
|
|
undocker fails for you (for example, you found a container that undocker cannot
|
|
|
|
extract, or extracts incorrectly), **you** are on the hook to triage and fix
|
|
|
|
it.
|
|
|
|
|
|
|
|
Therefore, the following contributions are welcome:
|
|
|
|
|
|
|
|
- Pull rquests (diffs) with accompanying tests.
|
|
|
|
- Documentation.
|
|
|
|
|
|
|
|
Issues without accompanying patches will most likely be rejected, with one
|
|
|
|
exception: reports about regressions do not have to contain patches, but a
|
|
|
|
failing commit is mandatory, and a failing test case is highly appreciated.
|
2021-05-24 00:11:58 +03:00
|
|
|
|
|
|
|
[1]: https://www.freedesktop.org/software/systemd/man/systemd.exec.html
|