Undocker
--------
Converts a Docker image (a bunch of layers) to a flattened "rootfs" tarball.

Why?
----
Docker images became a popular way to distribute applications with their
dependencies. However, Docker itself is not the best runtime environment. At
least not for everyone.

Undocker bridges the gap between application images (in docker image format)
and container runtimes: now you can run a Docker image with old-fashioned
tools: lxc, systemd-nspawn or systemd itself.

Usage -- extract docker image
-----------------------------
Download the `busybox` Docker image from Docker Hub and convert it to a rootfs:

```
skopeo copy docker://docker.io/busybox:latest docker-archive:busybox.tar
undocker busybox.tar - | tar -xv
```

Almost the same can be done with a combination of `docker pull` and `docker
save`.

Usage -- systemd-nspawn example
-------------------------------
Start with systemd-nspawn:

```
systemd-nspawn -D $PWD busybox httpd -vfp 8080
```

Usage -- plain old systemd
--------------------------
```
systemd-run \
  --wait --pty --collect --service-type=exec \
  -p PrivateUsers=true \
  -p DynamicUser=yes \
  -p ProtectProc=invisible \
  -p RootDirectory=$PWD \
  -- busybox httpd -vfp 8080
```

Good things like `PrivateUsers`, `DynamicUser`, `ProtectProc` and other
[systemd protections][1] are available, just as for any other systemd unit.

Notes & gotchas
---------------

`undocker` does not magically enable you to run containers from the internet.
Many will need significant tuning or not work at all; one will still need to
understand [what's inside](https://xkcd.com/1988/).
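
One way to look at what's inside before running `tar -x`, as an added example that is not part of undocker: a Python check that reads the flattened tarball from a stream and lists entries worth reviewing before the rootfs is started under systemd. The script name `audit_rootfs.py`, the function names and the sample archive are assumptions constructed for illustration.

```python
import io
import sys
import tarfile
from pathlib import PurePosixPath

def escapes(path):
    """True if a member name or link target points outside the extraction dir."""
    return path.startswith("/") or ".." in PurePosixPath(path).parts

def audit_rootfs(fileobj):
    """Return sorted (path, finding) pairs for entries worth reviewing."""
    findings = []
    # "r|*" reads a non-seekable stream, so the tarball can come from a pipe.
    with tarfile.open(fileobj=fileobj, mode="r|*") as tar:
        for m in tar:
            if escapes(m.name):
                findings.append((m.name, "path escapes extraction directory"))
            if m.islnk() and escapes(m.linkname):
                findings.append((m.name, "hardlink target escapes extraction directory"))
            if m.ischr() or m.isblk():
                findings.append((m.name, "device node"))
            if m.isfile() and m.mode & 0o6000:
                findings.append((m.name, "setuid/setgid file"))
            if m.isfile() and m.mode & 0o002:
                findings.append((m.name, "world-writable file"))
    return sorted(findings)

def sample_tar():
    """Constructed sample standing in for undocker output (not a real image)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, kind, mode in [
            ("bin/busybox", tarfile.REGTYPE, 0o755),
            ("bin/su", tarfile.REGTYPE, 0o4755),
            ("dev/sda", tarfile.BLKTYPE, 0o660),
            ("../outside", tarfile.REGTYPE, 0o644),
        ]:
            info = tarfile.TarInfo(name)
            info.type, info.mode = kind, mode
            tar.addfile(info)
    buf.seek(0)
    return buf

if __name__ == "__main__":
    # Piped use: undocker busybox.tar - | python3 audit_rootfs.py
    stream = sample_tar() if sys.stdin.isatty() else sys.stdin.buffer
    for path, finding in audit_rootfs(stream):
        print(f"{finding}: {path}")
```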

Contributions
-------------
I want this project to be useful for others, but not become a burden for me. If
undocker fails for you (for example, you found a container that undocker cannot
extract, or extracts incorrectly), **you** are on the hook to triage and fix
it.

Therefore, the following contributions are welcome:

- Pull requests (diffs) with accompanying tests.
- Documentation.

Issues without accompanying patches will most likely be rejected, with one
exception: reports about regressions do not have to contain patches, but a
failing commit is mandatory, and a failing test case is highly appreciated.

[1]: https://www.freedesktop.org/software/systemd/man/systemd.exec.html