convert docker images to rootfs
Go to file
Motiejus Jakštys 4408a9e005 rootfs: remove ./ prefix from filenames
I've seen a container (private one) whose filenames start with ./, but
the layer name does not have the prefix, causing undocker to fail.

Let's always normalize the names to not have the prefix.
2022-06-09 14:22:21 +03:00
rootfs rootfs: remove ./ prefix from filenames 2022-06-09 14:22:21 +03:00
.build.yml [ci] merge test and lint steps to one 2021-09-29 14:45:53 +03:00
.gitignore add WithFilePrefix 2021-08-29 16:55:32 +03:00
go.mod revert go.mod 2021-06-01 09:08:47 +03:00
LICENSE add license 2021-05-24 00:11:58 +03:00
main_test.go Revert "add WithFilePrefix" 2021-08-29 18:40:11 +03:00
main.go Revert "add WithFilePrefix" 2021-08-29 18:40:11 +03:00
Makefile remove unnecessary support for prebuilt binaries 2021-09-29 14:30:18 +03:00
README.md remove references to 'official' binaries 2021-09-27 19:08:04 +03:00
release remove unnecessary support for prebuilt binaries 2021-09-29 14:30:18 +03:00

godocs.io builds.sr.ht status

Undocker

Converts a Docker image (a bunch of layers) to a flattened "rootfs" tarball.

Why?

Docker images became a popular way to distribute applications with their dependencies; however, Docker is not the best runtime environment. At least not for everyone. May boring technology run our software.

Undocker bridges the gap between application images (in docker image format) and application isolation ("container") runtimes: once the docker image is extracted, it can be run with old-fashioned tools: lxc, systemd-nspawn, systemd, FreeBSD Jails, and many others.

Installation

Build it like this for the "current" platform:

$ make undocker

make -B will print the extra flags (-X <...>) for cross-compiling with other archs. It's all go build <...> in the back, and depends only on Go's compiler and stdlib.

Usage: convert docker image to rootfs

Download busybox docker image from docker hub and convert it to a rootfs:

$ skopeo copy docker://docker.io/busybox:latest docker-archive:busybox.tar
$ undocker busybox.tar - | tar -xv | sponge | head -10; echo '<...>'
bin/
bin/[
bin/[[
bin/acpid
bin/add-shell
bin/addgroup
bin/adduser
bin/adjtimex
bin/ar
bin/arch
<...>

Refer here for other ways to download Docker images. There are many.

On author's laptop converting a 1.1GB Docker image with 77 layers takes around 3 seconds and uses ~65MB of residential memory.

Usage example: systemd

systemd-run \
  --wait --pty --collect --service-type=exec \
  -p RootDirectory=$PWD \
  -p ProtectProc=invisible \
  -p PrivateUsers=true \
  -p DynamicUser=yes \
  -- busybox httpd -vfp 8080

Systemd protections like PrivateUsers, DynamicUser, ProtectProc and others are available, just like to any systemd unit.

Similar Projects

Changelog

v1.0

  • initial release: rootfs.Flatten and a simple command-line application.

Contributions

The following contributions may be accepted:

  • Patchsets, with accompanying tests.
  • Regression reports.

If you found a container that undocker cannot extract, or extracts incorrectly and you need this that work with undocker, do not submit an issue: submit a patchset.

Reports of regression reports must provide examples of "works before" and "does not work after". Issues without an accompanying patch will most likely be rejected.

Communication

Use ~motiejus/undocker@lists.sr.ht for questions or patches. Subscribe here.

LICENSE

MIT