undocker/README.md

3.2 KiB

godocs.io builds.sr.ht status

Undocker

Converts a Docker image (a bunch of layers) to a flattened "rootfs" tarball.

Why?

Docker images became a popular way to distribute applications with their dependencies; however, Docker is not the best runtime environment. At least not for everyone. May boring technology run our software.

Undocker bridges the gap between application images (in docker image format) and application isolation ("container") runtimes: once the docker image is extracted, it can be run with old-fashioned tools: lxc, systemd-nspawn, systemd, FreeBSD Jails, and many others.

Undocker has no dependencies outside Golang stdlib.

Installation

We recommend using officially released binaries. To build the project instead, run:

$ make undocker

The number of officially released binaries is quite limited. If you'd like me to expand a list, please contribute a patch to the Makefile.

Usage: convert docker image to rootfs

Download busybox docker image from docker hub and convert it to a rootfs:

$ skopeo copy docker://docker.io/busybox:latest docker-archive:busybox.tar
$ undocker busybox.tar - | tar -xv | sponge | head -10; echo '<...>'
bin/
bin/[
bin/[[
bin/acpid
bin/add-shell
bin/addgroup
bin/adduser
bin/adjtimex
bin/ar
bin/arch
<...>

Refer here for other ways to download Docker images. There are many.

On author's laptop converting a 1.1GB Docker image with 77 layers takes around 3 seconds and uses ~65MB of residential memory.

Usage example: systemd-nspawn

Start with systemd-nspawn:

systemd-nspawn -D $PWD busybox httpd -vfp 8080

Usage example: plain old systemd

systemd-run \
  --wait --pty --collect --service-type=exec \
  -p PrivateUsers=true \
  -p DynamicUser=yes \
  -p ProtectProc=invisible \
  -p RootDirectory=$PWD \
  -- busybox httpd -vfp 8080

Good things like PrivateUsers, DynamicUser, ProtectProc and other systemd protections are available, just like to any systemd unit.

Similar Projects

Changelog

v1.0

  • initial release: rootfs.Flatten and a simple command-line application.

Contributions

The following contributions may be accepted:

  • Pull requests (patchsets) with accompanying tests.
  • Regression reports.

If you found a container that undocker cannot extract, or extracts incorrectly and you need this that work with undocker, do not submit an issue: submit a patchset.

Reports of regression reports must provide examples of "works before" and "does not work after". Issues without an accompanying patch will most likely be rejected.

LICENSE

MIT