3.2 KiB
Undocker
Converts a Docker image (a bunch of layers) to a flattened "rootfs" tarball.
Why?
Docker images became a popular way to distribute applications with their dependencies; however, Docker is not the best runtime environment. At least not for everyone. May boring technology run our software.
Undocker bridges the gap between application images (in docker image format) and application isolation ("container") runtimes: once the docker image is extracted, it can be run with old-fashioned tools: lxc, systemd-nspawn, systemd, FreeBSD Jails, and many others.
Undocker has no dependencies outside Golang stdlib.
Installation
We recommend using officially released binaries. To build the project instead, run:
$ make undocker
The number of officially released binaries is quite limited. If you'd like me to expand a list, please contribute a patch to the Makefile.
Usage: convert docker image to rootfs
Download busybox
docker image from docker hub and convert it to a rootfs:
$ skopeo copy docker://docker.io/busybox:latest docker-archive:busybox.tar
$ undocker busybox.tar - | tar -xv | sponge | head -10; echo '<...>'
bin/
bin/[
bin/[[
bin/acpid
bin/add-shell
bin/addgroup
bin/adduser
bin/adjtimex
bin/ar
bin/arch
<...>
Refer here for other ways to download Docker images. There are many.
On author's laptop converting a 1.1GB Docker image with 77 layers takes around 3 seconds and uses ~65MB of residential memory.
Usage example: systemd-nspawn
Start with systemd-nspawn:
systemd-nspawn -D $PWD busybox httpd -vfp 8080
Usage example: plain old systemd
systemd-run \
--wait --pty --collect --service-type=exec \
-p PrivateUsers=true \
-p DynamicUser=yes \
-p ProtectProc=invisible \
-p RootDirectory=$PWD \
-- busybox httpd -vfp 8080
Good things like PrivateUsers
, DynamicUser
, ProtectProc
and other
systemd protections are available, just like to any systemd unit.
Similar Projects
Changelog
v1.0
- initial release:
rootfs.Flatten
and a simple command-line application.
Contributions
The following contributions may be accepted:
- Pull requests (patchsets) with accompanying tests.
- Regression reports.
If you found a container that undocker cannot extract, or extracts incorrectly and you need this that work with undocker, do not submit an issue: submit a patchset.
Reports of regression reports must provide examples of "works before" and "does not work after". Issues without an accompanying patch will most likely be rejected.
LICENSE
MIT