| internal/tartest | ||
| rootfs | ||
| BUILD | ||
| main_test.go | ||
| main.go | ||
| README.md | ||
| rules.bzl | ||
Undocker
Converts a Docker image (a bunch of layers) to a flattened "rootfs" tarball.
Why?
Docker images became a popular way to distribute applications with their dependencies. However, Docker itself is not the best runtime environment. At least not for everyone.
Undocker bridges the gap between application images (in docker image format) and container runtimes: now you can run a Docker image with old-fashioned tools: lxc, systemd-nspawn or systemd itself.
Usage -- extract docker image
Download nginx docker image from docker hub and convert it to a rootfs:
skopeo copy docker://docker.io/busybox:latest docker-archive:busybox.tar
undocker rootfs busybox.tar - | tar -xv
Almost the same can be done with a combination of docker pull and docker save.
Usage -- systemd-nspawn example
Start with systemd-nspawn:
systemd-nspawn -D $PWD busybox httpd -vfp 8080
Usage -- plain old systemd
systemd-run \
--wait --pty --collect --service-type=exec \
-p PrivateUsers=true \
-p DynamicUser=yes \
-p ProtectProc=invisible \
-p RootDirectory=$PWD \
-- busybox httpd -vfp 8080
Good things like PrivateUsers, DynamicUser, ProtectProc and other
systemd protections are available, just like to any systemd unit.
Notes & gotchas
unocker does not magically enable you to run containers from the internet. In
fact, many will need significant tuning or not work at all. Thus you will still
need to understand what are you running.
Contributions
I will accept pull request for code (including tests) and documentation. I am unlikely to react to issue reports without a patch.