Skip to content

A simple yet powerful tool to turn traditional container/OS images into unprivileged sandboxes.

License

Notifications You must be signed in to change notification settings

pedrosalgueiro/enroot

 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

ENROOT

A simple, yet powerful tool to turn traditional container/OS images into unprivileged sandboxes.

Enroot can be thought of as an enhanced unprivileged chroot(1). It uses the same underlying technologies as containers but removes much of the isolation they inherently provide while preserving filesystem separation.

This approach is generally preferred in high-performance environments or virtualized environments where portability and reproducibility is important, but extra isolation is not warranted.

Enroot is also similar to other tools like proot(1) or fakeroot(1) but instead relies on more recent features from the Linux kernel (i.e. user and mount namespaces), and provides facilities to import well known container image formats (e.g. Docker).

Usage example:

# Import and start an Ubuntu image from DockerHub
$ enroot import docker://ubuntu
$ enroot create ubuntu.sqsh
$ enroot start ubuntu

Key Concepts

  • Adheres to the KISS principle and Unix philosophy
  • Standalone (no daemon)
  • Fully unprivileged and multi-user capable (no setuid binary, cgroup inheritance, per-user configuration/container store...)
  • Easy to use (simple image format, scriptable, root remapping...)
  • Little to no isolation (no performance overhead, simplifies HPC deployements)
  • Entirely composable and extensible (system-wide and user-specific configurations)
  • Fast Docker image import (3x to 5x speedup on large images)
  • Built-in GPU support with libnvidia-container
  • Facilitate collaboration and development workflows (bundles, in-memory containers...)

Documentation

  1. Requirements
  2. Installation
  3. Image format
  4. Configuration
  5. Standard Hooks
  6. Usage

Copyright and License

This project is released under the Apache License 2.0.

Issues and Contributing

Reporting Security Issues

When reporting a security issue, do not create an issue or file a pull request.
Instead, disclose the issue responsibly by sending an email to psirt<at>nvidia.com.

About

A simple yet powerful tool to turn traditional container/OS images into unprivileged sandboxes.

Resources

License

Security policy

Stars

Watchers

Forks

Packages

No packages published

Languages

  • Shell 56.7%
  • C 39.8%
  • Makefile 3.5%