An experimental App Container Executor in C++

Nose Cone

Not actively worked on

Overview

Nose Cone is a C++ App Container implementation that uses the libappc App Container library.

Getting Started

Requires a working std::regex implementation (if using GCC, version 4.9 or later).

  1. Bootstrap it (download and build dependencies): ./bootstrap.sh
  2. Build Nose Cone (nscn): ./build.sh
  3. Run ./bin/nscn help

Example (run)

nscn run is not complete; however, it will already perform simple discovery, cache images locally, validate them, create a rootfs, and execute the app inside a new app container.

nosecone.net/example/test is an existing example app, so the following example should work (-stdout reads the app container's pty and writes it to stdout):

$ sudo ./bin/nscn run -stdout nosecone.net/example/test
Resolved: nosecone.net/example/test -> file:///tmp/nosecone/images/nosecone.net/example/test-1.0.0-linux-amd64.aci
Using: file:///tmp/nosecone/images/nosecone.net/example/test-1.0.0-linux-amd64.aci
Validated: test-1.0.0-linux-amd64.aci OK
Dependency: nosecone.net/example/test requires nosecone.net/example/tinycentos7
Resolved: nosecone.net/example/tinycentos7 -> file:///tmp/nosecone/images/nosecone.net/example/tinycentos7-1.0.0-linux-amd64.aci
Using: file:///tmp/nosecone/images/nosecone.net/example/tinycentos7-1.0.0-linux-amd64.aci
Validated: tinycentos7-1.0.0-linux-amd64.aci OK
Container ID: 08f2d475-cf46-4398-a820-ddcd9e59ba0e
Created root file system: /tmp/nosecone/containers/08f2d475-cf46-4398-a820-ddcd9e59ba0e/rootfs
Container started, PID: 9238
--- 8< ---
Hello World!
---
1706857    4 drwxrwxr-x   9 0        0            4096 Feb 17 18:59 /
      1    0 dr-xr-xr-x  13 0        0               0 Nov  2 01:31 /sys
1706862    4 drwxrwxr-x   2 0        0            4096 Feb 13 21:34 /lib64
2383636    0 drwxr-xr-x   3 0        0             120 Feb 17 18:59 /dev
1706858    4 drwxrwxr-x   6 0        0            4096 Feb 17 18:59 /usr
1706921    4 drwxrwxr-x   2 0        0            4096 Feb 16 23:50 /etc
      1    0 dr-xr-xr-x 107 0        0               0 Feb 17 18:59 /proc
1706934    0 -rw-r--r--   1 500      500             0 Feb 17 18:59 /hello_world
1706922    4 drwxrwxr-x   2 0        0            4096 Feb 13 06:52 /bin
---
uid=500 gid=500 groups=0
---
TERM=xterm-256color
SHELL=/bin/bash
WE_ARE_TESTING=true
USER=500
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
PWD=/
SHLVL=1
HOME=/
LOGNAME=500
_=/usr/bin/env
---
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
500          1  0.0  0.1   9512  2576 pts/3    Ss+  18:59   0:00 /bin/bash /usr/local/bin/test
500         16  0.0  0.0  17648   636 pts/3    R+   18:59   0:00 /bin/ps axufw


$ ./bin/nscn list
Container ID                           Created Date            PID     Has PTY Status
02bf6bf2-a624-43ec-b30a-1f41f4c8ead3   2015-02-20T06:58:07.0Z    18036    true EXITED
40c1c0ea-9c71-43fd-bb29-2f3304c8a18e   2015-02-20T08:09:18.0Z    19097    true RUNNING
d7ed46a5-ed02-45e0-92bf-634793a3949c   2015-02-20T08:48:36.0Z    20101    true RUNNING
58e4ae04-073b-4b8b-95fe-08ac1b19f10b   2015-02-20T08:35:09.0Z    19738    true RUNNING

Status

Very early, experimental development. Based on the appc specification at roughly version 0.2.0 (this will converge).

Commands implemented (meaning the command exists at all, not that it is finished):

  • enter - Enter a running app container.
  • fetch - Fetches an image and stores it locally.
  • gc - Expunge spent app containers.
  • list - List app containers.
  • run - Fetch and execute an app container.
  • status - Display the status of an app container.
  • validate - Validate an app container image.

Executor implementation status (list not complete):

  • run
    • Fetch image using simple discovery.
    • Fetch image using meta discovery on fall-back.
    • Verify signature of images.
    • Cache image locally.
    • Inspect image for dependencies and fetch them.
    • Overlay images' rootfs onto app container root file system.
    • Create pseudo-terminal.
    • Create new mount, IPC, PID, and UTS namespace.
    • Create new network namespace.
    • Create /proc
    • Create /proc/sys
    • Create /dev as tmpfs
    • Create /dev/pts
    • Create /tmp tmpfs
    • Create common / needed device nodes.
    • Set seccomp
    • Bind mount RW volumes.
    • Bind mount RO volumes.
    • Drop capabilities.
    • Configure CGroups.
    • Set locale?
    • Set timezone?
    • Set resolv.conf
    • Set hostname (but needs plumbing)
    • Set up network
    • Set umask
    • Set UID/GID
    • Set environment (defaults + manifest only)
    • Execute pre-start hook.
    • Execute app.
    • Execute post-stop hook.
  • meta-data service
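To make the run steps above concrete, here is a minimal C++ illustration of the core of an executor's run path: clone into new mount, IPC, PID and UTS namespaces (network optional), mount /proc and a tmpfs /dev inside a pre-built rootfs, set the hostname, drop to the manifest UID/GID, build the environment from executor defaults plus the manifest, and exec the app. This is an added example, not Nose Cone's own code; the RunOptions structure, the default PATH/HOME values, the hostname and the uid/gid 500 are assumptions chosen to match the sample output earlier in this README.

```cpp
// Added example (not Nose Cone's code): a minimal app-container "run" step.
#ifndef _GNU_SOURCE
#define _GNU_SOURCE 1
#endif
#include <grp.h>
#include <sched.h>
#include <sys/mount.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>
#include <csignal>
#include <cstdio>
#include <cstdlib>
#include <map>
#include <string>
#include <vector>

// Assumed option bundle; Nose Cone's real structures differ.
struct RunOptions {
    std::string rootfs;      // directory holding the already-overlaid root file system
    std::string hostname;    // hostname to set inside the new UTS namespace
    uid_t uid; gid_t gid;    // identity to drop to before exec
    bool new_network;        // whether to also create a network namespace
    std::map<std::string, std::string> manifest_env;  // "environment" from the image manifest
    std::vector<std::string> exec;                    // argv of the app
};

// Namespace flags for clone(2): mount, IPC, PID and UTS always; network optional.
int clone_flags(bool new_network) {
    int flags = CLONE_NEWNS | CLONE_NEWIPC | CLONE_NEWPID | CLONE_NEWUTS;
    if (new_network) flags |= CLONE_NEWNET;
    return flags;
}

// Environment = executor defaults + manifest entries (manifest wins on conflict).
// Nothing from the host environment is inherited: the child only gets this list.
std::vector<std::string> build_env(const std::map<std::string, std::string>& manifest_env) {
    std::map<std::string, std::string> env = {
        {"PATH", "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"},  // assumed default
        {"HOME", "/"},                                                              // assumed default
    };
    for (const auto& kv : manifest_env) env[kv.first] = kv.second;
    std::vector<std::string> out;
    for (const auto& kv : env) out.push_back(kv.first + "=" + kv.second);
    return out;  // sorted by key because std::map is ordered
}

static void die(const char* what) { perror(what); _exit(127); }

// Runs inside the cloned child: prepare the rootfs, drop privileges, exec the app.
static int child_main(void* arg) {
    const RunOptions& o = *static_cast<const RunOptions*>(arg);
    // Make every mount private so nothing below propagates back to the host.
    if (mount(nullptr, "/", nullptr, MS_REC | MS_PRIVATE, nullptr) != 0) die("mount private");
    const std::string proc = o.rootfs + "/proc", dev = o.rootfs + "/dev";
    mkdir(proc.c_str(), 0555); mkdir(dev.c_str(), 0755);
    if (mount("proc", proc.c_str(), "proc", MS_NOSUID | MS_NOEXEC | MS_NODEV, nullptr) != 0) die("mount proc");
    if (mount("tmpfs", dev.c_str(), "tmpfs", MS_NOSUID | MS_STRICTATIME, "mode=755") != 0) die("mount dev");
    if (sethostname(o.hostname.c_str(), o.hostname.size()) != 0) die("sethostname");
    if (chroot(o.rootfs.c_str()) != 0 || chdir("/") != 0) die("chroot");
    // Order matters: supplementary groups and gid first, uid last.
    if (setgroups(0, nullptr) != 0 || setgid(o.gid) != 0 || setuid(o.uid) != 0) die("drop privileges");
    std::vector<std::string> env = build_env(o.manifest_env);
    std::vector<std::string> args = o.exec;
    std::vector<char*> envp, argv;
    for (auto& e : env) envp.push_back(&e[0]);
    envp.push_back(nullptr);
    for (auto& a : args) argv.push_back(&a[0]);
    argv.push_back(nullptr);
    execve(argv[0], argv.data(), envp.data());
    die("execve");
    return 127;
}

// Parent side: clone into the new namespaces and wait for the app to exit.
int run_container(const RunOptions& o) {
    static char stack[1 << 16];
    pid_t pid = clone(child_main, stack + sizeof(stack), clone_flags(o.new_network) | SIGCHLD,
                      const_cast<RunOptions*>(&o));
    if (pid < 0) { perror("clone"); return -1; }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) { perror("waitpid"); return -1; }
    return WIFEXITED(status) ? WEXITSTATUS(status) : 128 + WTERMSIG(status);
}

int main(int argc, char** argv) {
    if (argc < 3) { fprintf(stderr, "usage: %s <rootfs> <cmd> [args...]\n", argv[0]); return 2; }
    RunOptions o;
    o.rootfs = argv[1]; o.hostname = "nosecone-example"; o.uid = 500; o.gid = 500; o.new_network = true;
    o.manifest_env = {{"WE_ARE_TESTING", "true"}};   // constructed, mirrors the sample output above
    for (int i = 2; i < argc; ++i) o.exec.push_back(argv[i]);
    return run_container(o);  // needs root (CAP_SYS_ADMIN) on the host, like sudo ./bin/nscn run
}
```

Run it as root against any extracted rootfs, e.g. `sudo ./run_example /tmp/nosecone/containers/<id>/rootfs /bin/sh`. Two of the checklist items above are deliberately missing here and matter for isolation: the example uses chroot rather than pivot_root, which is weaker against a process that retains CAP_SYS_CHROOT, and it sets no seccomp filter and drops no capabilities beyond what setuid implies. Both belong between the chroot and the exec in a real executor.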

License

Nose Cone is licensed under the Apache License, Version 2.0.