Bento is a container implementation written in Rust.
It supports the following features:
- New root filesystem via
pivot_rootandumount2 - New cgroup, IPC, network, mount, PID, UTS, and user (if supported) namespaces
- Settable UID/GID within container, with allowed UIDs from
/etc/subuidand GIDs from/etc/subgid - cgroup v2 restrictions on memory, PIDs, and CPU shares
- rlimit restriction on file descriptors
- Capabilities dropped to control privileges
- Seccomp BPF filter to restrict syscalls
It also uses the lddtree crate to automatically find the necessary .so files needed to run a given command by parsing its ELF header.
TODO
- Fix networking inside the container
- Linux containers in 500 lines of code by Lizzie Dixon
- Writing a container in Rust by Litchi Pi
- Namespaces in operation by Michael Kerrisk
- Digging into Linux namespaces part 1 and part 2 by Mihail Kirov