「 须臾水面明月出,沧江万顷瑠璃寒 」
* Your warranty is void.
* I am not responsible for anything that may happen to your device by using this program.
* You do it at your own risk and take the responsibility upon yourself.
* This program has no Super Cow Powers.
“Bugs will happen, if they don’t happen in hardware, they will happen in software and if they don’t happen in your software they will happen in somebody else’s software.”
--Torvalds
If you think something does not work as expected, please open a new issue.
ruri is pronounced as luli, or you can call it 瑠璃 in Chinese or Japanese as well.
ruri is the romaji acronym of Lightweight, User-friendly Linux-container Implementation. It's designed to provide better security for Linux containers on devices that do not support docker.
- Simple: The basic usage is very simple; you can use it just like the command chroot.
- Secure: It uses libcap and libseccomp for security, and most devices in /dev will never be reached in containers by default.
- Run Everywhere: Build ruri with make static and it will be compiled as a small binary file (~1M) that can be run anywhere without dependent libraries.
git clone https://github.com/Moe-hacker/ruri
cd ruri
sudo make install
See make help.
See ruri -h.
git clone https://github.com/Moe-hacker/rootfstool
cd rootfstool
./rootfstool download -d alpine -v edge
mkdir /tmp/alpine
sudo tar -xvf rootfs.tar.xz -C /tmp/alpine
sudo ruri /tmp/alpine
For unshare container:
sudo ruri -u /tmp/alpine
Very simple, as you can see.
For command line examples, please see ruri -H.
The command tty in ruri might say "not a tty". If you need to run a program like gpg, please use script -q -O /dev/null in the container.
ruri will create /dev/, /sys/ and /proc/ after chroot(2) into the container for better security. You can use the -S option to force it to bind-mount the system runtime dirs instead.
Running a container of another architecture through qemu needs CONFIG_BINFMT_MISC enabled in your kernel config.
You need to copy qemu-*-static into your container first.
The path of qemu is the absolute path of the qemu binary inside the chroot container; for example, if you have a qemu binary at /path/to/container/qemu-amd64-static, use the arguments -a x86_64 -q /qemu-amd64-static to start the container.
The user namespace function requires user namespaces enabled in your kernel config.
It is a nearly useless function: ruri creates a new user namespace and runs chroot(2) in it, but without any real privileges it cannot even mount /proc, /dev and /sys.
Adding CAP_SYS_ADMIN does not fix any of this, so just do not use this function.
The seccomp rule of ruri is based on Docker's default seccomp profile. ruri does not provide a way to change it, but you can edit src/seccomp.c and replace setup_seccomp() with your own config.
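To show what such a replacement for setup_seccomp() has to do, here is an added example (not ruri's own code, and not Docker's profile, which is an allowlist rather than this denylist): a raw classic-BPF seccomp program, built without libseccomp, that kills on ABI mismatch, returns EPERM for a small set of host-affecting syscalls, and allows everything else. The syscall list and the helper names are this example's assumptions.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#if defined(__x86_64__)
#define FILTER_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define FILTER_ARCH AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* constant for this architecture"
#endif
/* Fill f (room for ndeny + 6 entries) with a seccomp program: kill on ABI mismatch,
 * -EPERM for every syscall number in deny[], allow the rest. Returns its length. */
size_t build_deny_filter(struct sock_filter *f, const int *deny, size_t ndeny) {
	size_t n = 0;
	/* Check the ABI first: numbers differ per ABI, so a 32-bit call could otherwise slip past. */
	f[n++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch));
	f[n++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, FILTER_ARCH, 1, 0);
	f[n++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS);
	f[n++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr));
	/* A match jumps over the remaining comparisons and the ALLOW to the EPERM return. */
	for (size_t i = 0; i < ndeny; i++)
		f[n++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (uint32_t)deny[i], (uint8_t)(ndeny - i), 0);
	f[n++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
	f[n++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA));
	return n;
}
/* Install the filter in the calling process; it is inherited across fork/exec. NO_NEW_PRIVS is
 * required for an unprivileged caller and also keeps setuid binaries from gaining privileges. */
int install_deny_filter(const int *deny, size_t ndeny) {
	struct sock_filter f[64];
	if (ndeny + 6 > sizeof f / sizeof f[0]) { errno = E2BIG; return -1; }
	struct sock_fprog prog = { .len = (unsigned short)build_deny_filter(f, deny, ndeny), .filter = f };
	if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
	return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);  /* 0 on success, -1 with errno */
}
/* Assumed denylist for this example: host-affecting syscalls a container process never needs. */
int install_container_filter(void) {
	static const int deny[] = { SYS_mount, SYS_umount2, SYS_ptrace, SYS_kexec_load,
				    SYS_reboot, SYS_swapon, SYS_swapoff, SYS_init_module };
	return install_deny_filter(deny, sizeof deny / sizeof deny[0]);
}
```

A real replacement would install this right before the final execve into the container, after the capability drop, so the filter covers every process started inside.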
License of code:
- Licensed under the MIT License
- Copyright (c) 2022-2024 Moe-hacker
License of clang-format config file:
- GPL-2.0
「 咲誇る花 美しく、
散り行く運命 知りながら、
僅かな時の彩を 」
(>_×)