stage1: idea of using pure golang unprivileged containers (unc) as execution engine · rkt/rkt#1318

2015-08-21T09:37:23.000Z

just an idea (similar to #1030), we can base on [unc](https://github.com/LK4D4/unc), with great technical explanation in [this](http://lk4d4.darth.io/posts/unpriv1/) blog series pros: - unprivileged (non root required) - pure golang (no c/systemd [nspawn](https://github.com/systemd/systemd/blob/master/src/nspawn/nspawn.c) depedency) - easier to maintain - [existing](https://github.com/LK4D4/unc) implementation (support all namespaces, even network support) cons: - requires go 1.5 - re-implementation systemd machined integration - cgroups missing - capabilities managment missing - overlay/union fs missing

(0 留言) (0 反應) (0 負責人)Go (8,871 star) (865 fork)batch import

component/stage1help wantedkind/enhancementpriority/Pmaybe

描述

just an idea (similar to #1030), we can base on unc, with great technical explanation in this blog series

pros:

unprivileged (non root required)
pure golang (no c/systemd nspawn depedency)
easier to maintain
existing implementation (support all namespaces, even network support)

cons:

requires go 1.5
re-implementation systemd machined integration
cgroups missing
capabilities managment missing
overlay/union fs missing

貢獻者指南

技術棧: go
領域: infrastructure
議題類型: research
難度: 5
預計時間: over 1 week
活動狀態: stale
清晰度: mostly clear
前置要求: Go programmingLinux containersLinux namespacescgroups
新手友善度: 10
研究方向: Explore the unc library (github.com/LK4D4/unc) and its blog series to understand the current unprivileged container implementation. Assess the feasibility of integrating unc as a stage1 executor in rkt by comparing its capabilities (namespaces, network) against rkt's requirements, and identify what needs to be added (cgroups, capabilities, overlay/union fs). The existing unc implementation is a starting point, but lacks features like cgroups and capabilities management that would need to be implemented.