[Lxc-users] Introducing "dive" project

vi0oss vi0oss at gmail.com
Fri Mar 15 18:59:00 UTC 2013


When playing with unshare and LXC, I found that it is easy to start one 
program in a detached namespace, but starting more programs in the same 
namespace is not that easy. As far as I know, usually a heavyweight 
approach with a virtual network and SSH is used, and programs are started 
inside containers as on a remote host; while I wanted just something 
like:

unshare -n one_program
unshare -n --network-namespace-of `pidof one_program` other_program

This is not available, so I implemented dived and dive: you start 
"dived" inside a container and use "dive" that connects to the UNIX 
socket from outside (the socket should be on some filesystem shared 
between container and host) to start your program inside, like "diving" 
into the namespace. This is especially useful when you don't want to run 
a fully-fledged system with networking, daemons, etc., but want to 
introduce only some aspects of containers.

Now it supports various options for starting programs (changing 
user/group, capabilities/securebits, chrooting, starting external 
program for authentication), you can control what should be preserved 
(argv, environment, FDs, root directory).

It can also work as a simple sudo, chroot, unshare, daemon, capsh. The 
goal is "to start programs in various ways, like 'socat' uses sockets 
in various ways". There is a less featureful (less bloated) version in 
the "nocreep" branch.

Usage examples and downloads: http://vi.github.com/dive/
Github: https://github.com/vi/dive

There are source and binary deb packages available.

Do you find the project useful? Are there any suggestions?
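The dived/dive idea described above (a daemon inside the namespace that runs programs on a client's own file descriptors, reached through a UNIX socket on a shared filesystem), as an added example that is not code from the dive project: a minimal Linux-only Python version. It assumes Python 3.9+ (socket.send_fds/recv_fds), Linux SO_PEERCRED for checking the peer's uid, and a wire format made up for this example.

```python
import os
import socket
import struct

# Added example, not the dive project's code. Constructed wire format: the client
# sends its argv as one NUL-separated message with stdin/stdout/stderr attached
# as SCM_RIGHTS fds; the server replies with the child's exit code as a 4-byte int.


def make_server(sock_path):
    """Bind the control socket inside the container. The socket file's mode is
    the first access control: whoever can connect runs code in dived's namespaces."""
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(sock_path)
    os.chmod(sock_path, 0o600)
    srv.listen(1)
    return srv


def serve_one(srv, allowed_uid):
    """Accept one client, verify its uid via SO_PEERCRED (Linux), then run its
    command on the fds it sent. Returns the exit code, or -1 if rejected."""
    conn, _ = srv.accept()
    with conn:
        cred = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, 12)
        _pid, uid, _gid = struct.unpack("3i", cred)  # struct ucred
        if uid != allowed_uid:
            return -1
        msg, fds, _, _ = socket.recv_fds(conn, 4096, 3)
        argv = msg.decode().split("\0")
        child = os.fork()
        if child == 0:  # child: adopt the client's pipes/terminal, then exec
            for i, fd in enumerate(fds):
                os.dup2(fd, i)
            os.execvp(argv[0], argv)
        for fd in fds:  # parent keeps no copies of the client's descriptors
            os.close(fd)
        _, status = os.waitpid(child, 0)
        code = os.waitstatus_to_exitcode(status)
        conn.sendall(struct.pack("i", code))
        return code


def dive(sock_path, argv, fds=(0, 1, 2)):
    """Client side: hand argv plus our own stdio to dived, wait for the exit code."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as cli:
        cli.connect(sock_path)
        socket.send_fds(cli, [b"\0".join(a.encode() for a in argv)], list(fds))
        reply = cli.recv(4)
        return struct.unpack("i", reply)[0] if len(reply) == 4 else None
```

Run `make_server` plus `serve_one` in the namespace (e.g. under `unshare -n`) and `dive` from outside with the socket path on the shared filesystem; the child inherits the server's namespaces but writes to the client's descriptors.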
