[Lxc-users] Introducing "dive" project
vi0oss
vi0oss at gmail.com
Fri Mar 15 18:59:00 UTC 2013
When playing with unshare and LXC, I found that it is easy to start one
program in a detached namespace, but starting more programs in the same
namespace is not that easy. As far as I know, a heavyweight approach
with a virtual network and SSH is usually used, and programs are started
inside containers as on a remote host, while I just wanted something
like:

    unshare -n one_program
    unshare -n --network-namespace-of `pidof one_program` other_program

This is not available, so I implemented dived and dive: you start
"dived" inside a container and use "dive" that connects to the UNIX
socket from outside (the socket should be on some filesystem shared
between container and host) to start your program inside, like "diving"
into the namespace. This is especially useful when you don't want to run
a fully-fledged system with networking, daemons, etc., but want to
introduce only some aspects of containers.
Now it supports various options for starting programs (changing
user/group, capabilities/securebits, chrooting, starting an external
program for authentication), and you can control what should be
preserved (argv, environment, FDs, root directory).
It can also work as a simple sudo, chroot, unshare, daemon, or capsh. The
goal is "to start programs in various ways, like 'socat' using sockets
in various ways". There is a less featureful (less bloated) version in
the "nocreep" branch.
Usage examples and downloads: http://vi.github.com/dive/
GitHub: https://github.com/vi/dive
There are source and binary deb packages available.
Do you find the project useful? Are there any suggestions?
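
The design described in the message above puts a UNIX socket on a filesystem shared between host and container, so whoever can connect to that socket can ask for a program to be started inside. The following is an added example, not code from dive or from the original post: it sketches the access decision such a daemon can make from the kernel-reported peer credentials (Linux SO_PEERCRED) before running anything. The socket name, the request format and the UID allowlist are assumptions made for illustration.

```python
import os
import socket
import struct
import tempfile

UCRED = "iII"  # struct ucred on Linux: pid_t pid, uid_t uid, gid_t gid


def peer_credentials(conn):
    """Return (pid, uid, gid) of the connecting process as recorded by the kernel."""
    raw = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED,
                          struct.calcsize(UCRED))
    return struct.unpack(UCRED, raw)


def serve_one(listener, allowed_uids):
    """Accept one connection and decide whether its request may be executed."""
    conn, _ = listener.accept()
    with conn:
        _pid, uid, _gid = peer_credentials(conn)
        request = conn.recv(4096).decode()
        if uid not in allowed_uids:
            conn.sendall(b"DENY\n")
            return ("deny", uid, request)
        # A real daemon would fork and exec the requested program here.
        conn.sendall(b"OK\n")
        return ("allow", uid, request)


def demo(allowed_uids):
    """Constructed demo: daemon and client in one process, returns verdict and reply."""
    with tempfile.TemporaryDirectory() as d:      # directory is created mode 0700
        path = os.path.join(d, "dived.sock")      # hypothetical socket name
        with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as listener:
            listener.bind(path)
            os.chmod(path, 0o600)                 # connecting needs write permission
            listener.listen(1)
            with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as client:
                client.connect(path)              # queued until accept()
                client.sendall(b"/bin/true")      # constructed request
                verdict = serve_one(listener, allowed_uids)
                reply = client.recv(16)
        return verdict, reply


if __name__ == "__main__":
    print(demo({os.getuid()}))
```

The file mode on the socket and the peer-UID check are independent layers: the first limits who can connect at all, the second lets the daemon apply a per-user policy to connections that do arrive.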