canister 🛢️ iqlusion

Deployment tool for "Dockerless" microcontainers based on [systemd-nspawn], with a focus on security, simplicity, and low-overhead. Written in Rust.

What is canister?

This tool is designed for deploying applications released as self-contained binaries that are either statically linked or dynamically linked with minimal dependencies (e.g. ld-linux, libc, libpthread). This makes it ideally suited for applications developed in languages like Go and Rust, as these languages' toolchains and ecosystems make it easy to produce statically linked binaries (e.g. Go is statically linked by default, and Rust is simple to link with [musl] for release artifacts).
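
Because the tool assumes self-contained binaries, a deployment pipeline should be able to confirm that an artifact actually is one before it is copied into a container root. The following is an added example, not code from canister or iqlusion: it parses the ELF64 program headers of a binary and reports whether it is statically linked or carries a dynamic loader (PT_INTERP, e.g. ld-linux) and/or a PT_DYNAMIC segment. The `sample_elf` builder and the `classify_elf`/`Linkage` names are assumptions for this example; `sample_elf` constructs a minimal ELF image in memory so the check can be exercised without shipping a real binary. Little-endian ELF64 (x86_64/aarch64 Linux) is assumed.

```rust
// Added example (not part of canister): classify an ELF64 binary as
// statically or dynamically linked by walking its program headers.
// Assumes little-endian ELF64; offsets follow the ELF specification.
use std::fs;

const PT_DYNAMIC: u32 = 2;
const PT_INTERP: u32 = 3;

#[derive(Debug, PartialEq)]
pub enum Linkage {
    /// Neither PT_INTERP nor PT_DYNAMIC: fully self-contained.
    Static,
    /// Needs a loader (e.g. ld-linux) and/or has a dynamic section.
    Dynamic { interpreter: Option<String> },
}

fn u16_at(b: &[u8], off: usize) -> Option<u16> {
    b.get(off..off + 2).map(|s| u16::from_le_bytes([s[0], s[1]]))
}
fn u32_at(b: &[u8], off: usize) -> Option<u32> {
    b.get(off..off + 4).map(|s| u32::from_le_bytes([s[0], s[1], s[2], s[3]]))
}
fn u64_at(b: &[u8], off: usize) -> Option<u64> {
    let s = b.get(off..off + 8)?;
    let mut a = [0u8; 8];
    a.copy_from_slice(s);
    Some(u64::from_le_bytes(a))
}

/// Inspect raw file bytes. Errors on anything that is not a little-endian
/// ELF64 image or whose program headers point outside the file.
pub fn classify_elf(bytes: &[u8]) -> Result<Linkage, String> {
    if bytes.len() < 64 || &bytes[0..4] != b"\x7fELF" {
        return Err("not an ELF file".into());
    }
    if bytes[4] != 2 { return Err("only ELF64 is supported".into()); }
    if bytes[5] != 1 { return Err("only little-endian ELF is supported".into()); }
    let phoff = u64_at(bytes, 0x20).ok_or("truncated header")? as usize;     // e_phoff
    let phentsize = u16_at(bytes, 0x36).ok_or("truncated header")? as usize; // e_phentsize
    let phnum = u16_at(bytes, 0x38).ok_or("truncated header")? as usize;     // e_phnum
    if phentsize < 56 { return Err("program header entry too small".into()); }

    let mut interpreter = None;
    let mut has_dynamic = false;
    for i in 0..phnum {
        let ph = phoff + i * phentsize;
        match u32_at(bytes, ph).ok_or("program header out of bounds")? {
            PT_DYNAMIC => has_dynamic = true,
            PT_INTERP => {
                let off = u64_at(bytes, ph + 8).ok_or("bad PT_INTERP")? as usize;   // p_offset
                let size = u64_at(bytes, ph + 32).ok_or("bad PT_INTERP")? as usize; // p_filesz
                let raw = bytes.get(off..off + size).ok_or("PT_INTERP out of bounds")?;
                let end = raw.iter().position(|&c| c == 0).unwrap_or(raw.len()); // NUL-terminated
                interpreter = Some(String::from_utf8_lossy(&raw[..end]).into_owned());
            }
            _ => {}
        }
    }
    if interpreter.is_none() && !has_dynamic { Ok(Linkage::Static) }
    else { Ok(Linkage::Dynamic { interpreter }) }
}

/// Constructed sample (not a runnable executable): an ELF64 header followed by
/// the requested program headers and, for PT_INTERP, the loader path.
pub fn sample_elf(interpreter: Option<&str>, dynamic: bool) -> Vec<u8> {
    let nph = interpreter.is_some() as usize + dynamic as usize;
    let data_start = 64 + 56 * nph;
    let mut phdrs: Vec<[u8; 56]> = Vec::new();
    let mut tail: Vec<u8> = Vec::new();
    if let Some(path) = interpreter {
        let mut ph = [0u8; 56];
        ph[0..4].copy_from_slice(&PT_INTERP.to_le_bytes());
        ph[8..16].copy_from_slice(&(data_start as u64).to_le_bytes());
        ph[32..40].copy_from_slice(&((path.len() + 1) as u64).to_le_bytes());
        phdrs.push(ph);
        tail.extend_from_slice(path.as_bytes());
        tail.push(0);
    }
    if dynamic {
        let mut ph = [0u8; 56];
        ph[0..4].copy_from_slice(&PT_DYNAMIC.to_le_bytes());
        phdrs.push(ph);
    }
    let mut out = vec![0u8; 64];
    out[0..4].copy_from_slice(b"\x7fELF");
    out[4] = 2; // ELFCLASS64
    out[5] = 1; // ELFDATA2LSB
    out[0x20..0x28].copy_from_slice(&64u64.to_le_bytes());          // e_phoff
    out[0x36..0x38].copy_from_slice(&56u16.to_le_bytes());          // e_phentsize
    out[0x38..0x3a].copy_from_slice(&(nph as u16).to_le_bytes());   // e_phnum
    for ph in &phdrs { out.extend_from_slice(ph); }
    out.extend_from_slice(&tail);
    out
}

fn main() {
    let path = std::env::args().nth(1).expect("usage: elfcheck <binary>");
    let bytes = fs::read(&path).expect("read binary");
    match classify_elf(&bytes) {
        Ok(Linkage::Static) => println!("{path}: statically linked"),
        Ok(Linkage::Dynamic { interpreter }) => println!(
            "{path}: dynamically linked (interpreter {interpreter:?}); the loader and its libraries must exist inside the container root"),
        Err(e) => println!("{path}: {e}"),
    }
}
```

A `Dynamic` result with an interpreter such as `/lib64/ld-linux-x86-64.so.2` means the binary is only deployable if that loader and the libraries it resolves are present in the container root; a `Static` result needs nothing beyond the binary itself.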

It aims to provide an out-of-the-box secure systemd-nspawn deployment tool with support for RedHat-derived Linux distros (namely [CentOS]) as well as for [SELinux], and in the process hopefully address concerns about systemd-nspawn's security and production-readiness. It may work on other Linux distros but is developed and tested on CentOS.

Supported release artifact formats are tarballs and [Docker scratch]-based images (i.e. single-layer only) containing the compiled binaries, as fetched from a Docker registry (in the form of a tarball). Our (as in [@iqlusioninc]'s) internal use of this tool is primarily with a Docker scratch-based workflow using a Docker-based build system (namely [GCP Cloud Build]).

License

Copyright © 2018 iqlusion

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

https://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.