#runtime #sandbox #container #embeddable #experimental #nest

yanked bandsocks-runtime

Experimental embeddable container sandbox (not working yet)

0.1.0 Oct 6, 2020

Apache-2.0 OR MIT


πŸ…±οΈπŸ§¦ bandsocks

it's a sandbox!

it's a container runtime!

it's designed to nest inside unprivileged docker containers!

it's highly experimental and doesn't actually work yet!

🎢 🎹🧦 🎸🧦 🎸🧦 🎷🧦 🎺🧦 πŸ₯πŸ§¦ 🎢

Docs Crates.io Build Status

Takes inspiration from User Mode Linux, gvisor, and podman. The goal is to add an extra level of isolation to compute workloads we run as non-root within containers which are already somewhat locked down. This means that most high-powered kernel features like KVM and even user namespaces are off the table. The approach this project uses is based on seccomp to restrict system calls, and an emulated filesystem.

The intended API for this package is fairly high-level:

  • download/unpack docker images into an emulated filesystem
  • attach streams to emulated files for I/O
  • run commands in the container

Non-goals include storage and networking. Networking will be fully disabled, and the virtual filesystem will be mostly in an immutable ramdisk made from images downloaded through a regsitry. Complete syscall support is also not a priority, as long as it can run computational workloads like media codecs.


~392K SLoC