it's a sandbox!
it's a container runtime!
it's designed to nest inside unprivileged docker containers!
it's highly experimental and doesn't actually work yet!
🎶 🎹🧦 🎸🧦 🎸🧦 🎷🧦 🎺🧦 🥁🧦 🎶
Takes inspiration from User Mode Linux, gvisor, and podman. The goal is to add an extra level of isolation to compute workloads we run as non-root within containers which are already somewhat locked down. This means that most high-powered kernel features like KVM and even user namespaces are off the table. The approach this project uses is based on seccomp to restrict system calls, and an emulated filesystem.
The intended API for this package is fairly high-level:
- download/unpack docker images into an emulated filesystem
- attach streams to emulated files for I/O
- run commands in the container
Non-goals include storage and networking. Networking will be fully disabled, and the virtual filesystem will be mostly in an immutable ramdisk made from images downloaded through a regsitry. Complete syscall support is also not a priority, as long as it can run computational workloads like media codecs.