Latest commit 1e80711 Oct 17, 2019
ENROOT

A simple, yet powerful tool to turn traditional container/OS images into unprivileged sandboxes.

Enroot can be thought of as an enhanced unprivileged chroot(1). It uses the same underlying technologies as containers but removes much of the isolation they inherently provide while preserving filesystem separation.

This approach is generally preferred in high-performance or virtualized environments where portability and reproducibility are important, but extra isolation is not warranted.

Enroot is also similar to other tools like proot(1) or fakeroot(1) but instead relies on more recent features from the Linux kernel (i.e. user and mount namespaces), and provides facilities to import well known container image formats (e.g. Docker).
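To make the "unprivileged" and "root remapping" points concrete, the following is an added stand-alone C sketch of the kernel mechanism the README refers to (user plus mount namespaces with a uid/gid map); it is not enroot's code, and it assumes a Linux host that permits unprivileged user namespaces.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/mount.h>
#include <unistd.h>
/* Build the single-line "<inside> <outside> 1" map that an unprivileged process
 * may write: its own host id becomes `inside` in the namespace (0 = "root remapping"). */
int format_id_map(char *buf, size_t len, unsigned inside, unsigned outside)
{
    int n = snprintf(buf, len, "%u %u 1\n", inside, outside);
    return (n > 0 && (size_t)n < len) ? n : -1;
}
/* Write a whole string to a /proc/self/* control file; 0 on success. */
static int write_proc(const char *path, const char *data)
{
    int fd = open(path, O_WRONLY);
    if (fd < 0) return -1;
    ssize_t w = write(fd, data, strlen(data));
    close(fd);
    return w == (ssize_t)strlen(data) ? 0 : -1;
}
/* Enter fresh user + mount namespaces with no privilege, then map the caller's
 * uid/gid to `inside`. Returns 0, or -1 with errno set (EPERM/EINVAL when the
 * kernel disallows unprivileged user namespaces, as some hardened hosts do). */
int enter_unprivileged_sandbox(unsigned inside)
{
    unsigned uid = geteuid(), gid = getegid(); /* read before unshare; afterwards they read as nobody */
    char map[64];
    if (unshare(CLONE_NEWUSER | CLONE_NEWNS) < 0) return -1;
    format_id_map(map, sizeof map, inside, uid);
    if (write_proc("/proc/self/uid_map", map) < 0) return -1;
    /* setgroups must be denied before an unprivileged process may write gid_map */
    if (write_proc("/proc/self/setgroups", "deny") < 0) return -1;
    format_id_map(map, sizeof map, inside, gid);
    if (write_proc("/proc/self/gid_map", map) < 0) return -1;
    /* make mounts private so nothing mounted in here propagates back to the host */
    return mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL);
}
int main(void)
{
    if (enter_unprivileged_sandbox(0) < 0) { perror("enter_unprivileged_sandbox"); return 1; }
    /* euid now reads 0, yet the kernel still accounts every action to the original host uid */
    printf("euid inside the namespace: %u\n", (unsigned)geteuid());
    return 0;
}
```

Uid 0 inside the namespace carries no privilege on the host, which is exactly why a tool built on this mechanism needs no setuid binary.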

Usage example:

# Import and start an Ubuntu image from DockerHub
$ enroot import docker://ubuntu
$ enroot create ubuntu.sqsh
$ enroot start ubuntu

Key Concepts

  • Adheres to the KISS principle and Unix philosophy
  • Standalone (no daemon)
  • Fully unprivileged and multi-user capable (no setuid binary, cgroup inheritance, per-user configuration/container store...)
  • Easy to use (simple image format, scriptable, root remapping...)
  • Little to no isolation (no performance overhead, simplifies HPC deployments)
  • Entirely composable and extensible (system-wide and user-specific configurations)
  • Fast Docker image import (3x to 5x speedup on large images)
  • Built-in GPU support with libnvidia-container
  • Facilitates collaboration and development workflows (bundles, in-memory containers...)

Documentation

  1. Requirements
  2. Installation
  3. Image format
  4. Configuration
  5. Standard Hooks
  6. Usage

Copyright and License

This project is released under the Apache License 2.0.

It bundles libbsd, which is available under a dual "3-clause BSD" and "ISC" license as well as makeself, which is available under a "GNU General Public License v2.0" license.
For details, see deps/libbsd/ and deps/makeself/.

Issues and Contributing

Reporting Security Issues

When reporting a security issue, do not create an issue or file a pull request.
Instead, disclose the issue responsibly by sending an email to psirt<at>nvidia.com.
