「 须臾水面明月出,沧江万顷瑠璃寒 」 (In a moment the bright moon rises over the water; ten thousand qing of the cold river gleam like lapis lazuli.)
You can get the ruri binary (statically linked) for arm64, armv7, riscv64 and x86_64 devices from the Release page.
Warning
ruri should always be executed with root privileges (sudo); do not set SUID or any file capability on it!
* Your warranty is void.
* I am not responsible for anything that may happen to your device by using this program.
* You do it at your own risk and take the responsibility upon yourself.
* This program has no Super Cow Powers.
“Bugs will happen, if they don’t happen in hardware, they will happen in software and if they don’t happen in your software they will happen in somebody else’s software.”
--Torvalds
If you think something does not work as expected, please open a new issue.
ruri is pronounced as luli, or you can call it 瑠璃 in Chinese or Japanese as well.
ruri is an acronym for Lightweight, User-friendly Linux-container Implementation. It's designed to provide better security for Linux containers on devices that do not support Docker.
- Simple: The basic usage is very simple; you can use it just like the command `chroot`.
- Secure: ruri focuses on security, with many protections.
- Run Everywhere: The binary is very small, only about 1M, and you can also use `upx` to make it less than 500k, so it can run anywhere even if storage is tight.
```sh
git clone https://github.com/Moe-hacker/ruri
cd ruri
./configure -s
make
sudo cp ruri /usr/bin/ruri
```
```
Usage: ./configure [OPTION]...
-h, --help show help
-s, --static compile static binary
-d, --dev compile dev version
```
```
ruri 3.3
Lightweight, User-friendly Linux-container Implementation
Usage:
ruri [OPTIONS]...
ruri [ARGS]... [CONTAINER_DIRECTORY]... [COMMAND [ARGS]...]
OPTIONS:
-v, --version .......................: Show version info
-V, --version-code ..................: Show version code
-h, --help ..........................: Show helps
-H, --show-examples .................: Show commandline examples
-U, --umount [container_dir] ........: Umount a container
ARGS:
-D, --dump-config ...................: Dump the config
-o, --output [config file] ..........: Set output file of `-D` option
-c, --config [config file] ..........: Use config file
-a, --arch [arch] ...................: Simulate architecture via binfmt_misc/QEMU (*)
-q, --qemu-path [path] ..............: Specify the path of QEMU
-u, --unshare .......................: Enable unshare feature
-n, --no-new-privs ..................: Set NO_NEW_PRIVS flag
-N, --no-rurienv ....................: Do not use .rurienv file
-s, --enable-seccomp ................: Enable built-in Seccomp profile
-p, --privileged ....................: Run privileged container
-r, --rootless ......................: Run rootless container (WIP)
-k, --keep [cap] ....................: Keep the specified capability
-d, --drop [cap] ....................: Drop the specified capability
-e, --env [env] [value] .............: Set environment variables to its value (**)
-m, --mount [dir/dev/img] [dir] .....: Mount dir/block-device/image to mountpoint (***)
-M, --ro-mount [dir/dev/img] [dir] ..: Mount dir/block-device/image as read-only
-S, --host-runtime ..................: Bind-mount /dev/, /sys/ and /proc/ from host
-R, --read-only .....................: Mount / as read-only
-l, --limit [cpuset=cpu/memory=mem] .: Set cpuset/memory limit(****)
-w, --no-warnings ...................: Disable warnings
Note:
(*) : `-a` option also need `-q` is set
(**) : Will not work if [COMMAND [ARGS]...] is like `/bin/su -`
(***) : You can use `-m [source] /` to mount a block device as root
(****): Each `-l` option can only set one of the cpuset/memory limits
for example: `ruri -l memory=1M -l cpuset=1 /test`
```
```sh
git clone https://github.com/Moe-hacker/rootfstool
cd rootfstool
./rootfstool download -d alpine -v edge
mkdir /tmp/alpine
sudo tar -xvf rootfs.tar.xz -C /tmp/alpine
sudo ruri /tmp/alpine
```
For an unshare container:
```sh
sudo ruri -u /tmp/alpine
```
Very simple, as you can see.
For command line examples, please see `ruri -H`.
```sh
# Run chroot container:
sudo ruri /tmp/alpine
# Very simple as you can see.
# About the capabilities:
# Run privileged chroot container:
sudo ruri -p /tmp/alpine
# If you want to run privileged chroot container,
# but you don't want to give the container cap_sys_chroot privileges:
sudo ruri -p -d cap_sys_chroot /tmp/alpine
# If you want to run chroot container with common privileges,
# but you want cap_sys_admin to be kept:
sudo ruri -k cap_sys_admin /tmp/alpine
# About unshare:
# Unshare container's capability options are same with chroot.
# Run unshare container:
sudo ruri -u /tmp/alpine
# Umount the container:
sudo ruri -U /tmp/alpine
```
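The examples above leave two things to the operator: the Warning's rule that the ruri binary must never carry SUID or file capabilities, and the help text's rule that each `-l` sets exactly one limit. The following POSIX sh wrapper is an added example, not part of the ruri project: it checks the installed binary before launch and assembles a hardened `-u -n -s` command line with dropped capabilities and per-option limits. The function names, the `RURI_BIN` variable and the `launch_hardened_container` helper are assumptions of this example; the ruri options used are the ones documented on this page.

```sh
#!/bin/sh
# Added example (not ruri's own code): pre-flight checks and command-line
# assembly for running ruri the way the README recommends.

# Return 0 if the binary at $1 has neither setuid/setgid bits nor file
# capabilities; ruri must get its privileges from sudo, not from the file.
ruri_binary_is_clean() {
    bin="$1"
    [ -f "$bin" ] || { echo "no such file: $bin" >&2; return 2; }
    # Characters 4 and 7 of the mode string are the user/group execute
    # slots; an 's' or 'S' there means setuid/setgid is set.
    case "$(ls -ld "$bin" | cut -c4,7)" in
        *[sS]*) echo "refusing: $bin has setuid/setgid set" >&2; return 1 ;;
    esac
    # getcap (libcap) prints one line per file that carries capabilities.
    if command -v getcap >/dev/null 2>&1; then
        caps=$(getcap "$bin" 2>/dev/null)
        if [ -n "$caps" ]; then
            echo "refusing: $bin carries file capabilities: $caps" >&2
            return 1
        fi
    fi
    return 0
}

# Print a hardened ruri command line.
#   $1 rootfs directory
#   $2 space-separated limits, e.g. "memory=512M cpuset=0-1" (each becomes its own -l)
#   $3 space-separated capabilities to drop, e.g. "cap_sys_admin cap_sys_module"
# Flags: -u (unshare), -n (NO_NEW_PRIVS), -s (built-in seccomp profile).
ruri_hardened_cmd() {
    rootfs="$1"
    limits="$2"
    drops="$3"
    # Validate first: one limit per -l, only memory= or cpuset=, no commas.
    for lim in $limits; do
        case "$lim" in
            *,*|*=*=*) echo "invalid limit (one per -l): $lim" >&2; return 1 ;;
            memory=?*|cpuset=?*) ;;
            *) echo "invalid limit: $lim" >&2; return 1 ;;
        esac
    done
    cmd="ruri -u -n -s"
    for cap in $drops; do cmd="$cmd -d $cap"; done
    for lim in $limits; do cmd="$cmd -l $lim"; done
    printf '%s\n' "$cmd $rootfs"
}

# Check the installed binary, then run the container under sudo.
# Usage: launch_hardened_container /tmp/alpine "memory=512M" "cap_sys_admin"
launch_hardened_container() {
    RURI_BIN="${RURI_BIN:-$(command -v ruri)}"
    ruri_binary_is_clean "$RURI_BIN" || return 1
    cmd=$(ruri_hardened_cmd "$@") || return 1
    # shellcheck disable=SC2086  # word-splitting the assembled argv is intended
    sudo $cmd
}
```

`ruri_hardened_cmd` only prints the command line, so it can be reviewed (or logged) before `launch_hardened_container` hands it to sudo; the checks use `ls`/`cut` rather than `find -perm /6000` so they run on BusyBox as well as GNU userland.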
License of code:
- Licensed under the MIT License
- Copyright (c) 2022-2024 Moe-hacker
License of clang-format config file:
- GPL-2.0
「 咲誇る花 美しく、
散り行く運命 知りながら、
僅かな時の彩を 」
(Flowers in full bloom, beautiful, knowing the fate that they will scatter, colour a fleeting moment.)
(>_×)