Build Your Own Docker with Linux Namespaces, Cgroups, and Chroot

This page summarizes the projects mentioned and recommended in the original post on news.ycombinator.com

  • Moby

    The Moby Project - a collaborative project for the container ecosystem to assemble container-based systems

    Docker by default also applies a seccomp system call whitelist per [1] and restricts capabilities per [2], amongst numerous other default hardening practices that are applied. If a Docker container really had a need to call the "reboot" system call, this permission could be explicitly added.

    More complex sandboxing techniques include opening handles for sockets, pipes, files, etc., and then hardening seccomp filters on top to prevent any new handles from being opened. In this way, some containers can read/write defined files on a volume without having any ability to otherwise interact with file systems, such as opening new files (all file-system-related system calls could be disabled).

    [1] https://github.com/moby/moby/blob/master/profiles/seccomp/de...

    [2] https://docs.docker.com/engine/security/#linux-kernel-capabi...

  • distroless

    🥑 Language focused docker images, minus the operating system.

    Lots of examples without the entire OS, as other comments mention; an example would be Google's distroless [0].

    [0]: https://github.com/GoogleContainerTools/distroless

  • bocker

    Docker implemented in around 100 lines of bash

  • unikraft

    A next-generation cloud native kernel designed to unlock best-in-class performance, security primitives and efficiency savings.

    A unikernel is not the same as a microkernel.

    I've found these after some quick googling:

    https://unikraft.org/

  • nanos

    A kernel designed to run one and only one application in a virtualized environment

  • kernel

    A Rust-based, lightweight unikernel.

NOTE: The number of mentions on this list indicates mentions on common posts plus user suggested alternatives. Hence, a higher number means a more popular project.

Related posts

  • Building a unikernel that runs WebAssembly – part 1

    5 projects | news.ycombinator.com | 23 Oct 2023
  • OS for Secure Containers?

    2 projects | news.ycombinator.com | 4 Sep 2024
  • Kolibri OS: fits on a floppy disk, programmed using interrupts

    6 projects | news.ycombinator.com | 30 Nov 2023
  • Mirage – A programming framework for building type-safe, modular systems

    10 projects | news.ycombinator.com | 23 Nov 2023
  • A kernel designed to run only one application in a virtualized environment

    1 project | news.ycombinator.com | 28 Jun 2022
