bhyvex / pflask Goto Github PK

This project forked from ghedo/pflask

:sake: Lightweight process containers for Linux

Home Page: https://ghedo.github.io/pflask/

License: BSD 2-Clause "Simplified" License

Python 4.16% C 93.05% Shell 2.78%

pflask's Introduction

pflask

pflask is a simple tool for creating process containers on Linux. It can be used for running single commands or even booting a whole operating system inside an isolated environment, where the filesystem hierarchy, networking, process tree, IPC subsystems and host/domain name can be insulated from the host system and from other containers.

Getting Started

pflask doesn't need any configuration and can be run without any arguments as follows:

By default a new container will be created and a bash shell will be started, but a custom command can also be specified:

The container can also be run inside a private root directory by using the --chroot option:

This can be used, for example, as a replacement for the chroot(8) command. It's even possible to invoke the init binary and boot the whole operating system inside the container:

Note that pflask doesn't provide any support for creating the rootfs, but can piggyback on existing tools. For example the debootstrap(8) command can be used for creating a Debian rootfs as follows:

For more information on pflask usage, have a look at the man page.

Networking

With the --netif option the container's networking is disconnected from the host system: the container gets its own network namespace, and none of the host's network interfaces are visible inside it:

The --netif option can also be used to create private network interfaces:

The command above will create a new macvlan interface called net0, from the eth0 host interface. macvlan interfaces can be used to give an additional MAC address to a network adapter and make it look like a completely different device.

Interfaces created inside the container will be automatically destroyed once the container terminates.

pflask can also create other types of network interfaces, have a look at the manpage for more information.

Filesystem

By default a new mount namespace is created for the container, so that filesystems mounted inside it won't affect the host system. The --mount option can then be used to create new mount points before the execution of the supplied command.

The command above will bind mount the host's /tmp directory into the container's /tmp, so that files can be exchanged between them.

pflask can also create other types of mount points, have a look at the manpage for more information.

Additionally, using the --ephemeral option it's possible to tell pflask to discard any change applied to the root filesystem once the container terminates:

This can be used, for example, for a build environment, where dependencies are installed on a clean rootfs at every run, without the need to recreate the rootfs each time.

Unprivileged containers

All the commands above have been executed with root privileges, but pflask can be invoked, with some limitations, by unprivileged users as well, as long as user namespaces are supported by the host system.

For example, on recent Debian versions user namespaces are enabled, but are restricted to the root user only. To enable them for unprivileged users run:

This functionality can be used to run every-day user applications such as a web browser inside a container:

The command above uses the --mount option to create a tmpfs mount point on the $HOME directory, so that the application (chromium in the example) won't be able to access the user's private files, and any modification to the home directory will be discarded once the container terminates.

The --chroot option can be used with unprivileged containers as well, but requires some additional configuration.

The first step is assigning a set of additional UIDs and GIDs to the current user ($USER). These will be used by pflask inside the container:

Note that the commands above require root privileges, but have to be run only once.

Then any time an unprivileged chroot(8) is needed, the following command can be run:

Note that the newuidmap(1) and newgidmap(1) commands need to be installed for any of this to work: on Debian/Ubuntu systems they are provided by the uidmap package.

Background containers

Containers can be detached from the current terminal as soon as they are created by using the --detach option:

and then later reattached (even to a different terminal) with the --attach option:

Where 29076 is the PID of the detached pflask process. Once reattached, it can be detached again by pressing ^@ (Ctrl + @).

machined integration

Containers created with pflask are automatically registered with the machined daemon, if installed and running. The machinectl(1) command can then be used to list and manipulate running containers.

Let's create one container as follows:

Running containers can be listed using the list command:

and information regarding a single container can be retrieved with the show command:

Additionally, the status command will show more information regarding the status of the container:

One can even log into the container using the login command (note that the dbus daemon needs to be running inside the container for this to work):

And finally the container can be terminated using either the poweroff or terminate commands:

Building

pflask is distributed as source code. Build with:

Copyright (C) 2013 Alessandro Ghedini <[email protected]>

See COPYING for the license.

pflask's People

Contributors

culugyx, eli-schwartz, gdm85, ghedo, jepler, jwessel, krschwab, olleolleolle
