Skip to content

ForAllSecure/rootfs_builder

Repository files navigation

Go

Rootfs Builder

Rootfs builder pulls an image from a Docker registry and extracts the rootfs. This is equivalent to the command:

mkdir rootfs && docker export $(docker create busybox) | tar -C rootfs -xvf -

The rootfs generated is OCI compliant and can be run with RunC. The user can specify the user to chown the files to and whether or not to use a subuid mapping in case they want to unshare user namespaces.

Installation

Install Go 1.12

On debian:sid apt-get install -y golang-1.12-go.

From source:

sudo apt-get update
wget https://dl.google.com/go/go1.12.7.linux-amd64.tar.gz
sudo tar -xvf go1.12.7.linux-amd64.tar.gz
sudo mv go /usr/local
sudo mv /usr/local/go/bin/go /bin

Rootfs builder can be statically built. This statically compiles rootfs builder in a container:

make static

Or if you want to develop Rootfs Builder in a container, run: make dev

Usage

Rootfs builder can be run with: ./rootfs_builder <config.json>

An example config.json looks like:

{
    "Name": "debian:buster",
    "Cert": "/workdir/cert",
    "Retries": 3,
    "Spec":
        {
            "Dest": "/tmp/rootfs",
            "User": "fas",
            "UseSubuid": True
        }
}
  • Name (string, REQUIRED) Name of image to pull.
  • Cert (string, OPTIONAL) Path to cert to add to root CAs for the registry.
  • Retries (int, OPTIONAL) Number of attempts to connect to registry.
  • Spec (dict, OPTIONAL) Spec for the rootfs.
  • Dest (string, OPTIONAL) Destination to extract rootfs to.
  • User (string, OPTIONAL) User to chown files to.
  • UseSubuid (bool, OPTIONAL) Look up subuid mapping for giving user and chown to that uid.

Tests

To run integration tests, run make test.

Credits

This code is from ForAllSecure labs. It is not an official ForAllSecure maintained product or offering.

Some code recycled from Google's Kaniko.