Build and run layered root filesystems.
Build and run layered root filesystems.
USAGE:
Import Image:
plash pull:docker IMAGE[:TAG] - Pull image from docker cli
plash pull:lxc DISTRO:VERSION - Download image from images.linuxcontainers.org
plash pull:tarfile ARG - Import the image from an file
plash pull:url ARG - Download image from an url
Export Image:
plash push:dir ID ARG - Export image to a directory
plash push:tarfile ID ARG - Export image to a file
Image Commands:
plash build ID CODE - Build a new image
plash mount ID MOUNTDIR - Mount image to the host filesystem
plash mounted ID [CMD ...] - Run command on a mounted image
plash nodepath [--allow-0] ID - Print filesystem path of an image
plash parent ID - Print the parents image
plash rm ID - Remove image and its children
plash run ID ... - Run command in image
plash do PLASH_CMD ... - Shortcut for `plash recall cache ...`
plash cache PLASH_CMD ... - Cache image id output by argv
plash run:persist ID DIR ... - Run and persist fs changes at DIR
plash stack ID DIR - Create a new image specyfing its layer
plash check ID PATH - Invalidate ongoing caches if PATH changed.
Other Commands:
plash recall PLASHCMD *ARGS - Save returned ID and/or reuse last saved ID
plash chroot DIR [CMD ...] - Flavored chroot
plash clean - Remove internal unsused files
plash data - Print application data path
plash help - Print help message
plash init - Initialize data dir
plash map KEY [ID] - Map lorem ipsum
plash mkdtemp - Create tempory data directory
plash purge - Remove all application data
plash shrink - Remove half of all images
plash sudo ... - Run program as 'userspace root'
plash version - Print version
cd $(mktemp -d)
git clone [email protected]:ihucos/plash.git .
make
sudo cp dist/plash /usr/local/bin
sudo rm /usr/local/bin/plash
make
andcc
- Linux Kernel >= 5.11
- Optional
newuidmap
andnewgidmap
for setuid/setgid support with non-root users (needed by e.G.apt
)
-
Plash processes have the same operating system access rights than the process that started it. There is no security relevant isolation feature. Exactly as with running programs "normally", don't run programs you do not trust with plash and try to avoid using plash with the root user.
-
Plash only runs inside Docker containers started with the
--privileged
flag, see GitHub issue #51 for details.
Plash containers are not necessarily true containers because they do not fully isolate themselves from the host system and do not have additional security measures set in place. Instead, they are more like a combination of processes and containers, and can be treated like normal processes (e.g., they can be killed). Plash containers also have access to the home directory of the user who started them. To better understand this concept, refer to the provided diagram.
Threads < Processes < Plash < Containers < Virtualisation < Physical computer
In general, the more to the left something is on the spectrum, the less flexible it is, but the more integrated it is with the system, allowing it to share existing resources. Plash containers are more constrained than traditional containers, but in exchange, they have access to resources that would typically only be available to processes.
- Network access, including access to the hosts localhost
- The user's home directory (/home is mapped)
- The /tmp directory (during runtime, not during building)
- The Linux kernel (as with traditional containers)
- The mount namespace
- The root folder, allowing running a different linux distribution
Plash containers are just a normal Linux process that happen to run on a different root filesystem. This means that they have their own set of benefits and drawbacks and may be more or less suitable for a particular use case.
- Elegance in minimalism
- User interface needs break Development Guidelines
- Keep the script character.
- Don't fall in love with the code, embrace its absence.
- All dependencies will get unmaintained at some point.
- Use honest thin wrappers, documented leaky abstractions are better then difficult promises.
- Don't be a monolith but don't try too hard not to be one.
- Don't complain or warn via stderr, do it or don't do it.
- Only be as smart as necessary and keep it simple and stupid (KISS).
- Still be able to run this in five years without any maintenance work.
- No baggage, no worries.
- Define well what this project is and especially what it is not.
- Say no to features, say yes to solved use cases.
- Postpone compromises.
- Ditch everything that turns out too fiddly.
- Be as vanilla as you can be
- Be humble, don't oversell your abstraction layer.
- Sometimes the dirty solution is cleaner than the proper one.
- Don't differentiate root from non-root users (this is a TODO)
- Crude is better than complex.
- Only eat your own dog food if you are hungry.
- Work towards a timeless, finished product that will require no maintenance.
- Don't write C just because it looks cool, use the right tool for the right job.
- Cognitive load for endusers does matter after all
- The right guidelines for the right situation.
Please! Write me an mail [email protected], open an issue, do a pull request or ask me out for a friendly chat about plash in Berlin.
A Django/Python software-developer. Since this is an open source project I hope this software grows organically and collaboratively.
Technical idealism. I wanted a better technical solution for a problem. In my personal opinion Docker is revolutionary but has some shortcomings: awkward interface, reinvention of established software or interfaces, bundling, vendor lock in and overengineering. In a way it kills it's idea by trying too hard to build a huge company on top of it. Plash thrives not to be more than a useful tool with one task: Building and running containerized processes. Ultimately I wanted something I can if necessary maintain by myself.
No, there isn't. At the same time I don't want to risk disappointing anyone and am not making any absolute guarantees.
plash is licensed under the MIT Licence.
Docker is a bloated SUV you have to bring to the car workshop every week, for random alterations, features and new advertising stickers. Plash is a nice fixed gear bike, but the welds are still hot and nobody checked the bolts yet.
No guarantees.
Plash does not use any daemons or have its own setuid helper binaries. Note that plash does not try to isolate containers (which are just normal processes). That means that running a program inside plash is not a security feature. Running any container software introduces more entities to trust, that is the root file system image with its additional linux distribution and its own package manager. Using a program from alpine edge could be considered less secure than a package from debian stable or vice versa. Also note that keeping containers updated is more difficult than keeping "normal" system software updated. Furthermore note that programs could be not used to run inside semi-isolated containers and behave oddly. Plash uses unmodified lxc images. Using plash as root should be avoided and should not be necessary for most use cases. Until now plash was written by one person and of course I could be wrong about something. But generally speaking it really should be good enough.