catatonit - A container init that is so simple it's effectively brain-dead.

  •        45

A container init that is so simple it's effectively brain-dead. This is a rewrite of initrs in C, because we found that it is not possible to statically compile Rust binaries without using musl. That was, in turn, a reimplementation of other container inits like tini and dumb-init. The reason for re-implementing docker-init is because it appears as though all of the other implementations do not handle signals as correctly as they should. In particular, they all appear to make use of sigwait(2) (tini does a sigtimedwait(2) for an interval and then will do a waitpid(2) even if it didn't detect a SIGCHLD). catatonit uses signalfd(2), which has its own warts, but the improvements over sigwait(2) are significant in terms of stability. Ideally we would just write a patch for the other projects to use signalfd(2) rather than creating a new project, but after some time spent looking at tini and dumb-init we felt that such patches would be closer to full rewrites.



Related Projects

udocker - A basic user tool to execute simple docker containers in batch or interactive systems without root privileges

  •    Python

A basic user tool to execute simple docker containers in user space without requiring root privileges. Enables download and execution of docker containers by non-privileged users in Linux systems where docker is not available. It can be used to pull and execute docker containers in Linux batch systems and interactive clusters that are managed by other entities such as grid infrastructures or externally managed batch or interactive systems. The INDIGO udocker does not require any type of privileges nor the deployment of services by system administrators. It can be downloaded and executed entirely by the end user.

Docker-Secure-Deployment-Guidelines - Deployment checklist for securely deploying Docker


Within today’s growing cloud-based IT market, there is a strong demand for virtualisation technologies. Unfortunately most virtualisation solutions are not flexible enough to meet developer requirements and the overhead implied by the use of full virtualisation solutions becomes a burden on the scalability of the infrastructure. Docker reduces that overhead by allowing developers and system administrators to seamlessly deploy containers for applications and services required for business operations. However, because Docker leverages the same kernel as the host system to reduce the need for resources, containers can be exposed to significant security risks if not adequately configured. The following itemised list suggests hardening actions that can be undertaken to improve the security posture of the containers within their respective environment. It should be noted that proposed solutions only apply to deployment of Linux Docker containers on Linux-based hosts, using the most recent release of Docker at the time of this writing (1.4.0, commit 4595d4f, dating 11/12/14). Part of the content below is based on publications from Jérôme Petazzoni [1] and Daniel J Walsh [2]. This document aims at adding on to their recommendations and how they can specifically be implemented within Docker. Note: Most of suggested command line options can be stored and used in a similar manner inside a Dockerfile for automated image building. Docker 1.3 now supports cryptographic signatures [3] to ascertain the origin and integrity of official repository images. This feature is however still a work in progress as Docker will issue a warning but not prevent the image from actually running. Furthermore, it does not apply to non-official images. In general, ensure that images are only retrieved from trusted repositories and that the --insecure-registry=[] command line option is never used.

docker-slim - DockerSlim (docker-slim): Optimize and secure your Docker containers (free and open source)

  •    Go

Creating small containers requires a lot of voodoo magic and it can be pretty painful. You shouldn't have to throw away your tools and your workflow to have skinny containers. Using Docker should be easy.docker-slim is a magic diet pill for your containers :) It will use static and dynamic analysis to create a skinny container for your app.

docker-gc - Docker garbage collection of containers and images

  •    Shell

A simple Docker container and image garbage collection script.Although docker normally prevents removal of images that are in use by containers, we take extra care to not remove any image tags (e.g., ubuntu:14.04, busybox, etc) that are in use by containers. A naive docker rmi $(docker images -q) will leave images stripped of all tags, forcing docker to re-pull the repositories when starting new containers even though the images themselves are still on disk.

dagda - a tool to perform static analysis of known vulnerabilities, trojans, viruses, malware & other malicious threats in docker images/containers and to monitor the docker daemon and running docker containers for detecting anomalous activities

  •    Python

Dagda is a tool to perform static analysis of known vulnerabilities, trojans, viruses, malware & other malicious threats in docker images/containers and to monitor the docker daemon and running docker containers for detecting anomalous activities. In order to fulfill its mission, first the known vulnerabilities as CVEs (Common Vulnerabilities and Exposures), BIDs (Bugtraq IDs), RHSAs (Red Hat Security Advisories) and RHBAs (Red Hat Bug Advisories), and the known exploits from Offensive Security database are imported into a MongoDB to facilitate the search of these vulnerabilities and exploits when your analysis are in progress.

docker-cleanup - Automatic Docker image, container and volume cleanup

  •    Shell

This image will periodically clean up exited containers and remove images and volumes that aren't in use by a running container. Based on tutumcloud/image-cleanup and chadoe/docker-cleanup-volumes with some small fixes. WARNING: This script will remove all exited containers, data-only containers and unused images unless you carefully exclude them. Take care if you mount /var/lib/docker into the container since that will clean up all unused data volumes. If it's not compatible with your system or Docker version it may delete all your volumes, even from under running containers.

docker-bench-security - The Docker Bench for Security is a script that checks for dozens of common best-practices around deploying Docker containers in production

  •    Shell

The Docker Bench for Security is a script that checks for dozens of common best-practices around deploying Docker containers in production. The tests are all automated, and are inspired by the CIS Docker Community Edition Benchmark v1.1.0. We are releasing this as a follow-up to our Understanding Docker Security and Best Practices blog post. We are making this available as an open-source utility so the Docker community can have an easy way to self-assess their hosts and docker containers against this benchmark.

RancherOS - Tiny Linux distro that runs the entire OS as Docker containers

  •    Go

RancherOS is a minimalist Linux distribution perfect for running Docker containers. It runs Docker directly on top of the kernel and delivers Linux services as containers. It includes only the services needed to run Docker. RancherOS reduces the hassle with updating, patching, and maintaining your container host operating system.

local-persist - Create named local volumes that persist in the location(s) you want

  •    Go

In Docker 1.9, they added support for creating standalone named Volumes. Now with Docker 1.10 and Docker Compose 1.6's new syntax, you can create named volumes through Docker Compose.This is great for creating standalone volumes and easily connecting them to different directories in different containers as a way to share data between multiple containers. On a much larger scale, it also allows for the use of Docker Volume Plugins to do cool things like Flocker is doing (help run stateful containers across multiple hosts).

watchtower - Automatically update running Docker containers

  •    Go

A process for watching your Docker containers and automatically restarting them whenever their base image is refreshed. Watchtower is an application that will monitor your running Docker containers and watch for changes to the images that those containers were originally started from. If watchtower detects that an image has changed, it will automatically restart the container using the new image.

Weave - Simple, Resilient Multi-host Docker Networking

  •    Go

Weave is a simple, portable and reliable way to network and manage containers and microservices. It provides a simple and resilient network for your application that is portable across data centers and public clouds. Weave Net creates a virtual network that connects Docker containers across multiple hosts and enables their automatic discovery.

PiCluster - Manage Docker Containers

  •    Javascript

PiCluster is a simple way to manage Docker containers on multiple hosts. Docker Swarm not that good and Kubernetes was too difficult to install currently on ARM. PiCluster will only build and run images from Dockerfile's on the host specified in the config file. This software will work on regular x86 hardware also and is not tied to ARM.

muguet - DNS Server & Reverse proxy for Docker - Compatible with docker-compose, boot2docker and docker-machine

  •    Javascript

When using Docker, it's sometimes a pain to access your containers using specific IPs/ports. Muguet provides you with a DNS Server that resolves auto-generated hostnames to your containers IPs, plus a Reverse Proxy to access all your web apps on port 80.

rocker - R configurations for Docker

  •    Shell

This repository contains Dockerfiles for different Docker containers of interest to R users. To get started right away, ensure you have Docker installed and start a container with docker run --rm -ti rocker/r-base (see here for the docker run command options). In this case we are starting the r-base container (the base package to build from) in an interactive mode, see below for details of the other containers currently available. To get started on the rstudio container or its derivative containers (eg. hadleyverse and ropensci) you need to open a port, see the instructions in the wiki. The wiki also contains further instructions and information on the project, including how to extend these images and contribute to development.

dumb-init - A minimal init system for Linux containers

  •    Python

dumb-init is a simple process supervisor and init system designed to run as PID 1 inside minimal container environments (such as Docker). It is deployed as a small, statically-linked binary written in C.Lightweight containers have popularized the idea of running a single process or service without normal init systems like systemd or sysvinit. However, omitting an init system often leads to incorrect handling of processes and signals, and can result in problems such as containers which can't be gracefully stopped, or leaking containers which should have been destroyed.

Flocker - Container data volume manager for your Dockerized application

  •    Python

Flocker is an open-source Container Data Volume Manager for your Dockerized applications. By providing tools for data migrations, Flocker gives ops teams the tools they need to run containerized stateful services like databases in production. Unlike a Docker data volume which is tied to a single server, a Flocker data volume, called a dataset, is portable and can be used with any container, no matter where that container is running.

dockerfiles-windows - Various Dockerfiles for Windows Containers

  •    Javascript

Various Dockerfiles for Windows. Most of these can be run as Windows Containers on Windows 10, Windows Server 2016, Windows Server 1709 and Windows Server 1803. Most of these Dockerfiles are automatically built on AppVeyor and pushed to Docker Hub. See the badges in each sub folder's README files.

x11docker - Run GUI applications and desktops in docker. Focus on security.

  •    Shell

Graphical applications and desktops in docker are similar in usage to a Virtual Machine. They are isolated from host in several ways. It is possible to run applications that would not run on host due to missing dependencies. For example, you can run latest development versions or outdated versions of applications, or even multiple versions at the same time. Practical differences to a VM: Docker containers need much less resources. x11docker discardes containers after use. Persistant data and configuration storage is done with shared folders. Persistant container system changes can be done in Dockerfile. System changes in running containers are discarded after use.

autodock - Autodock. The docker container automation tool.

  •    Python

All the deliciousness of a crazy KFC combination sandwich...none of the shame. Autodock is a docker automation tool. This tool will help you spin up docker containers faster than ever! It automatically sorts servers in your Docker cluster by lowest load. It then distributes the containers you want to create among them. After bootstrapping the containers with Paramiko and Salt it saves this information to the ETCD cluster.

nginx-proxy - Automated nginx proxy for Docker containers using docker-gen

  •    Python

nginx-proxy sets up a container running nginx and docker-gen. docker-gen generates reverse proxy configs for nginx and reloads nginx when containers are started and stopped.See Automated Nginx Reverse Proxy for Docker for why you might want to use this.

We have large collection of open source products. Follow the tags from Tag Cloud >>

Open source products are scattered around the web. Please provide information about the open source projects you own / you use. Add Projects.