boxctl - An opinionated way to manage systemd-nspawn containers without relying on BTRFS


Wrapper for machinectl and systemctl to manage systemd-nspawn OS containers with a prescriptive way to cut over to new images and fall back to old ones (without depending on BTRFS or ZFS). OverlayFS is used to maintain control over changes from the original image. The goal of this wrapper is to remain as lightweight as possible, preferring the preservation of the systemd-nspawn-flavored approaches to running containers over any features added in this wrapper script. This is not intended to replace machinectl, but instead to supplement it with a prescriptive workflow for upgrading to new system containers while providing a valid fallback posture if needed. Note: this is a work in progress, so it is not stable yet.

https://github.com/wagoodman/boxctl

Related Projects

kube-spawn - A tool for creating multi-node Kubernetes clusters on a Linux machine using kubeadm & systemd-nspawn

  •    Go

kube-spawn is a tool for creating a multi-node Kubernetes (>= 1.8) cluster on a single Linux machine, created mostly for developers of Kubernetes but is also a Certified Kubernetes Distribution and, therefore, perfect for running and testing deployments locally. It attempts to mimic production setups by making use of OS containers to set up nodes.

bubblewrap - Unprivileged sandboxing tool

  •    C

Many container runtime tools like systemd-nspawn, docker, etc. focus on providing infrastructure for system administrators and orchestration tools (e.g. Kubernetes) to run containers. These tools are not suitable to give to unprivileged users, because it is trivial to turn such access into a fully privileged root shell on the host.

amicontained - Container introspection tool

  •    Go

Container introspection tool. Find out what container runtime is being used as well as features available.

amicontained - Container introspection tool

  •    Makefile

Container introspection tool. Find out what container runtime is being used as well as features available. For installation instructions from binaries please visit the Releases Page.


systemd-docker - Wrapper for "docker run" to handle systemd quirks

  •    Go

This is a wrapper for docker run so that you can sanely run Docker containers under systemd. The key thing that this wrapper does is move the container process from the cgroups set up by Docker to the service unit's cgroup. It also handles a number of other quirks, so please read through the documentation to understand all the implications of running Docker under systemd. Using this wrapper you can manage containers through systemctl or the docker CLI and everything should stay in sync. Additionally, you can leverage all the cgroup functionality of systemd and systemd-notify.

geard - geard is no longer maintained - see OpenShift 3 and Kubernetes

  •    Go

The geard agent exposes operations on containers needed for large scale orchestration in production environments, and tries to map those operations closely to the underlying concepts in Docker and systemd. It supports linking containers into logical groups (applications) across multiple hosts with iptables based local networking, shared environment files, and SSH access to containers. It is also a test bed for prototyping related container services that may eventually exist as Docker plugins, such as routing, event notification, and efficient idling and network activation. The gear daemon and local commands must run as root to interface with the Docker daemon over its Unix socket and systemd over DBus.

dumb-init - A minimal init system for Linux containers

  •    Python

dumb-init is a simple process supervisor and init system designed to run as PID 1 inside minimal container environments (such as Docker). It is deployed as a small, statically-linked binary written in C. Lightweight containers have popularized the idea of running a single process or service without normal init systems like systemd or sysvinit. However, omitting an init system often leads to incorrect handling of processes and signals, and can result in problems such as containers which can't be gracefully stopped, or leaking containers which should have been destroyed.

sysbox - An open-source, next-generation "runc" that empowers rootless containers to run workloads such as Systemd, Docker, Kubernetes, just like VMs

  •    Shell

Improves container isolation: Sysbox always enables the Linux user-namespace on containers (i.e., root user in the container has zero privileges on the host), hides host info inside the container, locks the container's initial mounts, and more. Sysbox is an OCI-based "runc", meaning that you typically use Docker and Kubernetes to deploy these enhanced containers (in fact Sysbox works under the covers, you don't interact with it directly). Thus there is no need to learn new tools or modify your existing container workflows to take advantage of Sysbox. Just install it and point your container manager / orchestrator to it.

ctop - A command line / text based Linux Containers monitoring tool that works just like you expect.

  •    Python

A command line / text based Linux Containers monitoring tool that works just like you expect. ctop will help you see what's going on at the container level. Basically, containers are a logical group of processes isolated using the kernel's cgroups and namespaces. Recently, they have been made popular by Docker and they are also heavily used under the hood by systemd and a load of container tools like lxc, rocket, lmctfy and many others.

x11docker - Run GUI applications and desktops in docker. Focus on security.

  •    Shell

Graphical applications and desktops in docker are similar in usage to a Virtual Machine. They are isolated from the host in several ways. It is possible to run applications that would not run on the host due to missing dependencies. For example, you can run the latest development versions or outdated versions of applications, or even multiple versions at the same time. Practical differences to a VM: Docker containers need much fewer resources. x11docker discards containers after use. Persistent data and configuration storage is done with shared folders. Persistent container system changes can be done in a Dockerfile. System changes in running containers are discarded after use.

zabbix-docker-monitoring - :whale: Docker/Kubernetes/Mesos/Marathon/Chronos/LXC/LXD/Swarm container monitoring - Docker image, Zabbix template and C module

  •    C

If you like or use this project, please provide feedback to the author - Star it ★ and write what's missing for you. Monitoring of Docker containers by using Zabbix. Available CPU, mem, blkio, net container metrics and some container config details, e.g. IP, name, ... The Zabbix Docker module has native support for Docker containers (Systemd included) and should also support a few other container types (e.g. LXC) out of the box. Please feel free to test and provide feedback/open an issue. The module is focused on performance, see section Module vs. UserParameter script.

systemd-manager - A systemd service manager written in Rust with the GTK-rs wrapper and direct integration with dbus

  •    Rust

This application is a systemd service manager written in the Rust programming language with GTK3 as the graphical user interface of choice. The units are filtered into three separate lists: services, sockets, and timers. As a unit is selected in the left pane, the right pane is updated with information pertaining to that unit, and the right headerbar is updated to reflect the status of the unit, where you may disable/enable and start/stop the selected unit. Services are units that are activated immediately, sockets are units that are activated when they are needed, and timers are units that activate on a regular time interval. In addition to displaying units, the application also provides stats generated by systemd-analyze on the Systemd Analyze view. This is available in the AUR as a git package: systemd-manager-git.

rustysd - A service manager that is able to run "traditional" systemd services, written in rust

  •    Rust

Rustysd is a service manager that tries to replicate systemd behaviour for a subset of the configuration possibilities. It focuses on the core functionality of a service manager, without requiring to be PID 1 (aka the init process). TLDR: No, rustysd is no dedicated replacement. It is an opportunity for the niches where systemd could not get its foot down to profit (more easily) from the ecosystem around systemd.

go-systemd - Go bindings to systemd socket activation, journal, D-Bus, and unit files

  •    Go

Using the pure-Go journal package you can submit journal entries directly to systemd's journal, taking advantage of features like indexed key/value pairs for each log entry. The sdjournal package provides read access to the journal by wrapping around journald's native C API; consequently it requires cgo and the journal headers to be available. The machine1 package allows interaction with the systemd machined D-Bus API.

fleet - fleet ties together systemd and etcd into a distributed init system

  •    Go

fleet is no longer developed or maintained by CoreOS. After February 1, 2018, a fleet container image will continue to be available from the CoreOS Quay registry, but will not be shipped as part of Container Linux. CoreOS instead recommends Kubernetes for all clustering needs. fleet ties together systemd and etcd into a simple distributed init system. Think of it as an extension of systemd that operates at the cluster level instead of the machine level.

journalbeat - Journalbeat is a log shipper from systemd/journald to Logstash/Elasticsearch

  •    Go

Journalbeat is the Beat used for log shipping from systemd/journald based Linux systems. It follows the system journal very much like journalctl -f and sends the data to Logstash/Elasticsearch (or whatever you configured for your beat). Journalbeat is targeting pure systemd distributions like CoreOS, Atomic Host, or others. There are no intentions to add support for older systems that do not use journald.

eudev - Repository for eudev development

  •    C

This git repo is a fork of git://anongit.freedesktop.org/systemd/systemd with the aim of isolating udev from any particular flavor of system initialization. In this case, the isolation is from systemd. This is a project started by Gentoo developers and testing is currently being done mostly on OpenRC. We welcome contribution from others using a variety of system initializations to ensure eudev remains system initialization and distribution neutral.

openvpn-update-resolv-conf - Script that updates DNS settings that are pushed by the OpenVPN server

  •    Shell

This is a script to update your /etc/resolv.conf with DNS settings that come from the received push dhcp-options. Since network management is out of the OpenVPN client's scope, this script adds and removes the DNS settings provided by those options. However, if you have systemd 229 or newer, the better option is to use the script from https://github.com/jonathanio/update-systemd-resolved, which uses DBus calls instead of creating temporary *.network files.

hardening - Hardening Ubuntu. Systemd edition.

  •    Shell

A quick way to make an Ubuntu server a bit more secure. Tested on 17.10 Artful Aardvark, 18.04 Bionic Beaver and 18.10 Cosmic Cuttlefish (under development).
