crysco

Crysco is a toy Linux container implementation based on barco, rewritten in the Crystal language. It utilizes cgroups, namespaces, overlayfs, seccomp and capabilities to provide isolated environments. As a non-C program, it also required writing minimal bindings for libseccomp, libcap, and kernel system calls (not the libc wrappers).

It's basically fancy chroot and is not intended for real-world use.

Setup/installation

Requires the libcap and libseccomp libraries and the Crystal compiler.

On Debian derivatives:

sudo apt install -y libcap-dev libseccomp-dev
crystal build --release src/crysco.cr

Usage

In this example, we create an environment with BusyBox utilities (note that the BusyBox shell does not display prompts properly as a result of blocking the TIOCSTI ioctl with seccomp, but should still be able to execute commands interactively):

mkdir -p ~/crysco-busybox-container/usr/bin
cd ~/crysco-busybox-container/usr/bin
wget https://busybox.net/downloads/binaries/1.35.0-x86_64-linux-musl/busybox
chmod +x busybox

# link typical userspace utilities to the busybox binary
while read -r cmd; do
  ln -s /usr/bin/busybox $cmd
done < <(./busybox --list)

# cd back to your crysco repository, then:
sudo ./crysco run --mount ~/crysco-busybox-container ls -- -alh /usr/bin

Potential improvements

• Code quality
  • Update libcap and libseccomp wrappers to have similar API styles
  • Make the codebase look less like a C program in general
  • Clean up special cases for new container vs existing container?
• Investigate interaction of pty, TIOCSTI blocking, and BusyBox shells
• Add options for managing environment variables
• Handle missing container root gracefully
• Linux networking
• Handle ctrl-c nicely (currently exits without cleanup)