A lightweight pure-python container implementation.
It is a wrapper around the Linux namespace functionality through libc
functions like unshare()
, nsenter()
and mount()
. You can
think of it as a sturdier chroot replacement, where cleanup is easy (no
lingering processes or leaked mountpoints). It needs superuser
privileges to run.
You can either install it with pip:
pip3 install furnace
Or if you want, the following commands will install the bleeding-edge version of furnace to your system.
git clone https://github.com/balabit/furnace.git cd furnace python3 setup.py install
This will of course install it into a virtualenv, if you activate it beforehand.
The only dependencies are:
- Python3.6+
- Linux kernel 2.6.24+
- A libc that implements setns() and nsenter() (that’s basically any libc released after 2007)
After installing, the main interface to use is the ContainerContext
class. It is, as the name suggests, a context manager, and after
entering, its run()
and Popen()
methods can be used exactly like
subprocess
’s similarly named methods:
from furnace.context import ContainerContext
with ContainerContext('/opt/ChrootMcChrootface') as container:
container.run(['ps', 'aux'])
The above example will run ps
in the new namespace. It should show
two processes, furnace’s PID1, and the ps
process itself. After
leaving the context, furnace will kill all processes started inside, and
destroy the namespaces created, including any mountpoints that were
mounted inside (e.g. with container.run(['mount', '...'])
).
Of course, all other arguments of run()
and Popen()
are
supported:
import sys
import subprocess
from furnace.context import ContainerContext
with ContainerContext('/opt/ChrootMcChrootface') as container:
ls_result = container.run(['ls', '/bin'], env={'LISTFLAGS': '-la'}, stdout=subprocess.PIPE, check=True)
print('Files:')
print(ls_result.stdout.decode('utf-8'))
file_outside_container = open('the_magic_of_file_descriptors.gz', 'wb')
process_1 = container.Popen(['cat', '/etc/passwd'], stdout=subprocess.PIPE)
process_2 = container.Popen(['gzip'], stdin=process_1.stdout, stdout=file_outside_container)
process_2.communicate()
process_1.wait()
As you can see, the processes started can inherit file descriptors from each other, or outside the container, and can also be managed from the python code outside the container, if you wish.
As a convenience feature, the context has an interactive_shell()
method that takes you into bash shell inside the container. This is
mostly useful for debugging:
import traceback
from furnace.context import ContainerContext
with ContainerContext('/opt/ChrootMcChrootface') as container:
try:
container.run(['systemctl', '--enable', 'nginx.service'])
except Exception as e:
print("OOOPS, an exception occured:")
traceback.print_exc(file=sys.stdout)
print("Entering debug shell")
container.interactive_shell()
raise
We appreciate any feedback, so if you have problems, or even suggestions, don’t hesitate to open an issue. Of course, Pull Requests are extra-welcome, as long as tests pass, and the code is not much worse than all other existing code :)
To set up a virtualenv with all the necessary tools for development, install the GNU make tool and the python3-venv package (it is supposed to be part of the standard python3 library, but on Ubuntu systems is an invidual package). Then simply run:
make dev
This will create a virtualenv in a directory named .venv. This
virtualenv is used it for all other make targets, like check
During and after development, you usually want to run both coding style checks, and integration tests. Make sure if the 'loop' kernel module has been loaded before you run the integration tests.
make lint make check
Please make sure at least these pass before submitting a PR.
This project is licensed under the GNU LGPLv2.1 License - see the LICENSE.txt for details