Build Your Own Docker with Linux Namespaces, Cgroups, and Chroot

This page summarizes the projects mentioned and recommended in the original post on news.ycombinator.com
Osdev Virtualization Unikernels Docker Unikernel

InfluxDB - Power Real-Time Data Analytics at Scale
Get real-time insights from all types of time series data with InfluxDB. Ingest, query, and analyze billions of data points in real-time with unbounded cardinality.
www.influxdata.com
featured
SaaSHub - Software Alternatives and Reviews
SaaSHub helps you find the best software and product alternatives
www.saashub.com
featured

  • Moby

    The Moby Project - a collaborative project for the container ecosystem to assemble container-based systems

    • Docker by default also applies a seccomp system call whitelist per [1] and restricts capabilities per [2], amongst numerous other default hardening practices that are applied. If a Docker container really had a need to call the "reboot" system call, this permission could be explicitly added.

    More complex sandboxing techniques include opening handles for sockets, pipes, files, etc and then hardening seccomp filters on top to prevent any new handles being opened. In this way, some containers can read/write defined files on a volume without having any ability to otherwise interact with file systems such as opening new files (all file system related system calls could be disabled).

    [1] https://github.com/moby/moby/blob/master/profiles/seccomp/de...

    [2] https://docs.docker.com/engine/security/#linux-kernel-capabi...

  • distroless

    🥑 Language focused docker images, minus the operating system.

    • Lots of examples without the entire OS as other comments mention, an example would be Googles distroless[0]

    [0]: https://github.com/GoogleContainerTools/distroless

  • InfluxDB

    Power Real-Time Data Analytics at Scale. Get real-time insights from all types of time series data with InfluxDB. Ingest, query, and analyze billions of data points in real-time with unbounded cardinality.

    InfluxDB logo

  • bocker

    Docker implemented in around 100 lines of bash

  • unikraft

    A next-generation cloud native kernel designed to unlock best-in-class performance, security primitives and efficiency savings.

    • unikernel is not the same microkernel.

    I've found these after some quick googling:

    https://unikraft.org/

  • nanos

    A kernel designed to run one and only one application in a virtualized environment

  • kernel

    A Rust-based, lightweight unikernel.

NOTE: The number of mentions on this list indicates mentions on common posts plus user suggested alternatives. Hence, a higher number means a more popular project.

Suggest a related project

Related posts

  • Building a unikernel that runs WebAssembly – part 1

    5 projects | news.ycombinator.com | 23 Oct 2023

  • Kolibri OS: fits on a floppy disk, programmed using interrupts

    6 projects | news.ycombinator.com | 30 Nov 2023

  • Mirage – A programming framework for building type-safe, modular systems

    10 projects | news.ycombinator.com | 23 Nov 2023

  • A kernel designed to run only one application in a virtualized environment

    1 project | news.ycombinator.com | 28 Jun 2022

  • Applications available in unikernels?

    2 projects | /r/UniKernel | 10 Jun 2022