13 releases (5 stable)

1.2.0 May 25, 2024
1.1.2 Apr 5, 2024
1.1.1 Mar 19, 2024
1.1.0 Dec 30, 2023
0.1.1 Apr 5, 2023

#289 in Command line utilities

32 downloads per month

MIT license

96KB
2.5K SLoC

Keg

Crates.io Build Status

Keg is a portable container without boilerplate.

  • Keg is rootless and runs as a regular user.
  • Keg doesn't create any hidden directories in ~ and doesn't read/write any file unprompted except the current directory.

You can:

  • Use your current / as the base image and exclude sensitive paths like /home. Or import your own rootfs for complete isolation.
  • Make / appear writable in your container with changes either kept in memory, or written to another directory, using overlayfs.
  • Add firewall rules to the container with nftables.

Under the hood, Keg runs a Podman container in a separate Linux namespace. Keg isolation is secure as long as Podman is secure.

Examples

Warning

If you get an error such as Cannot run [...]: Operation not permitted (os error 1), your kernel may have this bug. You need to append --share-time to all Keg container commands.

  1. Map /bin, /etc, /lib, /lib64, /opt, /sbin, /usr, /var into the container and map current directory to /root/workspace. All paths will appear writable, but only changes to /root/workspace are permanent:

    keg --share-net
    
  2. Map /bin, /etc, /lib, /lib64, /opt, /sbin, /usr, /var into the container. All paths will appear writable, but changes are written to paths inside ./container:

    keg-rootfs --share-net
    
  3. Map ./root into the container as /. Changes are written to paths inside ./my_container:

    keg-rootfs --share-net -r ./root -u ./my_container
    

In addition to all the above, use --net-nft-rules ./nftables_rules.txt to import firewall rules from ./nftables_rules.txt. Remove --share-net to disable network access in the container.

You will appear as root (uid 0) in the container. As per usual, this does not give you global root. Some applications require a non-root user to function correctly. If that's the case, run

keg-user

within the container to create a new user namespace as a non-root user. You can optionally specify --uid <uid> and --gid <gid>.

Installation

Keg works as long as all dependencies listed below are installed:

bubblewrap >= 0.4.0, fuse-overlayfs >= 1.5, libseccomp >= 2.4, linux >= 5.4.0, nftables >= 0.9.3, podman >= 3.4.2, slirp4netns >= 1.1.8

Installation Examples

Ubuntu >= 22.04

Run the following commands and reboot:

sudo apt-get update -y
sudo apt-get -qq -y install bubblewrap fuse-overlayfs libseccomp-dev nftables podman slirp4netns

# If not installed already:
sudo apt-get -qq -y install cargo
export PATH="$HOME/.cargo/bin:$PATH"
echo 'PATH="$HOME/.cargo/bin:$PATH"' >> ~/.profile

cargo install keg

Ubuntu 20.04

First, follow these instructions to install podman. Then execute the following and reboot:

sudo apt-get -qq -y install bubblewrap fuse-overlayfs libseccomp-dev nftables slirp4netns

# If not installed already:
sudo apt-get -qq -y install cargo
export PATH="$HOME/.cargo/bin:$PATH"
echo 'PATH="$HOME/.cargo/bin:$PATH"' >> ~/.profile

cargo install keg

Dependencies

~1–1.6MB
~38K SLoC