Track Awesome Linux Containers Updates Daily
A curated list of awesome Linux Containers frameworks, libraries and software
🏠 Home · 🔍 Search · 🔥 Feed · 📮 Subscribe · ❤️ Sponsor · 😺 Friz-zy/awesome-linux-containers · ⭐ 1.6K · 🏷️ Platforms
Jun 11, 2023
Containers
- footloose (⭐1.6k)
Containers that look like Virtual Machines.
Jan 19, 2022
Sandboxes
- Lxroot (⭐88)
Lxroot is a flexible, lightweight, and safer alternative to chroot and/or Docker for non-root users on Linux.
Aug 27, 2021
Containers
- youki (⭐4.9k)
A container runtime written in Rust.
Jul 09, 2021
Containers
- sysbox (⭐2.1k)
Sysbox is a "runc" that creates secure (rootless) containers / pods that run not just microservices, but most workloads that run in VMs (e.g., systemd, Docker, and Kubernetes), seamlessly.
Oct 12, 2020
Security / Links
Sep 15, 2020
Dashboard
- swarmpit (⭐2.7k)
Lightweight mobile-friendly Docker Swarm management UI.
Security / Tools
- oci-seccomp-bpf-hook (⭐218)
OCI hook to trace syscalls and generate a seccomp profile.
Jul 02, 2020
Filesystem
- kaniko (⭐13k)
Kaniko is a tool to build container images from a Dockerfile, inside a container or Kubernetes cluster.
- umoci
Umoci is a tool to manipulate OCI container images, and can be used as a rudimentary build tool.
- docker pushrm (⭐118)
A Docker CLI plugin that that lets you push the README.md file from the current directory to a container registry. Supports Docker Hub, Quay and Harbor.
Dashboard
- portainer (⭐26k)
Lightweight Docker management UI.
Security / Links
Jan 24, 2019
Operating Systems
- MCL
MCL (Minimal Container Linux) is a from scratch minimal Linux OS designed specifically to run containers. It has a small footprint of ~50MB and boots within seconds. It is currently optimized to run Docker.
Jan 19, 2019
Specifications
- Cloud Native Application Bundle Specification (⭐922)
A package format specification that describes a technology for bundling, installing, and managing distributed applications, that are by design, cloud agnostic.
Dec 20, 2018
Clouds
- Nomad
HashiCorp Nomad is a single binary that schedules applications and services on Linux, Windows, and Mac. It is an open source scheduler that uses a declarative job file for scheduling virtualized, containerized, and standalone applications.
Nov 29, 2018
Hypervisors
- containerd
A container runtime which can manage a complete container lifecycle - from image transfer/storage to container execution, supervision and networking.
Containers
- podman (⭐19k)
Full management of container lifecycle.
- firecracker (⭐22k)
Firecracker runs workloads in lightweight virtual machines, called microVMs, which combine the security and isolation properties provided by hardware virtualization technology with the speed and flexibility of containers.
Nov 17, 2018
Clouds
- Alibaba Cloud Container Service
Container Service is a high-performance and scalable container application management service that enables you to use Docker and Kubernetes to manage the lifecycle of containerized applications.
Filesystem
- dive (⭐37k)
A tool for exploring each layer in a docker image.
- go-containerregistry (⭐2.5k)
Go library and CLIs for working with container registries.
Jun 12, 2018
Filesystem
- Whaler (⭐961)
Whaler is designed to reverse engineer a Docker Image into the Dockerfile that created it.
Dashboard
- Liman (⭐554)
Basic docker monitoring web application.
Security / Tools
- docker-explorer (⭐485)
A tool to help forensicate offline docker acquisitions.
Jun 07, 2018
Containers
- runv (⭐827)
Hypervisor-based (KVM, Xen, QEMU) Runtime for OCI. Security by isolation.
Filesystem
- skopeo (⭐6.4k)
Work with remote images registries - retrieving information, images, signing content.
- dgr (⭐246)
Command line utility designed to build and to configure at runtime App Containers Images (ACI) and App Container Pods (POD) based on convention over configuration.
Security / Tools
- gvisor (⭐14k)
gVisor is a user-space kernel, written in Go, that implements a substantial portion of the Linux system surface. It includes an Open Container Initiative (OCI) runtime called runsc that provides an isolation boundary between the application and the host kernel. The runsc runtime integrates with Docker and Kubernetes, making it simple to run sandboxed containers.
Mar 20, 2018
Hypervisors
- Lithos (⭐107)
Lithos is a process supervisor and containerizer for running services. It is not intended to be system init, but rather tries to be a base tool to build container orchestration.
Mar 19, 2018
Operating Systems
- HypriotOS
Minimal Debian-based operating systems that is optimized to run Docker. It made it dead easy use Docker on any Raspberry Pi.
Mar 16, 2018
Containers
- plash (⭐367)
Lightweight, rootless containers.
Mar 09, 2018
Sandboxes
- singularity (⭐2.4k)
Universal application containers for Linux.
Filesystem
- img (⭐3.8k)
Standalone, daemon-less, unprivileged Dockerfile and OCI compatible container image builder.
Jan 22, 2018
Hypervisors
- MultiDocker (⭐42)
Create a secure multi-user Docker machine, where each user is segregated into an indepentent container.
Dec 10, 2017
Security / Tools
- sockguard (⭐142)
A proxy for docker.sock that enforces access control and isolated privileges.
Security / Links
Dec 08, 2017
Containers
- Kata Containers
Kata Containers is a new open source project building extremely lightweight virtual machines that seamlessly plug into the containers ecosystem.
Dec 03, 2017
Partial Access
- Moby (⭐66k)
A "Lego set" of toolkit components for containers software created by Docker.
Filesystem
- container-diff (⭐3.5k)
A tool for analyzing and comparing container images.
- buildah (⭐6.4k)
A tool which facilitates building OCI container images.
Jul 06, 2017
Specifications
- Oracle microcontainer manifesto
This is not a new container format, but simply a specific method for constructing a container that allows for better security and stability.
Containers
- railcar (⭐1.1k)
Railcar is a rust implementation of the opencontainers initiative's runtime spec. It is similar to the reference implementation runc, but it is implemented completely in rust for memory safety without needing the overhead of a garbage collector or multiple threads.
Jul 04, 2017
Clouds
- CIAO
Cloud Integrated Advanced Orchestrator for Intel Clear Linux OS.
Apr 09, 2017
Security / Tools
- goss (⭐5.2k)
Quick and Easy server testing/validation.
Security / Links
Apr 01, 2017
Sandboxes
- Bubblewrap (⭐3.2k)
Run applications in a sandbox using Linux namespaces without root privileges, with user namespacing provided via setuid binary.
Nov 04, 2016
Security / Tools
- trireme
Security by segmentation for Docker and Kubernetes.
Oct 18, 2016
Security / Links
Oct 16, 2016
Specifications
- Nulecule Specification (⭐104)
Nulecule defines a pattern and model for packaging complex multi-container applications and services, referencing all their dependencies, including orchestration metadata in a container image for building, deploying, monitoring, and active management.
Clouds
- Rancher
Rancher is a complete, open source platform for deploying and managing containers in production. It includes commercially-supported distributions of Kubernetes, Mesos, and Docker Swarm, making it easy to run containerized applications on any infrastructure.
- Docker Swarm
Docker Swarm is native clustering for Docker.
- Azure Container Service
Azure Container Service optimizes the configuration of popular open source tools and technologies specifically for Azure.
Operating Systems
- CoreOs
A lightweight Linux operating system designed for clustered deployments providing automation, security, and scalability for your most critical applications.
- RancherOS
RancherOS is a tiny Linux distro that runs the entire OS as Docker containers.
- Project Atomic
Project Atomic provides the best platform for your Linux Docker Kubernetes (LDK) application stack. Use immutable infrastructure to deploy and scale your containerized applications.
- Snappy Ubuntu Core
Ubuntu Core is the perfect system for large-scale cloud container deployments, bringing transactional updates to the world’s favourite container platform.
- ResinOS
A host OS tailored for containers, designed for reliability, proven in production.
- Photon (⭐2.8k)
Photon OS is a minimal Linux container host designed to have a small footprint and tuned for VMware platforms. Photon is intended to invite collaboration around running containerized and Linux applications in a virtualized environment.
- Clear Linux Project
The Clear Linux Project for Intel Architecture is a distribution built for various Cloud use cases.
- CargOS
CargOS is a new lightweight, open source, platform for Docker hosts that aims for speed, manageability and security. Releases are built for 64-bit Intel/AMD CPUs.
- OSv
OSv is the open source operating system designed for the cloud. Built from the ground up for effortless deployment and management, with superior performance.
Containers
- udocker (⭐1.1k)
A basic user tool to execute simple containers in batch or interactive systems without root privileges.
- Let Me Contain That For You (⭐3.4k)
LMCTFY is the open source version of Google’s container stack, which provides Linux application containers.
- cc-oci-runtime (⭐416)
Intel Clear Linux OCI (Open Containers Initiative) compatible runtime.
Best practices
- The Twelve-Factor App
The twelve-factor app is a methodology for building software-as-a-service apps.
- Container Best Practices
A collaborative project to document container-based application architecture, creation and management from Project Atomic.
Security / Tools
- drydock (⭐63)
Drydock provides a flexible way of assessing the security of your Docker daemon configuration and containers using editable audit templates.
Aug 23, 2016
Clouds
- Virtuozzo
A platform, built on Virtuozzo containers, that can be easily run on top of any bare-metal or virtual servers in any public or private cloud, to automate, optimize, and accelerate internal IT and development processes.
Aug 11, 2016
Clouds
- Amazon EC2 Container Service
Container management service that supports Docker containers and allows you to easily run applications on a managed cluster of Amazon EC2 instances.
- Kubernetes
Manage a cluster of Linux containers as a single system to accelerate Dev and simplify Ops.
- Mesosphere
The Mesosphere Datacenter Operating System (DCOS) is a new kind of operating system that spans all of the machines in your datacenter or cloud. It provides a highly elastic, and highly scalable way of deploying applications, services and big data infrastructure on shared resources.
- OpenShift Origin
OpenShift Origin is a distribution of Kubernetes optimized for continuous application development and multi-tenant deployment. Origin adds developer and operations-centric tools on top of Kubernetes to enable rapid application development, easy deployment and scaling, and long-term lifecycle maintenance for small and large teams.
- Warden (⭐283)
Manages isolated, ephemeral, and resource controlled environments. Part of Cloud Foundry - the open platform as a service project.
Feb 26, 2016
Containers
- porto (⭐386)
The main goal of Porto is to create a convenient, reliable interface over several Linux kernel mechanism such as cgroups, namespaces, mounts, networking etc.
Feb 05, 2016
Dashboard
- LXC-Web-Panel
Web panel for LXC on Ubuntu.
Dec 14, 2015
Hypervisors
- Docker (⭐26k)
An open platform for distributed applications for developers and sysadmins. Standard de facto.
Sandboxes
- NsJail (⭐2.4k)
NsJail is a process isolation tool for Linux. It makes use of the namespacing, resource control, and seccomp-bpf syscall filter subsystems of the Linux kernel.
Security / Tools
- OpenSCAP (⭐239)
The OpenSCAP ecosystem provides multiple tools to assist administrators and auditors with assessment, measurement and enforcement of security baselines.
Security / Levels of security problems
- leak to another container (bug in namespaces, filesystem) -> user namespaces with different uid inside for each container: 1000 in container - 14293 and 15398 outside; security modules like selinux or apparmor
- root -> more of services should work on host outside; isolate sensitive functions, run as non-privileged context
- full privileges -> isolate on kernel level
- absolute privileges -> run it in separate vm
Dec 05, 2015
Clouds
- Joyent
High-Performance Container-Native Infrastructure for Today's Demanding Real-Time Web and Mobile Applications.
Nov 29, 2015
Partial Access
- CRIU
Checkpoint/Restore In Userspace is a software tool for Linux operating system. Using this tool, you can freeze a running application (or part of it) and checkpoint it to a hard drive as a collection of files. CRIU integrated with Docker and LXC to implement Live migration of containers.
Nov 22, 2015
Security / Tools
- bane (⭐1.1k)
Custom AppArmor profile generator for docker containers.
Nov 13, 2015
Security / Tools
- CoreOS Clair
Open Source Vulnerability Analysis for your Containers.
Nov 05, 2015
Another Information Sources / Technologies for security
- doger.io
This page is an attempt to document the ins and outs of containers on Linux. This is not just restricted to programmers looking to implement containers or use container like features in their own code but also Sysadmins and Users who want to get more of a handle on how containers work 'under the hood'.
Oct 28, 2015
Specifications
- Systemd Container Interface
Systemd is a suite of basic building blocks for a Linux system. It provides a system and service manager that runs as PID 1 and starts the rest of the system. If you write a container solution, please consider supporting the following interfaces.
Containers
- systemd-nspawn
Spawn a namespace container for debugging, testing and building. Part of systemd.
Another Information Sources / Technologies for security
- sysdig-container-ecosystem (⭐104)
The ecosystem of awesome new technologies emerging around containers and microservices can be a little overwhelming, to say the least. We thought we might be able to help: welcome to the Container Ecosystem Project.
Oct 19, 2015
Foundations
- Cloud Foundry Foundation
The Cloud is our foundry.
Clouds
- Jelastic
Unlimited PaaS and Container-Based IaaS in a Joint Cloud Solution for DevOps.
Oct 18, 2015
Security / Links
Aug 27, 2015
Containers
- Bocker (⭐11k)
Docker implemented in around 100 lines of bash.
Aug 24, 2015
Security / Tools
- Docker bench security (⭐8.4k)
The Docker Bench for Security is a script that checks for dozens of common best-practices around deploying Docker containers in production.
Security / Links
Aug 16, 2015
Foundations
- OPEN CONTAINER INITIATIVE
The Open Container Initiative is a lightweight, open governance structure, to be formed under the auspices of the Linux Foundation, for the express purpose of creating open industry standards around container formats and runtime.
- Cloud Native Computing Foundation
The Cloud Native Computing Foundation will create and drive the adoption of a new set of common container technologies informed by technical merit and end user value, and inspired by Internet-scale computing.
Specifications
- Open Container Specifications (⭐2.9k)
This project is where the Open Container Initiative Specifications are written. This is a work in progress.
- App Container basics (⭐8.8k)
App Container (appc) is an open specification that defines several aspects of how to run applications in containers: an image format, runtime environment, and discovery protocol.
Clouds
- Google Cloud Platform
Run Docker containers on Google Cloud Platform, powered by Kubernetes. Google Container Engine actively schedules your containers, based on declared needs, on a managed cluster of virtual machines.
Hypervisors
- LXD (⭐4k)
Daemon based on liblxc offering a REST API to manage LXC containers.
- OpenVZ
OpenVZ is container-based virtualization for Linux. OpenVZ creates multiple secure, isolated Linux containers (otherwise known as VEs or VPSs) on a single physical server enabling better server utilization and ensuring that applications do not conflict.
Containers
- runc (⭐11k)
runc is a CLI tool for spawning and running containers according to the OCS specification.
- Rocket (⭐8.8k)
rkt (pronounced "rock-it") is a CLI for running app containers on Linux. rkt is designed to be composable, secure, and fast. Based on AppC specification.
- LXC (⭐4.1k)
LXC is the well known set of tools, templates, library and language bindings. It's pretty low level, very flexible and covers just about every containment feature supported by the upstream kernel.
- Vagga (⭐1.8k)
Vagga is a fully-userspace container engine inspired by Vagrant and Docker, specialized for development environments.
- libct (⭐101)
Libct is a containers management library which provides convenient API for frontend programs to rule a container during its whole lifetime.
- libvirt
A big toolkit to interact with the virtualization capabilities of recent versions of Linux (and other OSes).
Sandboxes
- Firejail
Firejail is a SUID sandbox program that reduces the risk of security breaches by restricting the running environment of untrusted applications using Linux namespaces, seccomp-bpf and Linux capabilities.
- Subuser (⭐881)
Securing the Linux desktop with Docker.
- Snappy
Snappy Ubuntu Core is a new rendition of Ubuntu with transactional updates - a minimal server image with the same libraries as today’s Ubuntu, but applications are provided through a simpler mechanism.
- xdg-app
xdg-app is a system for building, distributing and running sandboxed desktop applications on Linux.
Partial Access
- nsenter
Run program with namespaces of other processes. Part of the util-linux.
- ip-netns
Process network namespace management. Part of the iproute2.
- unshare
Run program with some namespaces unshared from parent. Part of the util-linux.
- python-nsenter (⭐136)
This Python package allows entering Linux kernel namespaces (mount, IPC, net, PID, user and UTS) by doing the "setns" syscall.
- butter
Python library to interface to low level linux features (inotify, fanotify, timerfd, signalfd, eventfd, containers) with asyncio support.
- pyspaces (⭐87)
Works with Linux namespaces through glibc with pure python.
Security / Links
Security / Levels of security problems
- regular application
- always untrusted -> know it
- suid bit -> mount with nosuid
- limit available syscall -> seccomp-bpf, grsec
- system services like cron, ssh
- run as root -> isolate via bastion host or vm
- using /dev -> "devices" control group
The following device nodes are created in the container by default.
The Docker images are also mounted with nodev, which means that even if a device node was pre-created in the image, it could not be used by processes within the container to talk to the kernel.
/dev/console,/dev/null,/dev/zero,/dev/full,/dev/tty*,/dev/urandom,/dev/random,/dev/fuse
- root calls -> capabilities (cap_sys_admin warning!)
Here is the current list of capabilities that Docker uses: chown, dac_override, fowner, kill, setgid, setuid, setpcap, net_bind_service, net_raw, sys_chroot, mknod, setfcap, and audit_write.
Docker removes several of these capabilities including the following:
CAP_SETPCAP Modify process capabilities
CAP_SYS_MODULE Insert/Remove kernel modules
CAP_SYS_RAWIO Modify Kernel Memory
CAP_SYS_PACCT Configure process accounting
CAP_SYS_NICE Modify Priority of processes
CAP_SYS_RESOURCE Override Resource Limits
CAP_SYS_TIME Modify the system clock
CAP_SYS_TTY_CONFIG Configure tty devices
CAP_AUDIT_WRITE Write the audit log
CAP_AUDIT_CONTROL Configure Audit Subsystem
CAP_MAC_OVERRIDE Ignore Kernel MAC Policy
CAP_MAC_ADMIN Configure MAC Configuration
CAP_SYSLOG Modify Kernel printk behavior
CAP_NET_ADMIN Configure the network
CAP_SYS_ADMIN Catch all
uses /proc, /sys -> remount ro, drop cap_sys_admin; security modules like selinux or apparmor; some part of this fs are "namespace-aware"
Docker mounts these file systems into the container as "read-only" mount points.
. /sys
. /proc/sys
. /proc/sysrq-trigger
. /proc/irq
. /proc/bus
Copy-on-write file systems
Docker uses copy-on-write file systems. This means containers can use the same file system image as the base for the container. When a container writes content to the image, it gets written to a container specific file system. This prevents one container from seeing the changes of another container even if they wrote to the same file system image. Just as important, one container can not change the image content to effect the processes in another container.
- uid 0 -> user namespaces, uid 0 mappet to random uid outside
- system services like devices, network, filesystems
- kernel drivers, network stack, security policies
- general like immutable infrastructure
- container is ro
- write to small separate rw nosuid part
Security / Technologies for security
- SELinux
- Cgroups
- file systems under /sys
- /proc/sys, /proc/sysrq-trigger, /proc/irq, /proc/bus
- /dev/mem
- /dev/sd* file system devices
- kernel modules