Awesome, I think Docker is a pile, and I would like to see more approaches like this.
I haven’t been a fan of Rust, but it’s better than Go for stuff like this.
Go is also a bad language for implementing containerization tools because you can’t reliably do anything between fork() and exec() in the presence of Go’s threaded runtime. That’s why they exposed os.ForkExec() rather than separate calls (fork() and exec() are reserved for the less safe/less portable syscall module.)
A few years ago I hacked up this tiny tool, toward writing a containerized package manager:
But I eventually ended up writing my own 200-300 line tool in C. It’s pretty easy: you just parse flags and make chroot and Linux namespace calls, and then setuid root.
Then you control that tiny tool with shell scripts. This is a more “least privilege” correct separation than Docker, which has a big chunk of code running as root.
I think systemd actually gets it right with systemd-nspawn, although I haven’t looked at it in detail. It’s probably better than Docker though.
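A sketch of the kind of tiny C launcher the comment above describes (parse flags, enter namespaces, chroot, then drop to an unprivileged uid before exec). This is an added example, not the commenter's tool; the flag names, `struct opts` and any paths are assumptions, and it is meant to be installed setuid-root and driven from shell scripts.

```c
#define _GNU_SOURCE
#include <grp.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/mount.h>
struct opts { const char *root; uid_t uid; gid_t gid; int clone_flags; char **argv; };
/* Parse "--root DIR --uid N --gid N [--net] -- cmd [args]" (assumed flag set). 0 = ok, -1 = malformed or unsafe. */
int parse_opts(int argc, char **argv, struct opts *o) {
    memset(o, 0, sizeof *o);
    o->clone_flags = CLONE_NEWNS;            /* always a private mount namespace */
    int i = 1;
    for (; i < argc && strcmp(argv[i], "--") != 0; i++) {
        if (!strcmp(argv[i], "--root") && i + 1 < argc) o->root = argv[++i];
        else if (!strcmp(argv[i], "--uid") && i + 1 < argc) o->uid = (uid_t)strtoul(argv[++i], NULL, 10);
        else if (!strcmp(argv[i], "--gid") && i + 1 < argc) o->gid = (gid_t)strtoul(argv[++i], NULL, 10);
        else if (!strcmp(argv[i], "--net")) o->clone_flags |= CLONE_NEWNET;
        else return -1;
    }
    if (i + 1 >= argc) return -1;            /* nothing to exec after "--" */
    o->argv = argv + i + 1;
    /* Refuse to leave the payload running as root: dropping privilege is the whole point. */
    if (!o->root || o->root[0] != '/' || o->uid == 0 || o->gid == 0) return -1;
    return 0;
}
/* Drop root irreversibly (supplementary groups, then gid, then uid) and verify it cannot be regained. */
int drop_privs(uid_t uid, gid_t gid) {
    if (setgroups(0, NULL) != 0 || setresgid(gid, gid, gid) != 0) return -1;
    if (setresuid(uid, uid, uid) != 0) return -1;
    if (setuid(0) == 0 || getuid() != uid || geteuid() != uid) return -1;  /* must fail to regain root */
    return 0;
}
/* Enter namespaces, confine the filesystem view, drop root, exec. Needs root; only returns on failure. */
int sandbox_exec(const struct opts *o) {
    if (unshare(o->clone_flags) != 0) { perror("unshare"); return -1; }
    /* Make mounts private so nothing done inside propagates back to the host. */
    if (mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL) != 0) { perror("mount"); return -1; }
    if (chroot(o->root) != 0 || chdir("/") != 0) { perror("chroot"); return -1; }
    if (drop_privs(o->uid, o->gid) != 0) { perror("drop_privs"); return -1; }
    execvp(o->argv[0], o->argv);
    perror("execvp"); return -1;
}
int main(int argc, char **argv) {
    struct opts o;
    if (parse_opts(argc, argv, &o) != 0) {
        fprintf(stderr, "usage: %s --root DIR --uid N --gid N [--net] -- cmd [args]\n", argv[0]);
        return 2;
    }
    return sandbox_exec(&o) == 0 ? 0 : 1;
}
```

chroot plus a mount namespace only confines the filesystem view; a production version of this helper would also pivot_root, clear the capability bounding set and install a seccomp filter before exec.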
What are the differences to rkt?