concil is a simple, rootless, and daemonless container manager designed to run OCI-compliant Linux containers.
It provides a lightweight and secure way to run standalone applications in isolated user-space environments.
With a focus on simplicity and security, concil offers features like image encryption and signature verification, making it an excellent alternative to more complex containerization tools.
- OCI-Compliant: Run containers from OCI-compliant registries like Docker Hub.
- Rootless and Daemonless: Run containers without requiring root privileges or a background daemon.
- Image Encryption: Encrypt container layers for enhanced security.
- Signature Verification: Verify the integrity and authenticity of container images using cosign.
- Image Management: Build, copy, and manage container images with a simple command-line interface.
- Low Complexity: A straightforward and easy-to-understand tool for container management.
| | Docker | Concil |
|---|---|---|
| OCI-Repository | ✓ | ✓ |
| Signature | ✓ | ✓ |
| Encryption | ✗ | ✓ |
| Rootless / Daemonless | ✗ | ✓ |
| Network isolation | ✓ | ✗ |
| Complexity | high | low |
You need Python 3.6+ to run concil.
It uses image layers in squashfs format. Build the squashfuse library from https://github.com/ruema/squashfuse.
To create squashfs layers, tar2sq from squashfs-tools-ng is used.
As a third component, fuse-overlayfs is used for interactive layer creation.
$ concil_run.py docker://docker.io/library/alpine:latest
First download a base image to a local directory:
$ concil copy docker://docker.io/library/alpine:latest ./alpine
Then add a directory as an additional layer:
$ mkdir -p ./layer/bin
$ echo "echo 'Hello world!'" >./layer/bin/hello.sh
$ chmod a+x ./layer/bin/hello.sh
$ concil copy --add-layer ./layer --entry-point /bin/hello.sh ./alpine ./hello_world
The container is finished and can be run:
$ concil_run.py ./hello_world