A simple, yet powerful tool to turn traditional container/OS images into unprivileged sandboxes.
Enroot can be thought of as an enhanced unprivileged chroot(1).
It uses the same underlying technologies as containers but removes much
of the isolation they inherently provide while preserving filesystem
separation.
This approach is generally preferred in high-performance environments
or virtualized environments where portability and reproducibility is
important, but extra isolation is not warranted.
Enroot is also similar to other tools like proot(1) or fakeroot(1)
but instead relies on more recent features from the Linux kernel (i.e.
user and mount namespaces), and provides facilities to import well known
container image formats (e.g. Docker).
Usage example:
# Import and start an Ubuntu image from DockerHub$ enroot import docker://ubuntu
$ enroot create ubuntu.sqsh
$ enroot start ubuntu
It bundles libbsd, which is available under a dual "3-clause BSD" and
"ISC" license as well as makeself, which is available under a "GNU
General Public License v2.0" license. For details, see deps/libbsd/ and deps/makeself/.
When reporting a security issue, do not create an issue or file a pull request. Instead, disclose the issue responsibly by sending an email to psirt<at>nvidia.com.