A rootless container running vlmcsd.
Since March 2023, vlmcsd images has been upgraded to a rootless
container, it based on "Distroless" image and uses Buildah as a container compilation engine. Why do we use them?.
Pull this image:
docker pull ghcr.io/mogeko/vlmcsd:latest
Run with docker cli:
docker run -d --name vlmcsd -p 1688:1688 --restart unless-stopped ghcr.io/mogeko/vlmcsd:latest
Run with docker-compose:
---
version: 2.1
services:
vlmcsd:
image: ghcr.io/mogeko/vlmcsd:latest
container_name: vlmcsd
ports:
- 1688:1688
restart: unless-stopped
Container images are configured using parameters passed at runtime (such as those above). These parameters are separated by a colon and indicate <external>:<internal>
respectively. For example, -p 8080:80
would expose port 80
from inside the container to be accessible from the host's IP on port 8080
outside the container.
Parameter | Function |
---|---|
-p 1688 |
tcp connection port |
"Distroless" container image is an application-centered OCI container image launched by Google for the Kubernetes project. It contain only your application and its runtime dependencies. They do NOT contain package managers, shells or any other programs you would expect to find in a standard Linux distribution (Your application will be the only executable program in the entire container image).
Compared with the traditional complete Debian container image, Distroless has an unparalleled size advantage, its minimum is only 2MB, less than 2% of the Debian (124MB). Compared with Alpine Linux, it has a smaller attack surface and better compatibility (based on Debian and glibc
).
Image | Size | rootless? | shell? | package-manager? | other programs? | C library |
---|---|---|---|---|---|---|
distroless | 12.6MB | support | ❌ | ❌ | ❌ | glibc |
debian | 118MB | support? | bash |
apt-get |
✅ | glibc |
alpine | 7.51MB | support? | bash |
apk |
✅ | musl |
As for Buildah. It is a container mirror compilation engine launched by Red Hat. Its biggest selling point is that it allows you to create a container images in a completely unprivileged environment, that is "rootless". With the help of Buildah, we were able to put the entire life cycle of the container's compilation and operation in the user namespace. So as to protect our digital security.
https://forums.mydigitallife.net/threads/emulated-kms-servers-on-non-windows-platforms.50234
https://www.upload.ee/files/11363704/vlmcsd-1113-2020-03-28-Hotbird64.7z.html
The code in this project is released under the MIT License.