This repository provides educational material and sample code that demystify how containerization works and how container components fit together in practice. It walks through the responsibilities of an image format, a registry, and a runtime, and shows how a minimal runtime assembles an isolated process with the right filesystem view, environment, and entrypoint. The samples call out security hardening considerations such as process isolation, filesystem scoping, and least-privilege execution, so that containers are not just portable but safer by default. Developers get a blueprint for taking standard container images and running them in a way that respects platform conventions, tooling, and policies. The emphasis is on clarity and standards alignment rather than on building a production-grade engine, which makes the code well suited to learning and experimentation.
Features
- Manage OCI images: pull, push, storage formats, etc.
- Interact with remote registries (authentication, fetching)
- Create and populate ext4 file systems inside container VMs
- Interact with the Netlink socket family for container networking and low-level configuration
- Spawn lightweight virtual machines per container, with an optimized Linux kernel for fast boot times
- Support for Rosetta 2 for running linux/amd64 containers on Apple Silicon
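The pull side of the OCI image and registry features listed above, as an added example that is not code from this project: it answers a registry's bearer-token challenge, resolves a tag to a manifest, pins the manifest digest, and refuses any config or layer blob whose size or sha256 digest does not match the descriptor that referenced it. The media types and the WWW-Authenticate challenge format are the real OCI distribution conventions; everything else (FakeRegistry, pull_image, verify_descriptor, the token, the image contents) is constructed for this example so it runs offline.

```python
"""Digest-verified OCI image pull against a constructed in-memory registry.

Added example, not the project's own code. FakeRegistry stands in for the
HTTP /v2/<repo>/manifests/<ref> and /v2/<repo>/blobs/<digest> endpoints;
the token, image bytes and helper names are this example's own.
"""
import hashlib
import json
import re

# Real OCI image-spec media types.
MANIFEST_MT = "application/vnd.oci.image.manifest.v1+json"
CONFIG_MT = "application/vnd.oci.image.config.v1+json"
LAYER_MT = "application/vnd.oci.image.layer.v1.tar+gzip"


def digest_of(data: bytes) -> str:
    """Content address in OCI form: 'sha256:<hex>'."""
    return "sha256:" + hashlib.sha256(data).hexdigest()


def descriptor(media_type: str, data: bytes) -> dict:
    """Build the OCI descriptor (mediaType, digest, size) that references a blob."""
    return {"mediaType": media_type, "digest": digest_of(data), "size": len(data)}


def parse_bearer_challenge(header: str) -> dict:
    """Parse a 401 'WWW-Authenticate: Bearer realm="..",service="..",scope=".."' header."""
    scheme, _, params = header.partition(" ")
    if scheme.lower() != "bearer":
        raise ValueError(f"unsupported auth scheme {scheme!r}")
    return dict(re.findall(r'(\w+)="([^"]*)"', params))


def verify_descriptor(desc: dict, data: bytes) -> bytes:
    """Accept a blob only if it matches the descriptor that pointed at it."""
    algo = desc["digest"].partition(":")[0]
    if algo != "sha256":
        raise ValueError(f"unsupported digest algorithm {algo!r}")
    if len(data) != desc["size"]:
        raise ValueError(f"size mismatch for {desc['digest']}")
    actual = digest_of(data)
    if actual != desc["digest"]:
        raise ValueError(f"digest mismatch: got {actual}, want {desc['digest']}")
    return data


class FakeRegistry:
    """Constructed stand-in for a registry: blobs keyed by digest, tags mapped to manifest digests."""
    CHALLENGE = ('Bearer realm="https://auth.example/token",'
                 'service="registry.example",scope="repository:app/web:pull"')

    def __init__(self, blobs: dict, tags: dict, token: str):
        self.blobs, self.tags, self.token = blobs, tags, token

    def get(self, kind: str, ref: str, auth):
        """kind is 'manifests' or 'blobs'; returns (status, headers, body)."""
        if auth != f"Bearer {self.token}":
            return 401, {"WWW-Authenticate": self.CHALLENGE}, b""
        digest = self.tags.get(ref, ref) if kind == "manifests" else ref
        body = self.blobs.get(digest)
        if body is None:
            return 404, {}, b""
        return 200, {"Docker-Content-Digest": digest}, body


def pull_image(registry: FakeRegistry, ref: str, token_endpoint) -> dict:
    """Resolve ref, then fetch config and layers, verifying every blob against its descriptor.

    token_endpoint(challenge_params) stands in for the call to the realm named
    in the 401 challenge (assumed callable; here it just returns a token).
    """
    auth = None
    status, headers, body = registry.get("manifests", ref, auth)
    if status == 401:
        auth = "Bearer " + token_endpoint(parse_bearer_challenge(headers["WWW-Authenticate"]))
        status, headers, body = registry.get("manifests", ref, auth)
    if status != 200:
        raise RuntimeError(f"manifest fetch failed: HTTP {status}")

    # A digest ref is verified against the client's own expectation; a tag ref
    # can only be checked against the digest the server asserts, so pin that
    # digest and use it for every later pull instead of the mutable tag.
    expected = ref if ref.startswith("sha256:") else headers["Docker-Content-Digest"]
    if digest_of(body) != expected:
        raise ValueError("manifest digest mismatch")
    manifest = json.loads(body)
    if manifest.get("mediaType") != MANIFEST_MT:
        raise ValueError("unexpected manifest media type")

    fetched = {}
    for desc in [manifest["config"], *manifest["layers"]]:
        status, _, blob = registry.get("blobs", desc["digest"], auth)
        if status != 200:
            raise RuntimeError(f"blob {desc['digest']} fetch failed: HTTP {status}")
        fetched[desc["digest"]] = verify_descriptor(desc, blob)
    return {"digest": expected,
            "config": json.loads(fetched[manifest["config"]["digest"]]),
            "layers": [d["digest"] for d in manifest["layers"]]}


def build_sample_image():
    """Constructed image: a config JSON and one placeholder layer (not a real tarball)."""
    layer = b"placeholder-layer-bytes"
    config = json.dumps({"architecture": "arm64", "os": "linux",
                         "config": {"Entrypoint": ["/bin/sh"]}}).encode()
    manifest = json.dumps({"schemaVersion": 2, "mediaType": MANIFEST_MT,
                           "config": descriptor(CONFIG_MT, config),
                           "layers": [descriptor(LAYER_MT, layer)]}).encode()
    blobs = {digest_of(config): config, digest_of(layer): layer, digest_of(manifest): manifest}
    return blobs, digest_of(manifest)


def demo_pull() -> dict:
    blobs, mdigest = build_sample_image()
    reg = FakeRegistry(blobs, {"latest": mdigest}, token="t0k3n")
    return pull_image(reg, "latest", lambda params: "t0k3n")


def demo_tampered_pull() -> str:
    """Registry serves a modified layer under the original digest; the pull must fail."""
    blobs, mdigest = build_sample_image()
    layer_digest = json.loads(blobs[mdigest])["layers"][0]["digest"]
    blobs[layer_digest] = blobs[layer_digest][:-1] + b"X"   # same size, different bytes
    reg = FakeRegistry(blobs, {"latest": mdigest}, token="t0k3n")
    try:
        pull_image(reg, "latest", lambda params: "t0k3n")
    except ValueError as err:
        return str(err)
    return "no error"


if __name__ == "__main__":
    print(demo_pull())
    print(demo_tampered_pull())
```

The size check before hashing is deliberate: a descriptor states both, and a blob that is larger than declared should be rejected before the runtime spends time hashing it. Real pulls should also cap how much of an unverified blob is buffered, which the in-memory stand-in above does not model.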