Tool that allows users to build secure and minimized oci-compliant containers from rpm files, yum repositories, or existing docker containers. These containers contain only the absolute minimum necessary to run the desired functionality, and are therefore easier to keep updated and more difficult to compromise.
Utility that allows a user to load a filesystem with debug tools into a running container. While some container debugging can be done from the host, people often embed debugging tools inside their container, which makes them less efficient and less secure. This provides a method to keep the tools separate, as well as allowing a user to later add new tools that they didn’t include when the container was built. It is built in rust for memory safety.
Implementation of the oci-runtime spec written in rust. The oci-runtime spec describes how to isolate a container process given a json configuration file. Isolation requires a lot of low-level interactions with the kernel, so rust’s memory safety provides some security advantages over an equivalent implementation in C.