| SYD-OCI(1) | General Commands Manual | SYD-OCI(1) |
NAME
syd-oci - OCI container runtime
SYNOPSIS
syd-oci [OPTIONS] [COMMAND]
DESCRIPTION
syd-oci is an OCI container runtime implementation for syd(1).
All common subcommands are supported: create, start, state, kill, delete, pause, resume, exec, run, list, ps, spec, events, features, update and checkpoint.
INTEGRATION
syd-oci is a thin wrapper around youki(1) that integrates the syd(1) sandbox into containers. It is compatible with docker(1) and podman(1). To get syd-oci, you should build syd(1) with the "oci" feature. To use syd-oci with docker(1) you have two options: Either start dockerd(8) manually with the option "--add-runtime=syd-oci=/bin/syd-oci", and do for example "docker run -it --runtime=syd-oci alpine" when starting containers, or add the following snippet to your "/etc/docker/daemon.json" file:
{
"runtimes": { "syd-oci": { "path": "/bin/syd-oci" } },
"default-runtime": "syd-oci"
}
You may need to adapt the path to syd-oci depending on your installation. To use with podman(1) is similar, just pass "--runtime=/bin/syd-oci" as an option to "podman run".
CONFIGURATION
The configuration directory of syd-oci is one of the following:
- For system-wide containers: "/etc/syd/oci"
- For rootless containers, one of the following:
- "${XDG_CONFIG_HOME}/syd/oci" where XDG_CONFIG_HOME is usually "~/.config".
- "${HOME}/.syd/oci" if XDG_CONFIG_HOME is not set.
syd-oci attempts to configure the syd(1) sandbox in the following order, and parses the first file or profile it locates and stops processing:
- If hostname and domainname is defined for the container, try to load "${SYD_CONFIG_DIR}/${hostname}.${domainname}.syd-3".
- If domainname is defined for the container, try to load "${SYD_CONFIG_DIR}/${domainname}.syd-3".
- If hostname is defined for the container, try to load "${SYD_CONFIG_DIR}/${hostname}.syd-3".
- Try to load "${SYD_CONFIG_DIR}/default.syd-3"
- Load the builtin "oci" profile. This profile is designed to be combined with pandora(1) and learning mode. See "syd-cat -p oci" for the list of rules.
SYD_CONFIG_DIR in the items above refer to the configuration directory. Refer to syd(5) for the syntax of syd(1) configuration files and syd(2) for a list of configuration items syd(1) understands. A vim(1) syntax highlighting file is also provided to easily edit syd(1) configuration files. Use "syd-cat file.syd-3" to check a syd(1) configuration file for syntax errors.
Finally, note that the "include" directives in the configuration files are searched within the container image. This allows you to provide additional image-based sandbox configuration. One possible use could be to store cryptographic checksums of all executables and their dependent dynamic libraries in an include file in the image and then use this with Force Sandboxing for binary verification, see syd(7) for more information on Force Sandboxing.
SEE ALSO
syd(1), syd(2), syd(5), syd(7), pandora(1), docker(1), dockerd(8), podman(1), youki(1)
- syd homepage: https://sydbox.exherbolinux.org/
- youki homepage: https://containers.github.io/youki/
AUTHORS
Maintained by Ali Polatel. Up-to-date sources can be found at https://gitlab.exherbo.org/sydbox/sydbox.git and bugs/patches can be submitted to https://gitlab.exherbo.org/groups/sydbox/-/issues. Discuss in #sydbox on Libera Chat.
| 2025-02-14 |