Emilua is an execution engine. As a runtime for your Lua programs

https://news.ycombinator.com/rss Hits: 4
Summary

A generic, C-powered and Lua-driven container runtime. Many container runtimes focus on one specific containerization technology, such as Linux namespaces. Emilua instead acts as a generic container runtime that supports different kernel technologies:

  - Linux namespaces
  - FreeBSD jails

Many container runtimes (e.g. bubblewrap, nsjail) are CLI-driven and leave little room for flexibility. The standard tool for automating CLI usage is Bash, but Bash cannot restore the missing flexibility: it can only automate CLI arguments. Bash scripts are a poor match for the internal setup phases of a container, and running them there is not usually supported at all. Even where Bash hooks exist for the setup phases (e.g. LXC pre-mount and net-up scripts), they are usually very restricted in scope, given how ill-suited Bash is to driving the setup of a container. Bash scripts give you more to worry about when bringing up a container, not less:

  - Poor synchronization primitives for the complex setup that new Linux namespaces require. Bash only gives you pipes and files, and files cannot even be used in every step of this setup (e.g. across mount namespaces and pivot_root). Emilua gives you a rich pool of IPC primitives that are not available to Bash scripts (check the documentation).

  - You must be extra careful never to call any binary from the container image, since these images must always be assumed compromised (isolating untrusted software is the whole point of a container to begin with), yet Bash can do nothing on its own and must always rely on external tools. (If you do drive setup from Bash, static busybox binaries are a good idea as well, so you do not accidentally load compromised shared libraries from the container image.) Emilua is safer here: it exposes a subset of the POSIX API plus a few extensions (e.g. mkdir, mount) that invoke the syscalls directly from the Lua script that initializes the container namespaces, so no container binary is ever involved.
The pragmatic solution is to never involve BASH in the setup of ...
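As an added example (not Emilua's code and not taken from the article), the same principle written in C against the Linux syscall interface: a minimal setup phase that creates a user, mount and pid namespace, mounts /proc and pivots into the new root using mkdir(2), mount(2), pivot_root(2) and umount2(2) directly, and only execs a binary from the image once setup is complete. The path-safety check (`target_is_safe`, `join_under_root`), the rootfs and entrypoint arguments, and the helper names are assumptions made for illustration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/mount.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* pivot_root(2) has no glibc wrapper; call it through syscall(2). */
static long pivot_root_sys(const char *new_root, const char *put_old) {
    return syscall(SYS_pivot_root, new_root, put_old);
}

/* Assumed helper: a relative mount target is safe when it cannot climb out of
 * the new root: no leading '/', no empty, "." or ".." component, no trailing '/'. */
int target_is_safe(const char *rel) {
    if (rel == NULL || *rel == '\0' || *rel == '/') return 0;
    for (const char *p = rel; *p;) {
        const char *seg = p;
        while (*p && *p != '/') p++;
        size_t len = (size_t)(p - seg);
        if (len == 0) return 0;                                   /* "a//b"   */
        if (len == 1 && seg[0] == '.') return 0;                  /* "./proc" */
        if (len == 2 && seg[0] == '.' && seg[1] == '.') return 0; /* "../etc" */
        if (*p == '/' && *++p == '\0') return 0;                  /* "proc/"  */
    }
    return 1;
}

/* Build "<rootfs>/<rel>" into out; -1 with errno set on unsafe or too-long input. */
int join_under_root(char *out, size_t n, const char *rootfs, const char *rel) {
    if (!target_is_safe(rel)) { errno = EINVAL; return -1; }
    size_t rl = strlen(rootfs);
    while (rl > 1 && rootfs[rl - 1] == '/') rl--;   /* tolerate "/srv/rootfs/" */
    int w = (rl == 1 && rootfs[0] == '/') ? snprintf(out, n, "/%s", rel)
                                          : snprintf(out, n, "%.*s/%s", (int)rl, rootfs, rel);
    if (w < 0 || (size_t)w >= n) { errno = ENAMETOOLONG; return -1; }
    return 0;
}

static int write_file(const char *path, const char *data) {
    int fd = open(path, O_WRONLY | O_CLOEXEC);
    if (fd == -1) return -1;
    ssize_t w = write(fd, data, strlen(data));
    close(fd);
    return w == (ssize_t)strlen(data) ? 0 : -1;
}

/* Runs in the fresh mount namespace. Every step is a direct syscall
 * (mkdir, mount, pivot_root, umount2); nothing from the image is exec'd. */
int setup_rootfs(const char *rootfs) {
    char path[PATH_MAX];
    /* Keep mount events from propagating back into the host's mount namespace. */
    if (mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL) == -1) return -1;
    /* pivot_root needs new_root to be a mount point: bind it onto itself. */
    if (mount(rootfs, rootfs, NULL, MS_BIND | MS_REC, NULL) == -1) return -1;
    /* Provide /proc for the new pid namespace, with the usual hardening flags. */
    if (join_under_root(path, sizeof path, rootfs, "proc") == -1) return -1;
    if (mkdir(path, 0555) == -1 && errno != EEXIST) return -1;
    if (mount("proc", path, "proc", MS_NOSUID | MS_NODEV | MS_NOEXEC, NULL) == -1) return -1;
    /* pivot_root(".", ".") then detach the old root, as shown in pivot_root(2). */
    if (chdir(rootfs) == -1) return -1;
    if (pivot_root_sys(".", ".") == -1) return -1;
    if (umount2(".", MNT_DETACH) == -1) return -1;
    return chdir("/");
}

int main(int argc, char **argv) {
    if (argc < 3) { fprintf(stderr, "usage: %s <rootfs> <entrypoint> [args...]\n", argv[0]); return 2; }
    char map[64];
    uid_t uid = getuid(); gid_t gid = getgid();
    /* User namespace first so this works unprivileged; the pid namespace is
     * what lets the proc mount in setup_rootfs succeed inside that user namespace. */
    if (unshare(CLONE_NEWUSER | CLONE_NEWNS | CLONE_NEWPID) == -1) { perror("unshare"); return 1; }
    snprintf(map, sizeof map, "%u %u 1\n", uid, uid);
    if (write_file("/proc/self/uid_map", map) == -1) { perror("uid_map"); return 1; }
    if (write_file("/proc/self/setgroups", "deny") == -1) { perror("setgroups"); return 1; }
    snprintf(map, sizeof map, "%u %u 1\n", gid, gid);
    if (write_file("/proc/self/gid_map", map) == -1) { perror("gid_map"); return 1; }
    pid_t child = fork();   /* the first child becomes pid 1 of the new pid namespace */
    if (child == -1) { perror("fork"); return 1; }
    if (child == 0) {
        if (setup_rootfs(argv[1]) == -1) { perror("setup_rootfs"); _exit(1); }
        /* Only now does a binary from the image run: the entrypoint, after setup. */
        execv(argv[2], argv + 2);
        perror("execv");
        _exit(1);
    }
    int status;
    if (waitpid(child, &status, 0) == -1) { perror("waitpid"); return 1; }
    return WIFEXITED(status) ? WEXITSTATUS(status) : 1;
}
```

Build with `gcc -Wall -o setup setup.c` and run as an unprivileged user, e.g. `./setup /srv/rootfs /bin/sh` (the rootfs path is an assumption). It needs a kernel that permits unprivileged user namespaces; on systems that restrict them, run it with CAP_SYS_ADMIN and drop the uid/gid mapping. The point to notice is the order of operations: everything before `execv` touches only the host's syscall interface and the image's directory tree, never the image's executables or shared libraries, which is exactly what a Bash-driven setup cannot guarantee.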

First seen: 2025-05-26 15:48

Last seen: 2025-05-26 18:48