Rust Container without “Linux”?

Linux containers contain no Linux, aka the actual Linux (i.e. the kernel) resides outside the container. What is needed inside the container is only what the program needs for interfacing to stuff, e.g. libraries and a network resolver. The need for libraries goes away with a static link, with musl or maybe relibc.

Is it possible to have a container image with only a Rust executable inside? What classes of problems can't be solved this way, and require at least parts of Linux userland? Is there work underway to reduce this, by replacing those things with pure Rust?

You need a static binary to run it without the rest of the OS. Rust has the MUSL target for that.

3 Likes
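As an added illustration of the static-binary requirement above (not part of the thread or any poster's code): a check that reads an ELF64 file's program headers and reports whether the kernel will look for a dynamic loader (`PT_INTERP`) inside the image. The names `Linkage`, `classify`, `le` and `sample` are made up for this example, and the inputs are constructed headers rather than real binaries.

```rust
// Added example: classify an ELF64 little-endian binary by what it needs at exec time.
const PT_DYNAMIC: u32 = 2;
const PT_INTERP: u32 = 3;

#[derive(Debug, PartialEq)]
pub enum Linkage {
    Static,    // no PT_INTERP, no PT_DYNAMIC
    StaticPie, // PT_DYNAMIC without PT_INTERP: relocates itself, no loader needed
    Dynamic,   // PT_INTERP: the kernel must find ld.so inside the image
}

// Read an n-byte little-endian integer without panicking on short input.
fn le(b: &[u8], off: usize, n: usize) -> Option<u64> {
    let s = b.get(off..)?.get(..n)?;
    Some(s.iter().rev().fold(0u64, |acc, &x| (acc << 8) | x as u64))
}

pub fn classify(elf: &[u8]) -> Result<Linkage, &'static str> {
    if !elf.starts_with(b"\x7fELF") { return Err("not an ELF file"); }
    if elf.get(4..6) != Some(&[2u8, 1][..]) { return Err("only ELF64 little-endian handled"); }
    let phoff = le(elf, 0x20, 8).ok_or("truncated ELF header")? as usize;
    let phentsize = le(elf, 0x36, 2).ok_or("truncated ELF header")? as usize;
    let phnum = le(elf, 0x38, 2).ok_or("truncated ELF header")? as usize;
    let (mut interp, mut dynamic) = (false, false);
    for i in 0..phnum {
        let off = i.checked_mul(phentsize).and_then(|d| d.checked_add(phoff));
        let p_type = off.and_then(|o| le(elf, o, 4)).ok_or("truncated program header")?;
        if p_type == PT_INTERP as u64 { interp = true; }
        if p_type == PT_DYNAMIC as u64 { dynamic = true; }
    }
    Ok(if interp { Linkage::Dynamic } else if dynamic { Linkage::StaticPie } else { Linkage::Static })
}

// Constructed sample: a 64-byte ELF64 header followed by bare 56-byte program headers.
pub fn sample(p_types: &[u32]) -> Vec<u8> {
    let mut f = vec![0u8; 64 + 56 * p_types.len()];
    f[..6].copy_from_slice(b"\x7fELF\x02\x01"); // magic, ELFCLASS64, little-endian
    f[0x20] = 64; f[0x36] = 56; f[0x38] = p_types.len() as u8; // e_phoff, e_phentsize, e_phnum
    for (i, t) in p_types.iter().enumerate() {
        f[64 + 56 * i..][..4].copy_from_slice(&t.to_le_bytes());
    }
    f
}

fn main() {
    for p in [vec![1u32], vec![1, 2], vec![1, 3, 2]].iter() {
        println!("{:?} -> {:?}", p, classify(&sample(p)));
    }
}
```

Only a `Dynamic` result means the binary cannot start in an otherwise empty image; the check says nothing about files the program opens at run time.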

I have no idea why people use containers. I gather that half the motivation is to be able to wrap up all the dependencies of a project so that they are not subject to the whims and changes of whatever platform they run on.

I also get the idea that use of containers is motivated by the desire for isolation from the rest of the system. Limiting access to memory, files, network, peripherals etc. Basically security concerns. Whilst avoiding the overheads of a full blown virtual machine.

If you need the latter then a statically built Rust application does not get you there.

The other motivation is to avoid installing all of the dependencies to the local system. That much is about managing conflicting requirements. Just ask sysadmins why you should never sudo pip install and you'll get the whole gamut of rationale for not polluting the global namespace.

Containers isolate the application from the rest of the system not so much for security (it's kind of a nice side-effect, when it works) but because conflict management is a nightmare at scale. [1]


For OP: I agree that MUSL gets you a long way to the "single binary" deployment that you are looking for. One of the challenges I faced numerous times when attempting this is that too often one of my transient dependencies needs OpenSSL and it's a real slog to deal with. Sometimes you can configure feature flags on all of your dependencies to use rustls.

The alternative solution I have found is building the projects with a base container that already has MUSL-compiled libs like OpenSSL. This is the one I had success with: clux/muslrust: Docker environment for building musl based static linux rust binaries (github.com)


  1. Nix solves the same set of problems in a very different way. For whatever reason, containers caught on first.

2 Likes

Yes, yes, that was the first reason for using containers I mentioned.

And yes indeed, SSL seems to be an unnecessary pain all the time.

You’re right that containers are not needed if they don’t contain any dependencies. OTOH in a world where you’re expected to provide your app for provisioning via Kubernetes or OpenShift, that point becomes moot.
