l3montree-dev/container-workshop


Container Developer Workshop

A hands-on workshop covering OCI image internals, container hardening, and Linux namespaces.

| Section | What you learn |
| --- | --- |
| understanding-oci-images/ | Layers, whiteouts, secrets, multi-stage builds |
| container-hardening/ | RCE exploitation, root vs. non-root, distroless, read-only filesystems |
| sbom-generation/ | SBOM trust boundaries — ghost packages and phantom binaries |
| linux-namespaces/ | How containers isolate processes at the kernel level |

Setup

All tools are provided through a Nix dev shell (flake.nix). Two paths depending on your OS:

  • Linux — run nix develop directly in the repo root.
  • macOS — the Linux namespace exercises require a real Linux kernel. Use Lima to spin up a lightweight Debian VM and run everything inside it.

macOS: Lima + Nix

1 — Install Nix

sh <(curl --proto '=https' --tlsv1.2 -L https://nixos.org/nix/install)

Restart your shell, then verify:

nix --version

2 — Install Lima

nix-env -iA nixpkgs.lima
# or, if you prefer Homebrew:
brew install lima

3 — Start the workshop VM

The repo ships a workshop.yaml Lima template: a minimal Debian 12 VM with your home directory mounted read-write. Because that mount is writable, anything running inside the VM (including the containers you build and break during the exercises) can modify files in your real home directory, so treat the VM as part of your host's trust boundary rather than as a sandbox.

limactl start workshop.yaml

First start downloads the Debian image and boots the VM (~1 min). Subsequent starts are instant.

4 — Install Nix inside the VM

Open a shell in the VM and run each step:

limactl shell workshop

Install Nix in single-user mode (--no-daemon skips the multi-user setup, which a throwaway VM does not need):

sh <(curl --proto '=https' --tlsv1.2 -L https://nixos.org/nix/install) --no-daemon

Enable flakes (tee -a appends unconditionally, so run this only once; if the VM already has an experimental-features line in /etc/nix/nix.conf, edit that line instead of adding a second one):

sudo mkdir -p /etc/nix
echo 'experimental-features = nix-command flakes' | sudo tee -a /etc/nix/nix.conf

Reload your shell to pick up the Nix profile:

exec $SHELL -l

Verify:

nix --version
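The same step as a re-runnable script, added here as an example rather than anything shipped with the workshop. It assumes the single-user install the README uses, downloads the installer to a file so it can be read before it is executed instead of piping it straight into sh, and makes the flakes step idempotent: re-running never appends a duplicate line, and an experimental-features line that is already present keeps its other features. NIX_CONF, WANTED_FEATURES and the function names are this example's own choices.

```sh
#!/usr/bin/env sh
# Illustrative, re-runnable version of step 4 (added example, not part of the workshop repo).
# Assumptions: single-user Nix install (--no-daemon) as in the README, and that the caller
# either runs this with sudo or points NIX_CONF at a file they can write.

set -u

NIX_CONF="${NIX_CONF:-/etc/nix/nix.conf}"   # README writes here; ~/.config/nix/nix.conf also works for single-user installs
NIX_INSTALLER_URL="https://nixos.org/nix/install"
WANTED_FEATURES="nix-command flakes"

# enable_flakes FILE
# Make sure FILE declares experimental-features with nix-command and flakes.
# Unlike `tee -a`, this never appends a duplicate line, and it keeps features that
# were already enabled instead of shadowing them with a second declaration.
enable_flakes() {
    conf="$1"
    if [ -f "$conf" ] && grep -Eq '^[[:space:]]*experimental-features[[:space:]]*=' "$conf"; then
        current=$(grep -E '^[[:space:]]*experimental-features[[:space:]]*=' "$conf" | tail -n 1)
        merged=${current#*=}
        for feat in $WANTED_FEATURES; do
            case " $merged " in
                *" $feat "*) ;;                 # already present
                *) merged="$merged $feat" ;;
            esac
        done
        set -- $merged; merged="$*"             # normalise whitespace: word-split, then rejoin with single spaces
        tmp="$conf.tmp.$$"
        grep -Ev '^[[:space:]]*experimental-features[[:space:]]*=' "$conf" > "$tmp" || true
        printf 'experimental-features = %s\n' "$merged" >> "$tmp"
        cat "$tmp" > "$conf"                    # cat, not mv: keeps the file's owner and mode
        rm -f "$tmp"
    else
        printf 'experimental-features = %s\n' "$WANTED_FEATURES" >> "$conf"
    fi
}

# flakes_enabled FILE  -> exit 0 only if the last experimental-features line lists every wanted feature
flakes_enabled() {
    conf="$1"
    [ -f "$conf" ] || return 1
    line=$(grep -E '^[[:space:]]*experimental-features[[:space:]]*=' "$conf" | tail -n 1)
    [ -n "$line" ] || return 1
    value=${line#*=}
    for feat in $WANTED_FEATURES; do
        case " $value " in
            *" $feat "*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

bootstrap() {
    if ! command -v nix >/dev/null 2>&1; then
        # Download to a file instead of piping into sh, so the installer can be
        # inspected (or diffed against a known-good copy) before it runs.
        installer=$(mktemp)
        curl --proto '=https' --tlsv1.2 -fsSL -o "$installer" "$NIX_INSTALLER_URL"
        sh "$installer" --no-daemon
        rm -f "$installer"
        # Single-user install: pick up the profile without restarting the shell.
        [ -r "$HOME/.nix-profile/etc/profile.d/nix.sh" ] && . "$HOME/.nix-profile/etc/profile.d/nix.sh"
    fi
    [ -d "$(dirname "$NIX_CONF")" ] || mkdir -p "$(dirname "$NIX_CONF")"
    enable_flakes "$NIX_CONF"
    flakes_enabled "$NIX_CONF" || { echo "flakes not enabled in $NIX_CONF" >&2; return 1; }
    nix --version
}

# Only act when invoked as `sh bootstrap.sh run`; sourcing the file just defines the functions.
case "${1:-}" in
    run) bootstrap ;;
esac
```

Run it as `sudo sh bootstrap.sh run`, or as `NIX_CONF=$HOME/.config/nix/nix.conf sh bootstrap.sh run` to avoid sudo entirely; a single-user Nix reads the per-user file as well as /etc/nix/nix.conf.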

5 — Enter the dev shell

# Still inside the VM shell:
cd ~/path/to/container-developer-workshop
nix develop

nix develop fetches the tools declared in flake.nix and puts them on PATH for that shell only: docker, jq, bun, nc, gnutar, container-hardening-work-bench, plus the Linux-only namespace tools (unshare, nsenter, newuidmap, go). Nothing is installed system-wide; when you leave the shell they are gone from PATH again.
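For readers who want to see how a dev shell like this is declared, here is an illustrative flake.nix written for this page. It is not the workshop's own flake.nix; the nixpkgs attribute names are this example's guesses for the tools listed above, the workshop's container-hardening-work-bench is left out because it is the workshop's own tool, and the isLinux guard is what lets the same flake evaluate on a macOS host while still providing the namespace utilities inside the Debian VM.

```nix
{
  description = "Illustrative dev shell for the container workshop (added example, not the repo's flake.nix)";

  inputs = {
    nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.05";
    flake-utils.url = "github:numtide/flake-utils";
  };

  outputs = { self, nixpkgs, flake-utils }:
    flake-utils.lib.eachDefaultSystem (system:
      let
        pkgs = nixpkgs.legacyPackages.${system};

        # The namespace exercises need a Linux kernel, so these packages are only
        # added on Linux. On a macOS host the shell still evaluates; the exercises
        # themselves run inside the Lima VM, where isLinux is true.
        linuxOnly = pkgs.lib.optionals pkgs.stdenv.isLinux [
          pkgs.util-linux   # unshare, nsenter
          pkgs.shadow       # newuidmap, newgidmap (see the note below on setuid)
          pkgs.go
        ];
      in {
        devShells.default = pkgs.mkShell {
          packages = [
            pkgs.docker
            pkgs.jq
            pkgs.bun
            pkgs.netcat-openbsd   # provides nc
            pkgs.gnutar
          ] ++ linuxOnly;

          shellHook = ''
            echo "container workshop dev shell (${system})"
          '';
        };
      });
}
```

One caveat worth knowing before relying on the shell's newuidmap: files in the Nix store never carry the setuid bit, so a newuidmap from a Nix shell cannot install the multi-UID subuid mappings that a distribution's setuid /usr/bin/newuidmap can. Exercises that need such a mapping must use the distribution binary; single-UID user namespaces created with unshare -U do not need newuidmap at all.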

VM lifecycle

limactl stop workshop      # shut the VM down; its disk is kept
limactl start workshop     # boot it again
limactl delete workshop    # remove the instance and its disk entirely

Linux

nix develop

That's it. All tools including the namespace utilities are available immediately.


Without Nix

See PREREQUISITES.md for manual installation instructions for each tool.
