Write all env vars to a single file for convenience

README.md

@@ -69,48 +69,43 @@ services:
   my-app:
     build: .
     # Privileged is required to setup the rootfs and jailer
-    # but permissions are dropped to a chroot in order to start your VM
+    # but permissions are dropped to non-root when starting Firecracker
     privileged: true
+    # Host networking is required to create a TAP device and update iptables
     network_mode: host
-    # Optionally run the VM rootfs and kernel in-memory to save storage wear
+    # Optionally run the VM rootfs and kernel in-memory
     tmpfs:
       - /tmp
       - /run
       - /srv
-    # Optionally mount a persistent data volume where a data drive will be created for the VM
+    # Optionally persist the data volume which is available as /dev/vdb in the VM
     volumes:
-      - persistent-data:/data
+      - data:/jail/data
 
 volumes:
-  persistent-data: {}
+  data: {}
 ```
 
-That's it! The firecracker runtime image will execute your rootfs as a MicroVM.
+That's it! The firecracker runtime image will execute your container as a MicroVM.
 
 Reference: <https://github.com/firecracker-microvm/firecracker/blob/main/docs/getting-started.md>
 
 ## Usage
 
 ### Environment Variables
 
-Since traditional container environment variables are not available in the VM, this wrapper will
-inject them into the VM rootfs and export them at runtime.
+Environment variables made available to the jailer runtime will be written to `/var/environment` in
+the VM for optional use.
 
-Provide environment variables or secrets with the `CTR_` prefix, like `CTR_SECRET_KEY=secretvalue`.
-
-If the values have spaces, or special characters, it is recommended to encode your secret values
-with `base64` and have your init service decode them.
-
-After being exported to the running process, the files are removed so they can safely
-be used for secrets as long as the init stage of your service calls `unset <SECRET_KEY>` after using them.
+For use with secrets, it is recommended to source the values as needed, and delete the file.
 
 ### Networking
 
 A TAP/TUN device will be automatically created for the guest to have network access.
 
 The IP address/netmask can be configured via `TAP_IP`, otherwise a random address in the 10.x.x.1/30 range will be assigned.
 
-The host interface for routing can be configured via `INTERFACE` otherwise the default route interface will be used.
+The host interface for routing can be configured via `HOST_IFACE` otherwise the default route interface will be used.
 
 In order to create the TAP device, and update iptables rules, the container jailer must be run in host networking mode.
 

docker-compose.test.yml

@@ -39,7 +39,6 @@ services:
       context: .
       target: alpine-test
     command: /usr/local/bin/healthcheck.sh
-    volumes: []
 
   debian-test:
     extends:
@@ -49,7 +48,6 @@ services:
       context: .
       target: debian-test
     command: /usr/local/bin/healthcheck.sh
-    volumes: []
 
   ubuntu-test:
     extends:
@@ -59,4 +57,3 @@ services:
       context: .
       target: ubuntu-test
     command: /usr/local/bin/healthcheck.sh
-    volumes: []

docker-compose.yml

@@ -12,5 +12,3 @@ services:
       - /tmp
       - /run
       - /srv
-    environment:
-      - CTR_SECRET_KEY=secretvalue

overlay/sbin/init

@@ -46,10 +46,7 @@ for dev in $(ip link list | awk /'^[0-9]+:/ {print $2}' | sed 's/://'); do
     ip route add default via "${ip%?}1" dev "$dev"
 done
 
-# Export secrets to the environment and remove the files
-if [ "$(ls /var/secrets)" ]; then
-    for f in /var/secrets/*; do
-        eval "export $(basename "${f}")=$(cat "${f}")"
-        rm -f "${f}"
-    done
-fi
+set +a
+# shellcheck disable=SC1091
+. /etc/profile || true
+set -a

overlay/usr/local/bin/healthcheck.sh

@@ -9,6 +9,8 @@ uname -a
 df -h
 lsblk
 
+. /var/environment
+
 ip link list
 ip route