chroot-distro 2.3.2__tar.gz → 2.4.1__tar.gz

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (144)
  1. {chroot_distro-2.3.2 → chroot_distro-2.4.1}/.github/workflows/ci.yml +2 -2
  2. {chroot_distro-2.3.2 → chroot_distro-2.4.1}/.github/workflows/codeql.yml +1 -1
  3. {chroot_distro-2.3.2 → chroot_distro-2.4.1}/PKG-INFO +125 -185
  4. {chroot_distro-2.3.2 → chroot_distro-2.4.1}/README.md +124 -184
  5. {chroot_distro-2.3.2 → chroot_distro-2.4.1}/check-before-commit.sh +9 -9
  6. {chroot_distro-2.3.2 → chroot_distro-2.4.1}/pyproject.toml +1 -1
  7. {chroot_distro-2.3.2 → chroot_distro-2.4.1}/src/chroot_distro/commands/help/pages.py +36 -18
  8. {chroot_distro-2.3.2 → chroot_distro-2.4.1}/src/chroot_distro/commands/info.py +100 -14
  9. chroot_distro-2.4.1/src/chroot_distro/commands/kernel_config.py +323 -0
  10. {chroot_distro-2.3.2 → chroot_distro-2.4.1}/src/chroot_distro/commands/kill.py +18 -1
  11. {chroot_distro-2.3.2 → chroot_distro-2.4.1}/src/chroot_distro/commands/login/__init__.py +315 -22
  12. {chroot_distro-2.3.2 → chroot_distro-2.4.1}/src/chroot_distro/commands/login/bindings.py +104 -21
  13. {chroot_distro-2.3.2 → chroot_distro-2.4.1}/src/chroot_distro/commands/login/env.py +0 -1
  14. chroot_distro-2.4.1/src/chroot_distro/commands/ps.py +132 -0
  15. {chroot_distro-2.3.2 → chroot_distro-2.4.1}/src/chroot_distro/completions/_chroot-distro +3 -3
  16. {chroot_distro-2.3.2 → chroot_distro-2.4.1}/src/chroot_distro/completions/chroot-distro.bash +1 -1
  17. {chroot_distro-2.3.2 → chroot_distro-2.4.1}/src/chroot_distro/completions/chroot-distro.fish +4 -4
  18. {chroot_distro-2.3.2 → chroot_distro-2.4.1}/src/chroot_distro/constants.py +1 -0
  19. {chroot_distro-2.3.2 → chroot_distro-2.4.1}/src/chroot_distro/helpers/docker/transport.py +6 -6
  20. chroot_distro-2.4.1/src/chroot_distro/helpers/max_iso_holder.py +167 -0
  21. {chroot_distro-2.3.2 → chroot_distro-2.4.1}/src/chroot_distro/helpers/mount_manager.py +126 -44
  22. {chroot_distro-2.3.2 → chroot_distro-2.4.1}/src/chroot_distro/helpers/namespace.py +195 -17
  23. chroot_distro-2.4.1/src/chroot_distro/helpers/session_registry.py +212 -0
  24. {chroot_distro-2.3.2 → chroot_distro-2.4.1}/src/chroot_distro/parser.py +9 -3
  25. {chroot_distro-2.3.2 → chroot_distro-2.4.1}/src/chroot_distro/paths.py +13 -1
  26. chroot_distro-2.4.1/tests/unit/test_kernel_config.py +186 -0
  27. {chroot_distro-2.3.2 → chroot_distro-2.4.1}/tests/unit/test_kill.py +87 -8
  28. {chroot_distro-2.3.2 → chroot_distro-2.4.1}/tests/unit/test_login_helpers.py +283 -2
  29. {chroot_distro-2.3.2 → chroot_distro-2.4.1}/tests/unit/test_mount_manager_ns.py +14 -0
  30. {chroot_distro-2.3.2 → chroot_distro-2.4.1}/tests/unit/test_namespace.py +5 -1
  31. {chroot_distro-2.3.2 → chroot_distro-2.4.1}/tests/unit/test_parser.py +25 -0
  32. {chroot_distro-2.3.2 → chroot_distro-2.4.1}/tests/unit/test_paths.py +9 -0
  33. chroot_distro-2.4.1/tests/unit/test_session.py +264 -0
  34. {chroot_distro-2.3.2 → chroot_distro-2.4.1}/uv.lock +1 -1
  35. chroot_distro-2.3.2/check-config.sh +0 -429
  36. chroot_distro-2.3.2/src/chroot_distro/commands/ps.py +0 -56
  37. {chroot_distro-2.3.2 → chroot_distro-2.4.1}/.editorconfig +0 -0
  38. {chroot_distro-2.3.2 → chroot_distro-2.4.1}/.github/codeql/codeql-config.yml +0 -0
  39. {chroot_distro-2.3.2 → chroot_distro-2.4.1}/.github/dependabot.yml +0 -0
  40. {chroot_distro-2.3.2 → chroot_distro-2.4.1}/.github/workflows/publish.yml +0 -0
  41. {chroot_distro-2.3.2 → chroot_distro-2.4.1}/.gitignore +0 -0
  42. {chroot_distro-2.3.2 → chroot_distro-2.4.1}/.python-version +0 -0
  43. {chroot_distro-2.3.2 → chroot_distro-2.4.1}/LICENSE +0 -0
  44. {chroot_distro-2.3.2 → chroot_distro-2.4.1}/src/chroot_distro/__init__.py +0 -0
  45. {chroot_distro-2.3.2 → chroot_distro-2.4.1}/src/chroot_distro/arch.py +0 -0
  46. {chroot_distro-2.3.2 → chroot_distro-2.4.1}/src/chroot_distro/atomic.py +0 -0
  47. {chroot_distro-2.3.2 → chroot_distro-2.4.1}/src/chroot_distro/cli.py +0 -0
  48. {chroot_distro-2.3.2 → chroot_distro-2.4.1}/src/chroot_distro/commands/backup.py +0 -0
  49. {chroot_distro-2.3.2 → chroot_distro-2.4.1}/src/chroot_distro/commands/build.py +0 -0
  50. {chroot_distro-2.3.2 → chroot_distro-2.4.1}/src/chroot_distro/commands/clear_cache.py +0 -0
  51. {chroot_distro-2.3.2 → chroot_distro-2.4.1}/src/chroot_distro/commands/copy.py +0 -0
  52. {chroot_distro-2.3.2 → chroot_distro-2.4.1}/src/chroot_distro/commands/diff.py +0 -0
  53. {chroot_distro-2.3.2 → chroot_distro-2.4.1}/src/chroot_distro/commands/help/__init__.py +0 -0
  54. {chroot_distro-2.3.2 → chroot_distro-2.4.1}/src/chroot_distro/commands/help/render.py +0 -0
  55. {chroot_distro-2.3.2 → chroot_distro-2.4.1}/src/chroot_distro/commands/install.py +0 -0
  56. {chroot_distro-2.3.2 → chroot_distro-2.4.1}/src/chroot_distro/commands/install_local.py +0 -0
  57. {chroot_distro-2.3.2 → chroot_distro-2.4.1}/src/chroot_distro/commands/list_cmd.py +0 -0
  58. {chroot_distro-2.3.2 → chroot_distro-2.4.1}/src/chroot_distro/commands/login/chroot_cmd.py +0 -0
  59. {chroot_distro-2.3.2 → chroot_distro-2.4.1}/src/chroot_distro/commands/login/passwd.py +0 -0
  60. {chroot_distro-2.3.2 → chroot_distro-2.4.1}/src/chroot_distro/commands/push.py +0 -0
  61. {chroot_distro-2.3.2 → chroot_distro-2.4.1}/src/chroot_distro/commands/remove.py +0 -0
  62. {chroot_distro-2.3.2 → chroot_distro-2.4.1}/src/chroot_distro/commands/rename.py +0 -0
  63. {chroot_distro-2.3.2 → chroot_distro-2.4.1}/src/chroot_distro/commands/reset.py +0 -0
  64. {chroot_distro-2.3.2 → chroot_distro-2.4.1}/src/chroot_distro/commands/restore.py +0 -0
  65. {chroot_distro-2.3.2 → chroot_distro-2.4.1}/src/chroot_distro/commands/run.py +0 -0
  66. {chroot_distro-2.3.2 → chroot_distro-2.4.1}/src/chroot_distro/commands/search.py +0 -0
  67. {chroot_distro-2.3.2 → chroot_distro-2.4.1}/src/chroot_distro/commands/sync.py +0 -0
  68. {chroot_distro-2.3.2 → chroot_distro-2.4.1}/src/chroot_distro/commands/unmount.py +0 -0
  69. {chroot_distro-2.3.2 → chroot_distro-2.4.1}/src/chroot_distro/elevate.py +0 -0
  70. {chroot_distro-2.3.2 → chroot_distro-2.4.1}/src/chroot_distro/exceptions.py +0 -0
  71. {chroot_distro-2.3.2 → chroot_distro-2.4.1}/src/chroot_distro/helpers/__init__.py +0 -0
  72. {chroot_distro-2.3.2 → chroot_distro-2.4.1}/src/chroot_distro/helpers/android.py +0 -0
  73. {chroot_distro-2.3.2 → chroot_distro-2.4.1}/src/chroot_distro/helpers/build_cache.py +0 -0
  74. {chroot_distro-2.3.2 → chroot_distro-2.4.1}/src/chroot_distro/helpers/build_engine/__init__.py +0 -0
  75. {chroot_distro-2.3.2 → chroot_distro-2.4.1}/src/chroot_distro/helpers/build_engine/constants.py +0 -0
  76. {chroot_distro-2.3.2 → chroot_distro-2.4.1}/src/chroot_distro/helpers/build_engine/copy_step.py +0 -0
  77. {chroot_distro-2.3.2 → chroot_distro-2.4.1}/src/chroot_distro/helpers/build_engine/dockerignore.py +0 -0
  78. {chroot_distro-2.3.2 → chroot_distro-2.4.1}/src/chroot_distro/helpers/build_engine/engine.py +0 -0
  79. {chroot_distro-2.3.2 → chroot_distro-2.4.1}/src/chroot_distro/helpers/build_engine/errors.py +0 -0
  80. {chroot_distro-2.3.2 → chroot_distro-2.4.1}/src/chroot_distro/helpers/build_engine/handlers.py +0 -0
  81. {chroot_distro-2.3.2 → chroot_distro-2.4.1}/src/chroot_distro/helpers/build_engine/parsing.py +0 -0
  82. {chroot_distro-2.3.2 → chroot_distro-2.4.1}/src/chroot_distro/helpers/build_engine/run_step.py +0 -0
  83. {chroot_distro-2.3.2 → chroot_distro-2.4.1}/src/chroot_distro/helpers/build_engine/stage.py +0 -0
  84. {chroot_distro-2.3.2 → chroot_distro-2.4.1}/src/chroot_distro/helpers/build_engine/users.py +0 -0
  85. {chroot_distro-2.3.2 → chroot_distro-2.4.1}/src/chroot_distro/helpers/display.py +0 -0
  86. {chroot_distro-2.3.2 → chroot_distro-2.4.1}/src/chroot_distro/helpers/docker/__init__.py +0 -0
  87. {chroot_distro-2.3.2 → chroot_distro-2.4.1}/src/chroot_distro/helpers/docker/cache.py +0 -0
  88. {chroot_distro-2.3.2 → chroot_distro-2.4.1}/src/chroot_distro/helpers/docker/layers.py +0 -0
  89. {chroot_distro-2.3.2 → chroot_distro-2.4.1}/src/chroot_distro/helpers/docker/media.py +0 -0
  90. {chroot_distro-2.3.2 → chroot_distro-2.4.1}/src/chroot_distro/helpers/docker/pull.py +0 -0
  91. {chroot_distro-2.3.2 → chroot_distro-2.4.1}/src/chroot_distro/helpers/docker/push.py +0 -0
  92. {chroot_distro-2.3.2 → chroot_distro-2.4.1}/src/chroot_distro/helpers/docker/refs.py +0 -0
  93. {chroot_distro-2.3.2 → chroot_distro-2.4.1}/src/chroot_distro/helpers/dockerfile.py +0 -0
  94. {chroot_distro-2.3.2 → chroot_distro-2.4.1}/src/chroot_distro/helpers/download.py +0 -0
  95. {chroot_distro-2.3.2 → chroot_distro-2.4.1}/src/chroot_distro/helpers/gpu.py +0 -0
  96. {chroot_distro-2.3.2 → chroot_distro-2.4.1}/src/chroot_distro/helpers/layer_diff.py +0 -0
  97. {chroot_distro-2.3.2 → chroot_distro-2.4.1}/src/chroot_distro/helpers/nvidia.py +0 -0
  98. {chroot_distro-2.3.2 → chroot_distro-2.4.1}/src/chroot_distro/helpers/oci_writer.py +0 -0
  99. {chroot_distro-2.3.2 → chroot_distro-2.4.1}/src/chroot_distro/helpers/rootfs.py +0 -0
  100. {chroot_distro-2.3.2 → chroot_distro-2.4.1}/src/chroot_distro/helpers/session.py +0 -0
  101. {chroot_distro-2.3.2 → chroot_distro-2.4.1}/src/chroot_distro/helpers/sound.py +0 -0
  102. {chroot_distro-2.3.2 → chroot_distro-2.4.1}/src/chroot_distro/helpers/tar_extract.py +0 -0
  103. {chroot_distro-2.3.2 → chroot_distro-2.4.1}/src/chroot_distro/helpers/wayland.py +0 -0
  104. {chroot_distro-2.3.2 → chroot_distro-2.4.1}/src/chroot_distro/helpers/x11.py +0 -0
  105. {chroot_distro-2.3.2 → chroot_distro-2.4.1}/src/chroot_distro/locking.py +0 -0
  106. {chroot_distro-2.3.2 → chroot_distro-2.4.1}/src/chroot_distro/message.py +0 -0
  107. {chroot_distro-2.3.2 → chroot_distro-2.4.1}/src/chroot_distro/names.py +0 -0
  108. {chroot_distro-2.3.2 → chroot_distro-2.4.1}/src/chroot_distro/progress.py +0 -0
  109. {chroot_distro-2.3.2 → chroot_distro-2.4.1}/src/chroot_distro/py.typed +0 -0
  110. {chroot_distro-2.3.2 → chroot_distro-2.4.1}/src/chroot_distro/rate_limit.py +0 -0
  111. {chroot_distro-2.3.2 → chroot_distro-2.4.1}/tests/conftest.py +0 -0
  112. {chroot_distro-2.3.2 → chroot_distro-2.4.1}/tests/unit/test_android.py +0 -0
  113. {chroot_distro-2.3.2 → chroot_distro-2.4.1}/tests/unit/test_arch.py +0 -0
  114. {chroot_distro-2.3.2 → chroot_distro-2.4.1}/tests/unit/test_backup_restore.py +0 -0
  115. {chroot_distro-2.3.2 → chroot_distro-2.4.1}/tests/unit/test_bind_options.py +0 -0
  116. {chroot_distro-2.3.2 → chroot_distro-2.4.1}/tests/unit/test_cli.py +0 -0
  117. {chroot_distro-2.3.2 → chroot_distro-2.4.1}/tests/unit/test_constants.py +0 -0
  118. {chroot_distro-2.3.2 → chroot_distro-2.4.1}/tests/unit/test_diff_baseline_cache.py +0 -0
  119. {chroot_distro-2.3.2 → chroot_distro-2.4.1}/tests/unit/test_display.py +0 -0
  120. {chroot_distro-2.3.2 → chroot_distro-2.4.1}/tests/unit/test_display_sockets.py +0 -0
  121. {chroot_distro-2.3.2 → chroot_distro-2.4.1}/tests/unit/test_docker_refs.py +0 -0
  122. {chroot_distro-2.3.2 → chroot_distro-2.4.1}/tests/unit/test_dockerfile.py +0 -0
  123. {chroot_distro-2.3.2 → chroot_distro-2.4.1}/tests/unit/test_download_algorithms.py +0 -0
  124. {chroot_distro-2.3.2 → chroot_distro-2.4.1}/tests/unit/test_download_blob_multi.py +0 -0
  125. {chroot_distro-2.3.2 → chroot_distro-2.4.1}/tests/unit/test_download_multi.py +0 -0
  126. {chroot_distro-2.3.2 → chroot_distro-2.4.1}/tests/unit/test_elevate.py +0 -0
  127. {chroot_distro-2.3.2 → chroot_distro-2.4.1}/tests/unit/test_gpu.py +0 -0
  128. {chroot_distro-2.3.2 → chroot_distro-2.4.1}/tests/unit/test_info.py +0 -0
  129. {chroot_distro-2.3.2 → chroot_distro-2.4.1}/tests/unit/test_install.py +0 -0
  130. {chroot_distro-2.3.2 → chroot_distro-2.4.1}/tests/unit/test_install_local.py +0 -0
  131. {chroot_distro-2.3.2 → chroot_distro-2.4.1}/tests/unit/test_layer_diff.py +0 -0
  132. {chroot_distro-2.3.2 → chroot_distro-2.4.1}/tests/unit/test_list.py +0 -0
  133. {chroot_distro-2.3.2 → chroot_distro-2.4.1}/tests/unit/test_locking.py +0 -0
  134. {chroot_distro-2.3.2 → chroot_distro-2.4.1}/tests/unit/test_message.py +0 -0
  135. {chroot_distro-2.3.2 → chroot_distro-2.4.1}/tests/unit/test_names.py +0 -0
  136. {chroot_distro-2.3.2 → chroot_distro-2.4.1}/tests/unit/test_progress.py +0 -0
  137. {chroot_distro-2.3.2 → chroot_distro-2.4.1}/tests/unit/test_push_chunked.py +0 -0
  138. {chroot_distro-2.3.2 → chroot_distro-2.4.1}/tests/unit/test_remove.py +0 -0
  139. {chroot_distro-2.3.2 → chroot_distro-2.4.1}/tests/unit/test_rootfs.py +0 -0
  140. {chroot_distro-2.3.2 → chroot_distro-2.4.1}/tests/unit/test_sound.py +0 -0
  141. {chroot_distro-2.3.2 → chroot_distro-2.4.1}/tests/unit/test_tar_extract.py +0 -0
  142. {chroot_distro-2.3.2 → chroot_distro-2.4.1}/tests/unit/test_unmount.py +0 -0
  143. {chroot_distro-2.3.2 → chroot_distro-2.4.1}/tests/unit/test_wayland.py +0 -0
  144. {chroot_distro-2.3.2 → chroot_distro-2.4.1}/tests/unit/test_x11.py +0 -0
@@ -13,7 +13,7 @@ jobs:
13
13
 
14
14
  steps:
15
15
  - name: Checkout Code
16
- uses: actions/checkout@v4
16
+ uses: actions/checkout@v7
17
17
 
18
18
  - name: Set up Python
19
19
  uses: actions/setup-python@v6
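Review bot: `uses: actions/checkout@v7` still references a mutable major-version tag, and the bump from `v4` crosses three major versions in one step. Pin the action to a full commit SHA with the version in a trailing comment, and confirm that the checkout defaults this job relies on are unchanged across those majors. The same applies to the two later checkout bumps in this diff and to the unchanged `actions/setup-python@v6` line below it.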
@@ -47,7 +47,7 @@ jobs:
47
47
 
48
48
  steps:
49
49
  - name: Checkout Code
50
- uses: actions/checkout@v4
50
+ uses: actions/checkout@v7
51
51
 
52
52
  - name: Set up Python ${{ matrix.python-version }}
53
53
  uses: actions/setup-python@v6
@@ -27,7 +27,7 @@ jobs:
27
27
 
28
28
  steps:
29
29
  - name: Checkout repository
30
- uses: actions/checkout@v4
30
+ uses: actions/checkout@v7
31
31
 
32
32
  - name: Initialize CodeQL
33
33
  uses: github/codeql-action/init@v4
@@ -1,6 +1,6 @@
1
1
  Metadata-Version: 2.4
2
2
  Name: chroot-distro
3
- Version: 2.3.2
3
+ Version: 2.4.1
4
4
  Summary: chroot-distro is a lightweight Linux container management utility built around chroot.
5
5
  Project-URL: Homepage, https://github.com/sabamdarif/chroot-distro
6
6
  Project-URL: Repository, https://github.com/sabamdarif/chroot-distro
@@ -34,24 +34,13 @@ Description-Content-Type: text/markdown
34
34
  [![License](https://img.shields.io/github/license/sabamdarif/chroot-distro?style=flat)](LICENSE)
35
35
 
36
36
 
37
- Chroot-Distro is a utility for managing rootful Linux containers in
38
- [Termux](https://termux.dev) and on regular Linux hosts. It uses the
39
- host kernel's native `chroot` and bind mounts (`mount --bind`) to provide a
40
- high-performance, near-native Linux environment.
37
+ Chroot-Distro is a utility for managing rootful Linux containers in Termux and on standard Linux hosts. It uses the host kernel's native `chroot` and bind mounts (`mount --bind`) to provide a high-performance, near-native Linux environment.
41
38
 
42
- Containers are created by pulling Docker/OCI images directly from
43
- Docker Hub or any compatible registry — or by extracting a local
44
- tarball / OCI image archive. The container filesystem is assembled from
45
- the image layers and stored locally, ready to be entered at any time.
39
+ Containers are created by pulling Docker/OCI images directly from Docker Hub (or any compatible registry), or by extracting a local tarball / OCI image archive. The container filesystem is assembled from the image layers and stored locally, ready to be entered at any time.
46
40
 
47
- Chroot-Distro can also **build** OCI images from a Dockerfile (no Docker
48
- daemon required), storing the result in the local manifest cache or
49
- exporting it as a standalone OCI tarball.
41
+ Chroot-Distro can also **build** OCI images from a Dockerfile (no Docker daemon required), storing the result in the local manifest cache or exporting it as a standalone OCI tarball.
50
42
 
51
- Unlike [proot-distro](https://github.com/termux/proot-distro) (which is
52
- rootless via `proot`), Chroot-Distro **requires root privileges** on the host. Mutating commands
53
- automatically re-launch themselves via `sudo`, `doas`, `pkexec`, or `su`
54
- when needed (see [First-run check](#first-run-check)).
43
+ Chroot-Distro requires **root privileges** on the host. Mutating commands automatically re-execute themselves via `sudo`, `doas`, `pkexec`, or `su` when needed (see [First-run check](#first-run-check)).
55
44
 
56
45
  ---
57
46
 
@@ -65,7 +54,7 @@ when needed (see [First-run check](#first-run-check)).
65
54
  * [`login`](#login--start-a-shell-inside-a-container)
66
55
  * [`run`](#run--run-the-image-defined-entrypoint)
67
56
  * [`list`](#list--list-installed-containers)
68
- * [`ps`](#ps--list-running-containers)
57
+ * [`ps`](#ps--list-active-sessions)
69
58
  * [`search`](#search--search-docker-hub)
70
59
  * [`diff`](#diff--inspect-filesystem-changes)
71
60
  * [`remove`](#remove--delete-a-container)
@@ -91,26 +80,7 @@ when needed (see [First-run check](#first-run-check)).
91
80
 
92
81
  ## Introduction
93
82
 
94
- Chroot-Distro lets you run a full Linux userland — Ubuntu, Debian,
95
- Alpine, Arch, openSUSE, distroless server images, anything available as
96
- a Docker/OCI image — on top of Termux on a rooted Android device, or on
97
- top of a regular Linux distribution, **with** native kernel performance,
98
- **without** the overhead of `proot`'s `ptrace` interception, and
99
- **without** a Docker daemon.
100
-
101
- Typical use cases:
102
-
103
- - Running a desktop-class Linux distribution on a phone or tablet at
104
- near-native speed (rooted device required on Termux).
105
- - Disk-intensive and compile workloads (GCC/Clang, Rust, Go) without
106
- `proot` slowdowns.
107
- - Spinning up server software (Nginx, Nextcloud, PostgreSQL, etc.) on
108
- Android by reusing the same OCI images you'd run on a server.
109
- - Building custom OCI images from a Dockerfile on-device, without a
110
- Docker daemon — and pushing them to Docker Hub, GHCR, or any
111
- OCI-compatible registry.
112
- - Trying a distribution non-destructively: install, experiment,
113
- `chroot-distro remove` when done.
83
+ Chroot-Distro lets you run a full Linux userland — Ubuntu, Debian, Alpine, Arch, openSUSE, distroless server images, or anything available as a Docker/OCI image — on top of Termux on a rooted Android device, or on top of a regular Linux distribution, with native kernel performance and without needing a Docker daemon.
114
84
 
115
85
  ### Installation
116
86
 
@@ -156,13 +126,9 @@ pip install .
156
126
 
157
127
  ### First-run check
158
128
 
159
- On startup, commands that modify containers or mounts verify that the
160
- effective UID is `0`. If not, Chroot-Distro auto-elevates when not root by
161
- re-executing itself using, in order: `sudo`, `doas`, `pkexec`, or `su`.
129
+ On startup, commands that modify containers or mounts verify that the effective UID is `0`. If not, Chroot-Distro auto-elevates when not root by re-executing itself using, in order: `sudo`, `doas`, `pkexec`, or `su`.
162
130
 
163
- `list`, `ps`, `search`, `info`, and `help` do not require root on Termux and
164
- are never re-executed. On regular Linux, `list`, `ps`, and `info` still
165
- elevate to inspect root-owned data.
131
+ `list`, `ps`, `search`, `info`, and `help` do not require root on Termux and are run immediately. On regular Linux, `list`, `ps`, and `info` still elevate to inspect root-owned data.
166
132
 
167
133
  ### Quick start
168
134
 
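Review bot: replacing "are never re-executed" with "are run immediately" in the `list`/`ps`/`search`/`info`/`help` sentence drops the explicit statement that these commands never go through the `sudo`/`doas`/`pkexec`/`su` re-exec path on Termux. Keep the guarantee in the wording, for example "are run immediately and are never re-executed with elevated privileges", so readers can tell which commands may trigger a privilege prompt.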
@@ -192,7 +158,7 @@ chroot-distro push myuser/myapp:1.0
192
158
  # Rebuild from scratch (loses all in-container data)
193
159
  chroot-distro reset ubuntu
194
160
 
195
- # List only the containers that are currently running
161
+ # List active sessions (PID, container, type, user, uptime, command)
196
162
  chroot-distro ps
197
163
 
198
164
  # Search Docker Hub for an image
@@ -207,8 +173,9 @@ chroot-distro diff ubuntu
207
173
  # Unmount bindings and end active sessions
208
174
  chroot-distro unmount ubuntu
209
175
 
210
- # Forcibly stop a running container (SIGKILL + unmount)
176
+ # Forcibly stop a running container (SIGKILL + unmount), by name or session PID
211
177
  chroot-distro kill ubuntu
178
+ chroot-distro kill 12345
212
179
 
213
180
  # Permanently remove a container (unmounts active sessions first)
214
181
  chroot-distro remove ubuntu
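Review bot: the added `chroot-distro kill 12345` line does not say how a numeric argument is resolved when a container is itself named with digits, or whether an arbitrary host PID is accepted. Because `kill` sends SIGKILL and unmounts, state here or in the `kill` section that a numeric argument must match a session shown by `ps`, and which interpretation wins on a name/PID clash.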
@@ -267,8 +234,7 @@ discovered from each registry's `/v2/` challenge.
267
234
 
268
235
  **Private images** require credentials. Set `CD_DOCKER_AUTH` to
269
236
  `username:password` (or `username:PAT`) before running `install`. The
270
- colon separator is mandatory. `PD_DOCKER_AUTH` is accepted as a fallback
271
- for compatibility with proot-distro:
237
+ colon separator is mandatory:
272
238
 
273
239
  ```sh
274
240
  export CD_DOCKER_AUTH=myuser:mypassword
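Review bot: the `PD_DOCKER_AUTH` fallback disappears from this paragraph with no indication of whether the variable is still read. If the code still honours it, it becomes an undocumented credential source and should stay documented; if support was removed, say so here or in a changelog entry so users who export only `PD_DOCKER_AUTH` understand why private pulls start failing.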
@@ -286,12 +252,6 @@ Missing layers are downloaded in parallel (default **4** workers). Set
286
252
  `CD_DOWNLOAD_WORKERS` to tune concurrency (integer **1–10**; values above
287
253
  10 are capped).
288
254
 
289
- On Termux, `list` does not elevate privileges. If containers were
290
- installed as root, run once as root to fix legacy manifest permissions:
291
- `su -c 'chmod -R a+r $PREFIX/var/lib/chroot-distro/containers/*/manifest.json'`
292
- (or reinstall). New installs write `manifest.json` as world-readable
293
- (`0644`).
294
-
295
255
  **Examples:**
296
256
 
297
257
  ```sh
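Review bot: deleting the Termux paragraph removes the only statement that `manifest.json` is written world-readable (`0644`), along with the `chmod -R a+r` remedy for containers installed as root. If unprivileged `list` on Termux still depends on those permissions, keep a short note of the file mode; if the mechanism changed in this release, document what replaced it.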
@@ -427,8 +387,7 @@ required.
427
387
 
428
388
  **Authentication:**
429
389
 
430
- Set `CD_DOCKER_AUTH=username:password` (colon required). `PD_DOCKER_AUTH`
431
- is accepted as a fallback:
390
+ Set `CD_DOCKER_AUTH=username:password` (colon required):
432
391
 
433
392
  ```sh
434
393
  chroot-distro build -t myuser/myapp:1.0 ./mycontext
@@ -468,99 +427,33 @@ chroot-distro login ubuntu --get-chroot-cmd
468
427
  | Option | Description |
469
428
  |---|---|
470
429
  | `-u`, `--user USER` | Log in as USER (default: `root`). Accepts `name`, numeric `uid`, `name:group`, or `uid:gid`. |
471
- | `--isolated` | Reduce host exposure and enable namespace isolation (mount, PID, UTS, IPC, and cgroup when supported, via `unshare`/`nsenter`). On Termux: also skip Android system, storage, and `$PREFIX` binds unless you opt in with `--shared-*` or `--bind`. (Fresh `/tmp` and `/run` are the default in every mode now, not just `--isolated`.) Mutually exclusive with `--minimal`. To get the same namespace isolation **without** reducing the mount set, set `CD_USE_NS=1` instead (see [Environment variables](#environment-variables)). |
430
+ | `--isolated` | Reduce host exposure and enable namespace isolation (mount, PID, UTS, IPC, and cgroup when supported, via `unshare`/`nsenter`). Binds **no** host paths at all `--shared-home`, `--shared-tmp`, `--shared-display`/`--shared-x11`, and `--bind` are all ignored (with a warning) when combined with `--isolated`, since there's nothing for them to bind into. Mutually exclusive with `--minimal`. To get the same namespace isolation **without** reducing the mount set (so `--shared-*`/`--bind` keep working), set `CD_USE_NS=1` instead (see [Environment variables](#environment-variables)). |
472
431
  | `--minimal` | Bare minimum chroot: core pseudo-filesystems only (`/dev`, `/proc`, `/sys`, plus `/run`, `/dev/pts`, `/dev/shm` when present). Stripped guest environment. Mutually exclusive with `--isolated`. |
473
- | `--shared-home` | Bind the invoking user's host home into the guest home (or `/root` for root). On Termux, binds `TERMUX_HOME`. |
474
- | `--shared-tmp` | Bind host tmp (`/tmp` on Linux, `$PREFIX/tmp` on Termux) to `/tmp` in the guest. Opt-in only: by default the container gets its own fresh `/tmp`, not the host's. |
475
- | `--shared-display` | Share the host display server (X11 and Wayland), audio (PulseAudio/PipeWire), and D-Bus session bus with the container. Binds only the specific session sockets, not the host's whole `/run`. Opt-in only. `--shared-x11` is accepted as a backward-compatible alias. |
476
- | `-b`, `--bind SRC[:DST]` | Bind-mount a custom host path (repeatable). `DST` must be an absolute guest path. |
432
+ | `--shared-home` | Bind the invoking user's host home into the guest home (or `/root` for root). On Termux, binds `TERMUX_HOME`. Ignored under `--isolated`. |
433
+ | `--shared-tmp` | Bind host tmp (`/tmp` on Linux, `$PREFIX/tmp` on Termux) to `/tmp` in the guest. Opt-in only: by default the container gets its own fresh `/tmp`, not the host's. Ignored under `--isolated`. |
434
+ | `--shared-display` | Share the host display server (X11 and Wayland), audio (PulseAudio/PipeWire), and D-Bus session bus with the container. Binds only the specific session sockets, not the host's whole `/run`. Opt-in only. `--shared-x11` is accepted as a backward-compatible alias. Ignored under `--isolated`. |
435
+ | `-b`, `--bind SRC[:DST]` | Bind-mount a custom host path (repeatable). `DST` must be an absolute guest path. Ignored under `--isolated`. |
477
436
  | `-w`, `--work-dir PATH` | Initial working directory (default: user's home). |
478
437
  | `-e`, `--env VAR=VALUE` | Set a guest environment variable (repeatable). |
479
438
  | `--get-chroot-cmd` | Print the fully assembled `env` + `chroot` command line and exit. |
480
439
 
481
440
  #### Display sharing
482
- Display sharing is active when using `--shared-display` (or `--shared-x11` as a backward-compatible alias).
483
- > It work best on regular Linux and in Termux it doesn't have all the options
484
-
485
- By default the container is isolated from the host's runtime state: its
486
- `/tmp` and `/run` are fresh and empty, so host temp files and host runtime
487
- sockets (D-Bus, PulseAudio, etc.) do not leak in. `/proc`, `/sys`, `/dev`,
488
- and `/dev/pts` are still bound from the host for hardware/USB access.
489
- `--shared-display` is the only way to expose the GUI/audio/D-Bus sockets;
490
- it binds **only** the specific sockets needed, never the whole `/run`.
491
-
492
- Display sharing forwards four subsystems from the invoking host session into
493
- the container:
494
-
495
- **X11**
496
- - `/tmp/.X11-unix` socket directory is bind-mounted into the guest.
497
- - `DISPLAY`, `XAUTHORITY`, and `XDG_RUNTIME_DIR` are forwarded.
498
- - The X authority file is bind-mounted when it lives outside `/run`.
499
- - Compositors such as niri with xwayland-satellite often authenticate X11
500
- clients by Unix-socket UID. Chroot-distro aligns the guest user's UID to
501
- the invoking host user when needed. If the guest cannot read the cookie
502
- file, it is copied to `/var/tmp/.chroot-distro-xauthority` (requires
503
- `xauth` on the host). If that fails, use `--shared-home`,
504
- `xhost +SI:localuser:GUEST`, or a UID-matched user.
505
-
506
- **Wayland**
507
- - `WAYLAND_DISPLAY` is forwarded (fallback: `wayland-0` if socket exists).
508
- - `XDG_SESSION_TYPE`, `XDG_CURRENT_DESKTOP`, and `DESKTOP_SESSION` are
509
- forwarded from the host session.
510
- - The host's `XDG_RUNTIME_DIR` (`/run/user/<uid>`) is bind-mounted whole
511
- with **rslave** propagation, so every session socket (Wayland,
512
- PulseAudio, PipeWire, D-Bus) is exposed and sockets created after mount
513
- stay visible — while the host's broad `/run` stays hidden. The system
514
- D-Bus socket (`/run/dbus/system_bus_socket`) is bound individually.
515
-
516
- > Note: logging in as **root** with `--shared-display` cannot use the
517
- > session D-Bus bus (it rejects uid 0 with "Connection reset by peer");
518
- > log in as a UID-matched normal user with `--user` for a working session
519
- > bus. The system bus works for root.
520
-
521
- **Sound (PulseAudio / PipeWire)**
522
- - `PULSE_SERVER` is forwarded (fallback: `unix:/run/user/<uid>/pulse/native`
523
- if the PulseAudio socket exists).
524
- - PipeWire apps discover their socket automatically via `XDG_RUNTIME_DIR`;
525
- no extra env var is needed.
526
-
527
- **D-Bus**
528
- - `DBUS_SESSION_BUS_ADDRESS` is forwarded (fallback:
529
- `unix:path=/run/user/<uid>/bus` if the socket exists).
530
-
531
- Use `--isolated` to skip all display sharing, or `--minimal` for only core
532
- pseudo-filesystems. Home is never bind-mounted unless you pass `--shared-home`.
441
+
442
+ Pass `--shared-display` (or `--shared-x11`) to use your host's screen,
443
+ audio, and D-Bus session inside the container — handy for running GUI
444
+ apps. It's opt-in: without this flag, none of that is shared, and `/tmp`
445
+ and `/run` stay isolated from the host. It works best on regular Linux;
446
+ on Termux only some of this is available. `--shared-display` (like every
447
+ `--shared-*` flag) is ignored if you also pass `--isolated`, since
448
+ `--isolated` binds no host paths at all drop `--isolated`, or use
449
+ `CD_USE_NS=1` instead, if you need display sharing alongside namespace
450
+ isolation.
533
451
 
534
452
  #### GPU acceleration (auto-detected)
535
453
 
536
- Chroot-distro automatically enables hardware-accelerated GPU rendering at
537
- login **no flag needed**, same tier as USB and general hardware access.
538
- GPU passthrough is independent of `--shared-display`. (It doesn't work on
539
- Termux.)
540
-
541
- **AMD and Intel** (open-source Mesa drivers)
542
- - Works out of the box. Host `/dev` (including `/dev/dri/` render nodes) is
543
- bind-mounted into the container. The host's Vulkan/EGL/OpenCL ICD and
544
- loader-config descriptors are bound read-only so the guest's own Mesa
545
- stack can enumerate the hardware. Driver `.so` files are **not** bound:
546
- shadowing the container's own Mesa libraries corrupts its loader.
547
-
548
- **NVIDIA — native Linux** (proprietary driver)
549
- - Detection: `/dev/nvidia0` exists, or `libcuda*.so*` / `libnvidia*.so*`
550
- found under `/usr/lib*/`.
551
- - Bind-mounts: `/dev/nvidia*` device nodes, `/dev/dri/card*` and
552
- `/dev/dri/renderD*` DRM nodes, host NVIDIA `.so` libraries mapped to the
553
- correct guest library directory (multi-arch aware), NVIDIA config and ICD
554
- files (`/etc/`, EGL/Vulkan JSON descriptors, OpenCL ICD), and NVIDIA CLI
555
- tools (`nvidia-smi`, etc.). Vendor-neutral GLVND/GBM dispatch libraries
556
- (`libGL`, `libEGL`, `libGLX`, `libgbm`, …) and zero-byte sources are never
557
- bound, so the container's own loader is not shadowed.
558
- - Runs independent of `--shared-display`: the GPU works whether or not the
559
- display is shared.
560
- - Environment variables set: `__NV_PRIME_RENDER_OFFLOAD=1`,
561
- `__GLX_VENDOR_LIBRARY_NAME=nvidia`.
562
- - Guest `ldconfig` is run inside the chroot to refresh the shared library
563
- cache after the new libraries are bind-mounted.
454
+ If you have a GPU (AMD, Intel, or NVIDIA), Chroot-Distro automatically
455
+ sets it up for hardware-accelerated rendering no flag needed. This
456
+ works independently of display sharing and isn't available on Termux.
564
457
 
565
458
  #### Namespace isolation (`--isolated` and `CD_USE_NS`)
566
459
 
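Review bot: the rewritten "Display sharing" and "GPU acceleration" sections no longer list what is exposed to the guest. The removed text named the whole `XDG_RUNTIME_DIR` bind with rslave propagation, the system D-Bus socket, the X authority copy to `/var/tmp/.chroot-distro-xauthority`, guest UID alignment, and the host NVIDIA libraries and device nodes. Keep that inventory, here or on a linked reference page, so users can judge the host exposure of `--shared-display` and of the auto-enabled GPU passthrough. Several added lines also lost their separating punctuation, for example "Binds **no** host paths at all `--shared-home`", "at all drop `--isolated`" and "rendering no flag needed".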
@@ -572,16 +465,17 @@ when the kernel supports it, skipped otherwise); the **mount/PID/UTS/IPC**
572
465
  set is **all-or-nothing**: chroot-distro probes that set first, and if any
573
466
  one of them is unsupported on the kernel it acquires none of them and falls
574
467
  back fully to a non-isolated login (with a warning naming the missing
575
- namespace), so a session is never left half-isolated. This is inspired by
576
- [Ubuntu-Chroot](Ubuntu-Chroot/tools/chroot.sh) and is **not** a full
468
+ namespace), so a session is never left half-isolated. This is **not** a full
577
469
  container runtime: there is no network namespace, no user namespace
578
470
  mapping, and no image layering.
579
471
 
580
- `--isolated` couples two things: namespace isolation **and** a reduced set
581
- of host bind mounts (it skips the Android system/storage/`$PREFIX` binds on
582
- Termux, and `/tmp`/display sharing on Linux, unless re-enabled with
583
- `--shared-*` / `--bind`). If you want **only** the namespace isolation
584
- while keeping every default mount, set the `CD_USE_NS=1` environment
472
+ `--isolated` couples two things: namespace isolation **and** binding no
473
+ host paths at all no Android system/storage/`$PREFIX` binds on Termux,
474
+ no `/tmp` sharing, no display sharing on Linux, and no `--shared-*` /
475
+ `--bind` flags take effect (they're accepted but ignored, with a
476
+ warning, since there's nothing to bind into). If you want **only** the
477
+ namespace isolation while keeping every default mount — and keeping
478
+ `--shared-*` / `--bind` working — set the `CD_USE_NS=1` environment
585
479
  variable instead: every `login`/`run` then runs in the same
586
480
  mount/PID/UTS/IPC/cgroup namespaces but with the full default mount set
587
481
  intact. `CD_USE_NS` accepts `1`/`true`/`yes`/`on`.
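Review bot: In the rewritten `--isolated` paragraph, `--shared-*` / `--bind` are "accepted but ignored, with a warning", which lets a script that depends on a bind keep running without it; failing with a usage error when these flags are combined with `--isolated` would be safer than a warning that is easy to miss. The phrase "binding no host paths at all" also needs to be reconciled with the GPU bullet added under Limitations, which says passthrough is "not gated behind `--isolated`": state explicitly whether `/dev/dri` and the NVIDIA device nodes are still bound in an isolated session.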
@@ -733,20 +627,41 @@ printed.
733
627
 
734
628
  ---
735
629
 
736
- ### `ps` — List running containers
630
+ ### `ps` — List active sessions
737
631
 
738
632
  ```
739
633
  chroot-distro ps [OPTIONS]
740
634
  ```
741
635
 
742
- List only containers that are currently **running** those with a live
743
- process inside their chroot or an active namespace holder. Columns match
744
- `list` (rootfs size, image source, status). Does not require root.
636
+ List every active container session one row per live `login` or `run`.
637
+ Each session is tracked by a per-PID JSON file under
638
+ `$RUNTIME_DIR/sessions/` with flock-based liveness detection (immune to
639
+ PID recycling and crash-safe). Does not require root.
640
+
641
+ Output columns:
642
+
643
+ | Column | Description |
644
+ |---|---|
645
+ | `PID` | Host PID of the session's chroot process. |
646
+ | `CONTAINER` | Container name. |
647
+ | `TYPE` | `login` or `run` (recorded at session start). |
648
+ | `USER` | User the session runs as. |
649
+ | `UPTIME` | Elapsed time since session start (e.g. `3m12s`, `1h04m`). |
650
+ | `COMMAND` | Inner command line (shell-quoted, truncated to terminal width). |
651
+
652
+ Example output:
653
+
654
+ ```
655
+ PID CONTAINER TYPE USER UPTIME COMMAND
656
+ 12345 ubuntu login root 3m12s /bin/bash -l
657
+ 12388 debian run* root 0m44s nginx -g 'daemon off;'
658
+
659
+ * detached session
660
+ ```
745
661
 
746
662
  | Option | Description |
747
663
  |---|---|
748
- | `-a`, `--all` | Show all installed containers, not just running ones. |
749
- | `-q`, `--quiet` | Print only container names, one per line. |
664
+ | `-q`, `--quiet` | Print only PIDs, one per line (for scripting). |
750
665
 
751
666
  ---
752
667
 
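Review bot: The example output shows `run*` with a "* detached session" footnote, but the `TYPE` row of the column table only allows `login` or `run`; document the `*` marker in the table. `-q` changes meaning from container names to PIDs and `-a` is removed in the same hunk, which breaks scripts that parse the old output, so this needs an explicit compatibility note. Because each session file backs the `COMMAND` column with the inner command line, the section should also state the permissions on `$RUNTIME_DIR/sessions/`, given that `ps` "Does not require root".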
@@ -839,14 +754,12 @@ fallback.
839
754
  ### `kill` — Forcibly stop a running container
840
755
 
841
756
  ```
842
- chroot-distro kill CONTAINER
843
- Aliases: k, stop
757
+ chroot-distro kill (CONTAINER | PID)
844
758
  ```
845
759
 
846
- Forcibly stop a running container: all processes inside its chroot are
847
- sent `SIGTERM` and then `SIGKILL` after a short grace period, the bind
848
- mounts are unmounted, and the namespace holder (if any) is released. This
849
- is the abrupt counterpart to `unmount` (equivalent to `docker kill`).
760
+ Forcibly stop a running container. The argument may be a container name or a session PID shown in `chroot-distro ps`. When a session PID is provided, the entire container that the session belongs to is stopped. Only PIDs from active chroot-distro sessions are accepted; random host PIDs are rejected.
761
+
762
+ All processes inside the container's chroot are sent `SIGTERM` and then `SIGKILL` after a short grace period, the bind mounts are unmounted, and the namespace holder (if any) is released. This is the abrupt counterpart to `unmount` (equivalent to `docker kill`).
850
763
 
851
764
  ---
852
765
 
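Review bot: The new usage line `chroot-distro kill (CONTAINER | PID)` does not say how an all-digit argument is resolved when a container with that name exists; state the precedence (or forbid numeric container names), because the wrong match stops an entire container. The `Aliases: k, stop` line is removed without saying whether the aliases still work.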
@@ -1110,11 +1023,12 @@ in the [`install`](#install--install-a-container) section.
1110
1023
 
1111
1024
  ### 2. Native chroot and bind mounts
1112
1025
 
1113
- Unlike `proot`, which rewrites paths via `ptrace`, Chroot-Distro uses
1114
- real kernel features:
1026
+ Chroot-Distro uses real kernel features rather than path rewriting:
1115
1027
 
1116
1028
  - **Bind mounts** (`mount --bind`) for host directories inside the guest.
1117
- - **Session tracking** under `$RUNTIME_DIR/data/<name>/sessions`.
1029
+ - **Session tracking** under `$RUNTIME_DIR/data/<name>/sessions` (counter)
1030
+ and `$RUNTIME_DIR/sessions/<pid>.json` (per-session registry for `ps`,
1031
+ with `flock`-based liveness detection).
1118
1032
  - **Automatic mount/unmount**: the first session mounts; the last session
1119
1033
  exiting unmounts everything.
1120
1034
  - **Lazy unmount fallback** (`umount -l`) when a target is busy.
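Review bot: The **Session tracking** bullet now names two stores, `$RUNTIME_DIR/data/<name>/sessions` (counter) and `$RUNTIME_DIR/sessions/<pid>.json`, without saying which one the automatic unmount in the next bullet relies on. Say which is authoritative and what happens when they disagree after a crash, since `flock`-based liveness detection is described only for the per-session registry and not for the counter.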
@@ -1155,6 +1069,24 @@ Because mutating commands run as root after auto-elevation, effective
1155
1069
  paths on Linux are typically under `/root/.local/share/` and
1156
1070
  `/root/.cache/` unless you set `XDG_DATA_HOME` / `XDG_CACHE_HOME`.
1157
1071
 
1072
+ ### Directory Variables and Definitions
1073
+
1074
+ The application dynamically computes paths based on the environment (Termux/Android vs. Regular Linux):
1075
+
1076
+ | Variable | Description | Termux Path | Regular Linux Path |
1077
+ |---|---|---|---|
1078
+ | `RUNTIME_DIR` | Root directory for application state (containers, sessions, locks, logs). | `/data/data/com.termux/files/usr/var/lib/chroot-distro` | `~/.local/share/chroot-distro` |
1079
+ | `BASE_CACHE_DIR` | Base directory for caching downloaded OCI layers, manifests, and build cache index. | `$RUNTIME_DIR/cache` | `~/.cache/chroot-distro` |
1080
+ | `CONTAINERS_DIR` | Directory containing the root filesystems (`rootfs`) of installed distributions. | `$RUNTIME_DIR/containers` | `~/.local/share/chroot-distro/containers` |
1081
+ | `SESSIONS_DIR` | Directory for active session tracker files (`<pid>.json`) used by the `ps` command. | `$RUNTIME_DIR/sessions` | `~/.local/share/chroot-distro/sessions` |
1082
+ | `LOCKS_DIR` | Directory for POSIX flock files to prevent concurrent access conflicts. | `$RUNTIME_DIR/locks` | `~/.local/share/chroot-distro/locks` |
1083
+ | `LAYER_CACHE_DIR` | Directory where downloaded OCI layers are cached. | `$BASE_CACHE_DIR/oci_layers` | `~/.cache/chroot-distro/oci_layers` |
1084
+ | `MANIFEST_CACHE_DIR` | Directory where fetched OCI manifests are cached. | `$BASE_CACHE_DIR/oci_manifests` | `~/.cache/chroot-distro/oci_manifests` |
1085
+
1086
+ > [!NOTE]
1087
+ > Since mutating commands on regular Linux run as `root` (via auto-elevation), the regular Linux paths above will default to being under the `/root` home directory (e.g., `/root/.local/share/chroot-distro` and `/root/.cache/chroot-distro`) unless `XDG_DATA_HOME` or `XDG_CACHE_HOME` are explicitly set and forwarded.
1088
+
1089
+
1158
1090
  | Path | Contents |
1159
1091
  |---|---|
1160
1092
  | `containers/<name>/rootfs/` | Container root filesystem |
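Review bot: The added `[!NOTE]` repeats the unchanged paragraph directly above the new heading (paths end up under `/root/.local/share/` and `/root/.cache/` unless `XDG_DATA_HOME` / `XDG_CACHE_HOME` are set); drop one of the two. The "Regular Linux Path" column hardcodes `~/.local/share/chroot-distro` and `~/.cache/chroot-distro` rather than `$XDG_DATA_HOME/chroot-distro` and `$XDG_CACHE_HOME/chroot-distro`, and with `SESSIONS_DIR` resolving under `/root` after auto-elevation it is unclear how a `ps` that does not require root reads it; the table should say which user's directory each command uses. There is also a doubled blank line before the `| Path | Contents |` table.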
@@ -1180,7 +1112,7 @@ paths on Linux are typically under `/root/.local/share/` and
1180
1112
  | `TERMUX_APP__APP_VERSION_NAME`, `TERMUX_VERSION` | Either counts toward Termux detection when set. |
1181
1113
  | `XDG_DATA_HOME` | Base for `$XDG_DATA_HOME/chroot-distro/` on non-Termux hosts. Default: `~/.local/share`. |
1182
1114
  | `XDG_CACHE_HOME` | Base for `$XDG_CACHE_HOME/chroot-distro/` on non-Termux hosts. Default: `~/.cache`. |
1183
- | `CD_DOCKER_AUTH` | Registry credentials as `username:password` or `username:PAT` (colon required). Used by `install`, `build` (`FROM` pulls), and `push`. `PD_DOCKER_AUTH` is accepted as a fallback. |
1115
+ | `CD_DOCKER_AUTH` | Registry credentials as `username:password` or `username:PAT` (colon required). Used by `install`, `build` (`FROM` pulls), and `push`. |
1184
1116
  | `CD_DOWNLOAD_WORKERS` | Parallel registry layer downloads during `install` (default `4`, maximum `10`). Invalid values use the default; out-of-range values are clamped. |
1185
1117
  | `CD_DOWNLOAD_RATE_LIMIT` | Bandwidth limit for downloads (e.g., `5M` for 5 MiB/s, default `0` = unlimited). Supports suffixes `K`, `M`, `G` (case-insensitive). |
1186
1118
  | `CD_DOWNLOAD_MAX_RETRIES` | Maximum retry attempts per connection failure (default `3`, clamped between `0` and `20`). |
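Review bot: The `CD_DOCKER_AUTH` row drops the sentence "`PD_DOCKER_AUTH` is accepted as a fallback" with no migration note. If the fallback is gone, document it as a breaking change and say what happens when only `PD_DOCKER_AUTH` is set (error, warning, or unauthenticated pull), so that a private pull does not fail without a pointer to the remaining variable.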
@@ -1195,7 +1127,8 @@ These are set automatically by chroot-distro at login. They cannot be
1195
1127
  overridden from `manifest.json` image `Env`, but can be overridden with
1196
1128
  `--env`.
1197
1129
 
1198
- **Display and audio (Linux, non-minimal, display sharing active):**
1130
+ **Display and audio (Linux, non-minimal, only when `--shared-display` /
1131
+ `--shared-x11` is passed — not set by default):**
1199
1132
 
1200
1133
  | Variable | Source / Fallback |
1201
1134
  |---|---|
@@ -1209,26 +1142,13 @@ overridden from `manifest.json` image `Env`, but can be overridden with
1209
1142
  | `PULSE_SERVER` | Host `$PULSE_SERVER`; fallback `unix:/run/user/<uid>/pulse/native` if socket exists |
1210
1143
  | `DBUS_SESSION_BUS_ADDRESS` | Host `$DBUS_SESSION_BUS_ADDRESS`; fallback `unix:path=/run/user/<uid>/bus` if socket exists |
1211
1144
 
1212
- **Hostname (always set, non-minimal):**
1213
-
1214
- | Variable | Source / Fallback |
1215
- |---|---|
1216
- | `HOSTNAME` | The container name. Under `--isolated` the UTS namespace hostname is also set so `hostname`/`uname -n` report it. |
1217
-
1218
- **GPU — NVIDIA native Linux (auto-detected, non-minimal):**
1219
-
1220
- | Variable | Value |
1221
- |---|---|
1222
- | `__NV_PRIME_RENDER_OFFLOAD` | `1` |
1223
- | `__GLX_VENDOR_LIBRARY_NAME` | `nvidia` |
1224
-
1225
- **GPU — WSL2 with NVIDIA (auto-detected, non-minimal):**
1145
+ **Hostname and GPU (non-minimal, auto-detected/auto-set):**
1226
1146
 
1227
1147
  | Variable | Value |
1228
1148
  |---|---|
1229
- | `GALLIUM_DRIVER` | `d3d12` |
1230
- | `MESA_D3D12_DEFAULT_DEVICE_TYPE` | `GPU` |
1231
- | `LIBGL_ALWAYS_SOFTWARE` | `0` |
1149
+ | `HOSTNAME` | The container name (`hostname`/`uname -n` only reflect it under `--isolated`) |
1150
+ | `__NV_PRIME_RENDER_OFFLOAD`, `__GLX_VENDOR_LIBRARY_NAME` | `1`, `nvidia` — NVIDIA on native Linux |
1151
+ | `GALLIUM_DRIVER`, `MESA_D3D12_DEFAULT_DEVICE_TYPE`, `LIBGL_ALWAYS_SOFTWARE` | `d3d12`, `GPU`, `0` — NVIDIA on WSL2 |
1232
1152
 
1233
1153
  ---
1234
1154
 
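Review bot: The merged `HOSTNAME` row says `hostname`/`uname -n` reflect the container name only under `--isolated`, but the namespace section states that `CD_USE_NS=1` runs sessions in the same UTS namespace; name both or explain the difference. Packing several variables and their values into one cell (`d3d12`, `GPU`, `0`) forces the reader to pair them by position, and the combined heading no longer shows that `HOSTNAME` was "always set" while the GPU variables are conditional; one row per variable with a condition column would keep that.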
@@ -1267,6 +1187,23 @@ cp src/chroot_distro/completions/chroot-distro.fish \
1267
1187
 
1268
1188
  ## Limitations
1269
1189
 
1190
+ ### Design choices (not limitations)
1191
+
1192
+ - **Shared network by default**: containers use the host's network stack
1193
+ directly. There is no network namespace and no per-container network
1194
+ isolation, even under `--isolated` / `CD_USE_NS=1`. This is intentional:
1195
+ Chroot-Distro targets fast, near-native access to the host (Wi-Fi,
1196
+ mobile data, VPNs already configured on the host, etc.) rather than
1197
+ Docker-style network sandboxing, so there is no virtual NIC, no NAT, and
1198
+ no per-container firewall to set up or work around.
1199
+ - **Shared GPU by default**: GPU passthrough (see
1200
+ [GPU acceleration](#gpu-acceleration-auto-detected)) is automatic and
1201
+ unconditional whenever supported hardware/drivers are detected — it is
1202
+ not gated behind `--isolated`, `--shared-display`, or any opt-in flag.
1203
+ The container talks to the same `/dev/dri`, NVIDIA device nodes, and
1204
+ driver stack as the host, by design, so 3D/Vulkan/OpenCL workloads work
1205
+ out of the box without per-container GPU allocation or arbitration.
1206
+
1270
1207
  ### Kernel and chroot limitations
1271
1208
 
1272
1209
  - **Root required**: real `chroot` and bind mounts need appropriate
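Review bot: The new "Design choices (not limitations)" subsection sits under `## Limitations` and presents the shared network and GPU only as conveniences; for a reader who picks `--isolated` as a containment measure, state the consequence directly: guest processes use the host's network stack and the host's `/dev/dri` and NVIDIA device nodes, so the flag does not separate the guest from either. The link target `#gpu-acceleration-auto-detected` should also be checked against the GPU heading as it stands after this README rewrite.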
@@ -1279,18 +1216,21 @@ cp src/chroot_distro/completions/chroot-distro.fish \
1279
1216
  guest.
1280
1217
  - **Namespaces**: `--isolated` (or `CD_USE_NS=1`) provides
1281
1218
  mount/PID/UTS/IPC isolation, plus the cgroup namespace when the kernel
1282
- supports it, via `unshare`/`nsenter` but there is no network namespace,
1283
- no user-namespace mapping, and no parity with Docker or Podman.
1219
+ supports it, via `unshare`/`nsenter`. There is no user-namespace mapping
1220
+ and no parity with Docker or Podman. (Networking is intentionally
1221
+ excluded from this isolation set — see
1222
+ [Design choices](#design-choices-not-limitations) above.)
1284
1223
  - **Bind mount hygiene**: crashed sessions or orphan processes can leave
1285
1224
  mounts busy; `unmount` and lazy unmount mitigate this but orphaned
1286
1225
  processes should be cleaned up.
1287
1226
 
1288
1227
  ### Chroot-Distro limitations
1289
1228
 
1290
- - **Termux requires root**: unlike proot-distro, Chroot-Distro cannot run
1291
- containers on a non-rooted Android device.
1229
+ - **Root is required on Termux**: Chroot-Distro relies on real `chroot`
1230
+ and bind mounts, so it cannot run containers on a non-rooted Android
1231
+ device.
1292
1232
  - **Registry authentication**: private pulls and pushes need
1293
- `CD_DOCKER_AUTH=user:password` (or `PD_DOCKER_AUTH`). Docker
1233
+ `CD_DOCKER_AUTH=user:password`. Docker
1294
1234
  `config.json` credential helpers are not read.
1295
1235
  - **Dockerfile builds are not BuildKit**: `RUN` executes under `chroot`,
1296
1236
  not a real container runtime. BuildKit-only Dockerfile features are