Isolator: application isolation and deployment toolkit

At GeneralSync, we wanted to deploy almost-ready-to-run logical containers. The 'almost' refers to configuration that is specific to the machine we deploy to, such as database passwords. To bundle software, static data, static configuration and hooks that tie them to system-specific configuration and to storage locations for volatile data, we created a small tool called Isolator.

We use Gentoo internally, which provides a flexible package manager (portage). With Isolator, a new chroot is populated by portage according to a so-called schematic, which contains metadata about all applications, metadata about relevant files on the host (such as system-specific configuration) and any static data required. Furthermore, Isolator can run the applications within the container with some light isolation: under a restricted user account, in a separate mount namespace that mostly uses nosuid and read-only (ro) mounts, ensuring that only intended areas are writable and the application cannot elevate its privileges.
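As an added example (not part of Isolator), a POSIX shell check that audits a mount table in the format of /proc/<pid>/mounts against the policy described above: every mount must be ro and nosuid except the intended writable areas, which must still be nosuid. The two mount tables are constructed samples and the mount points are assumptions.

```shell
#!/bin/sh
# Audit a mount table (format of /proc/<pid>/mounts) for an isolated process:
# every mount must carry "ro" and "nosuid" unless its mount point is one of
# the intended writable areas, which must still carry "nosuid".
# Usage: audit_mounts MOUNTS_FILE [WRITABLE_MOUNTPOINT ...]
# Returns 0 when the table complies, 1 otherwise, printing each violation.
audit_mounts() {
    mounts_file=$1
    shift
    violations=0
    while read -r _dev mnt _fstype opts _rest; do
        [ -n "$mnt" ] || continue
        intended_writable=0
        for w in "$@"; do
            if [ "$mnt" = "$w" ]; then intended_writable=1; fi
        done
        # Options are comma separated; match whole tokens so "ro" does not
        # match the "errors=remount-ro" option.
        case ",$opts," in *,ro,*) has_ro=1 ;; *) has_ro=0 ;; esac
        case ",$opts," in *,nosuid,*) has_nosuid=1 ;; *) has_nosuid=0 ;; esac
        if [ "$has_nosuid" -eq 0 ]; then
            echo "VIOLATION: $mnt is mounted without nosuid ($opts)"
            violations=$((violations + 1))
        fi
        if [ "$intended_writable" -eq 0 ] && [ "$has_ro" -eq 0 ]; then
            echo "VIOLATION: $mnt is writable but not an intended writable area ($opts)"
            violations=$((violations + 1))
        fi
    done < "$mounts_file"
    [ "$violations" -eq 0 ]
}

# Constructed sample tables (not captured from a real system).
GOOD_TABLE=$(mktemp)
cat > "$GOOD_TABLE" <<'EOF'
/dev/sda2 / ext4 ro,nosuid,nodev,relatime 0 0
/dev/sda2 /etc ext4 ro,nosuid,nodev,relatime 0 0
tmpfs /run tmpfs rw,nosuid,nodev,noexec,relatime 0 0
/dev/sda3 /var/lib/app ext4 rw,nosuid,nodev,relatime 0 0
EOF
BAD_TABLE=$(mktemp)
cat > "$BAD_TABLE" <<'EOF'
/dev/sda2 / ext4 ro,nosuid,nodev,relatime 0 0
/dev/sda2 /usr ext4 rw,nodev,relatime,errors=remount-ro 0 0
tmpfs /run tmpfs rw,nosuid,nodev,noexec,relatime 0 0
EOF

if audit_mounts "$GOOD_TABLE" /run /var/lib/app; then echo "good table: OK"; fi
if ! audit_mounts "$BAD_TABLE" /run /var/lib/app; then echo "bad table: rejected"; fi
```

Run it against /proc/<pid>/mounts of a process started by the isolation tool to confirm the mount namespace actually matches the intended policy.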

You can view or download Isolator on our git server. Isolator is licensed under the Apache License, Version 2.0.