FAQ.md

File metadata and controls

28 lines (28 loc) · 2.51 KB

About container environment:

For safety, a ruri container behaves like a default Docker container: it masks some directories under /sys and /proc, drops capabilities that are not needed, and by default you cannot run commands such as mknod or mount.

About capability:

By default ruri sets the capability set to the same one a common Docker container gets. You can use -k [cap] or -d [cap] to keep or drop a capability and change that default.
For example, use -d cap_sys_admin to drop CAP_SYS_ADMIN.
In the future, new caps may be added to the kernel, and their names may not be recognized by older builds. You can use the numeric value of the cap instead (use capsh --explain=[cap] to get the value); for example, use -d 114 to drop cap 114 (I don't know what that cap would be, maybe it can make the superuser a homo).
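The following shell helpers are an added example, not part of ruri. They map capability names to the numeric values that -d and -k accept, and decode a CapBnd/CapEff mask of the kind shown in /proc/<pid>/status into names. The number table follows the kernel's capability.h numbering (0 through 40); any set bit above the last known entry is reported by number only, which is exactly the situation the FAQ describes for caps newer than the build you are running. The mask 00000000a80425fb used as sample input is constructed here and encodes the 14 capabilities a default Docker container keeps.

```shell
#!/bin/sh
# Added example (not ruri code): capability name <-> number lookup and
# bounding-set mask decoding, to help pick arguments for ruri -d / -k.

# Table of capability numbers from the kernel's capability.h (constant).
cap_table() {
    cat <<'EOF'
0 cap_chown
1 cap_dac_override
2 cap_dac_read_search
3 cap_fowner
4 cap_fsetid
5 cap_kill
6 cap_setgid
7 cap_setuid
8 cap_setpcap
9 cap_linux_immutable
10 cap_net_bind_service
11 cap_net_broadcast
12 cap_net_admin
13 cap_net_raw
14 cap_ipc_lock
15 cap_ipc_owner
16 cap_sys_module
17 cap_sys_rawio
18 cap_sys_chroot
19 cap_sys_ptrace
20 cap_sys_pacct
21 cap_sys_admin
22 cap_sys_boot
23 cap_sys_nice
24 cap_sys_resource
25 cap_sys_time
26 cap_sys_tty_config
27 cap_mknod
28 cap_lease
29 cap_audit_write
30 cap_audit_control
31 cap_setfcap
32 cap_mac_override
33 cap_mac_admin
34 cap_syslog
35 cap_wake_alarm
36 cap_block_suspend
37 cap_audit_read
38 cap_perfmon
39 cap_bpf
40 cap_checkpoint_restore
EOF
}

# cap_number NAME: print the numeric value for a cap name (any case).
# Exit status 1 when the name is not in the table.
cap_number() {
    want=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    cap_table | awk -v want="$want" '$2 == want { print $1; found = 1 } END { exit !found }'
}

# cap_name NUMBER: print the cap name for a number, exit 1 if unknown.
cap_name() {
    cap_table | awk -v want="$1" '$1 == want { print $2; found = 1 } END { exit !found }'
}

# decode_mask HEXMASK: one line "number name" per set bit, lowest first.
# Bits with no name in the table are flagged so you can still drop them
# by number with -d.
decode_mask() {
    mask=$(printf '%s' "$1" | sed 's/^0x//')
    [ -n "$mask" ] || return 1
    i=0
    while [ "$i" -lt 64 ]; do
        if [ $(( (0x$mask >> $i) & 1 )) -eq 1 ]; then
            name=$(cap_name "$i") || name="(no name in this table; drop with -d $i)"
            printf '%s %s\n' "$i" "$name"
        fi
        i=$((i + 1))
    done
}

# Demo on the constructed sample mask (Docker's default 14 caps).
decode_mask 00000000a80425fb
# Demo on the live bounding set of this shell, when /proc is available.
if [ -r /proc/self/status ]; then
    decode_mask "$(awk '/^CapBnd:/ { print $2 }' /proc/self/status)"
fi
```

Run it as a normal script to see both the sample decode and your own shell's bounding set; a line flagged "no name in this table" is a cap your userland does not know about yet, and the printed number is what you would pass to -d.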

About config:

Since v3.0, ruri can use k2v, a new simple config format, to store the config of a container.

About rurienv:

Since v3.0, ruri has no daemon; it uses a new way to store the info of a running container.
ruri creates a /.rurienv file inside the container to store the container's runtime info.
The rurienv file is managed automatically by ruri; please do not edit it.

About tty:

Running the tty command inside a ruri container may report "not a tty".
If you need to run a program that requires a terminal, such as gpg, run script -q -O /dev/null inside the container first.

About runtime dirs:

For better security, ruri creates /dev/, /sys/ and /proc/ itself after chroot(2) into the container. You can use the -S option to force it to bind-mount the host's system runtime dirs instead.

About multi-arch container:

Yes, you can run multi-arch containers with ruri if your device supports it.
It requires CONFIG_BINFMT_MISC to be enabled in your kernel config.
You need to copy qemu-*-static into your container first.
The qemu path is the absolute path of the qemu binary as seen inside the chroot container. For example, if you have a qemu binary at /path/to/container/qemu-amd64-static, use the arguments -a x86_64 -q /qemu-amd64-static to start the container.

About rootless container:

Commands that need setgroups(), such as su or apt, may not work in a rootless container.
You may need /etc/subuid and /etc/subgid configured on your system.
Rootless containers are still WIP.
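The pre-flight checks below are an added example (not ruri code) covering the two sections above: they confirm binfmt_misc is available before a multi-arch start, confirm the static qemu binary was actually copied to the path the container will see, and read the /etc/subuid and /etc/subgid entries a rootless container depends on. The -a/-q flag pair is the one the FAQ shows; the rootfs directory, the qemu path and the user name are inputs you supply, and the subuid lines in the test are constructed sample data.

```shell
#!/bin/sh
# Added example (not ruri code): checks to run before a multi-arch or
# rootless ruri container, so a missing prerequisite is found early.

# binfmt_misc_enabled: succeed if the kernel has CONFIG_BINFMT_MISC and
# the binfmt_misc pseudo-filesystem is mounted and switched on.
binfmt_misc_enabled() {
    f=/proc/sys/fs/binfmt_misc/status
    [ -r "$f" ] && [ "$(cat "$f")" = enabled ]
}

# qemu_args ROOTFS QEMU_PATH_IN_CONTAINER ARCH
# The qemu path must be absolute as seen from inside the container, so it
# is joined to ROOTFS for the existence check; prints the ruri flags.
# (Whether the binary is really static is not checked here; use the
# qemu-*-static builds as the FAQ says.)
qemu_args() {
    rootfs=$1; qemu=$2; arch=$3
    case "$qemu" in
        /*) ;;
        *)  printf 'qemu path must be absolute inside the container: %s\n' "$qemu" >&2
            return 1 ;;
    esac
    if [ ! -x "$rootfs$qemu" ]; then
        printf 'missing %s: copy qemu-*-static into the rootfs first\n' "$rootfs$qemu" >&2
        return 1
    fi
    printf '%s\n' "-a $arch -q $qemu"
}

# subid_range FILE USER: print "start count" from USER's "user:start:count"
# line in an /etc/subuid-style file; exit 1 if absent or unreadable.
subid_range() {
    [ -r "$1" ] || return 1
    awk -F: -v u="$2" '$1 == u { print $2, $3; found = 1 } END { exit !found }' "$1"
}

# rootless_ready [USER]: both subuid and subgid must have an entry.
rootless_ready() {
    user=${1:-$(id -un)}
    subid_range /etc/subuid "$user" >/dev/null && subid_range /etc/subgid "$user" >/dev/null
}

# Demo on this host.
if binfmt_misc_enabled; then
    echo "binfmt_misc: enabled (multi-arch possible)"
else
    echo "binfmt_misc: not available (check CONFIG_BINFMT_MISC and the mount)"
fi
if rootless_ready; then
    echo "subuid/subgid: configured for $(id -un)"
else
    echo "subuid/subgid: no entry for $(id -un); rootless su/apt will likely fail"
fi
```

Before a multi-arch start, call qemu_args with your rootfs, the in-container qemu path and the architecture, and append its output to the ruri command line; a non-zero exit means the binary is not where the container will look for it.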

About Seccomp:

The seccomp rules of ruri are based on Docker's default seccomp profile. ruri does not provide a way to change them at runtime, but you can edit src/seccomp.c and rewrite setup_seccomp() with your own config.