Skip to content
/ minit Public

minimal, secure, and efficient init system designed to run as PID 1

4 stars 0 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

ariacomputecompany/minit

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

1 Commit
src
src
 
 
.gitignore
.gitignore
 
 
Cargo.toml
Cargo.toml
 
 
README.md
README.md
 
 

Repository files navigation

minit

PID1 init process for Linux containers

minit is a minimal, secure, and efficient init system designed to run as PID 1 inside Linux containers. It provides proper process supervision, zombie reaping, signal forwarding, and a Unix socket-based exec interface.

minit powers Quilt containers. It runs as PID 1 inside every Quilt sandbox, providing the exec interface that enables Quilt's runtime command execution.

Features

  • PID 1 Process Supervision - Runs as container's init process, manages child processes
  • Zombie Process Reaping - Prevents zombie accumulation via proper waitpid() handling
  • Signal Forwarding - Forwards signals (SIGTERM, SIGINT, etc.) to process groups immediately
  • Unix Socket Interface - JSON-over-Unix-socket API for exec, health checks, and process control
  • Thread-per-Connection - Non-blocking control plane with concurrent exec support
  • Persistent Containers - Container survives entrypoint exit, continues serving exec requests

Security

  • Socket permissions (0600) + SO_PEERCRED validation (root-only)
  • Environment variable filtering (blocks LD_PRELOAD, LD_LIBRARY_PATH, etc.)
  • PATH resolution with executable bit validation
  • 1MB request/output buffer limits

Installation

git clone https://github.com/ariacomputecompany/minit.git
cd minit
cargo build --release

Usage

Basic Container Init

# Run minit as PID 1 with an entrypoint command
minit -- /bin/sh -c "echo 'Container started'; sleep infinity"

Container Without Entrypoint

# Run minit alone (container persists for exec requests)
minit

Exec Interface

Connect to /run/minit.sock and send JSON requests:

Health Check

{"type": "ping"}

Response:

{"type": "pong", "version": "0.0.1", "uptime_secs": 3600, "pid": 1}

Execute Command

{
  "type": "exec",
  "cmd": "echo",
  "args": ["hello", "world"],
  "env": {"PATH": "/bin:/usr/bin"},
  "timeout_ms": 30000
}

Response (streaming):

{"type": "stdout", "data": "hello world"}
{"type": "exit", "code": 0, "elapsed_ms": 5}

Send Signal

{"type": "kill", "pid": 123, "signal": "TERM"}

Testing

cargo test

Comparison

Feature minit tini dumb-init
Zombie reaping Yes Yes Yes
Signal forwarding Process groups Single PID Single PID
Exec API Yes No No
Security hardening Yes No No
Concurrent execs 100+ N/A N/A

MIT License - Copyright (c) 2025 Aria Compute Company

About

minimal, secure, and efficient init system designed to run as PID 1

Resources

Readme
Activity
Custom properties

Stars

4 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages