Bump version to 0.1.5 and fix table formatting across docs

Author: fiorix

Cargo.lock

@@ -1,6 +1,6 @@
 [package]
 name = "sdme"
-version = "0.1.3"
+version = "0.1.5"
 edition = "2021"
 description = "Lightweight systemd-nspawn containers with overlayfs"
 license = "MIT"

Cargo.toml

@@ -9,7 +9,7 @@ Download a static binary from [fiorix.github.io/sdme](https://fiorix.github.io/s
 Runs on Linux with systemd. Uses kernel overlayfs for copy-on-write storage. By default, containers are overlayfs clones of `/` but you can also import rootfs from other distros (Ubuntu, Debian, Fedora, NixOS; see [docs/nix](docs/nix/)).
 
 **Why does this even exist?**
-Here's my pitch: from a linux system with just systemd and sdme, you can create and run any container and cloud image that exists today. 1 binary.
+Here's my pitch: from a linux system with just systemd and sdme, you can create and run any container and cloud image that exists today.
 
 Check out the [sdme architecture](docs/architecture.md) for details about what this is and how it works. The containers we create are booted systemd containers.
 
@@ -54,13 +54,13 @@ sdme can also run OCI application images (nginx, mysql, etc.) as systemd service
 
 ### Runtime
 
-| Program | Package | Required for |
-|---------|---------|--------------|
-| `systemd` (>= 252) | `systemd` | All commands (D-Bus communication) |
-| `systemd-nspawn` | `systemd-container` | Running containers (`sdme start`) |
-| `machinectl` | `systemd-container` | `sdme join`, `sdme exec`, `sdme new` |
-| `journalctl` | `systemd` | `sdme logs` |
-| `qemu-nbd` | `qemu-utils` | `sdme fs import` (QCOW2 images only) |
+| Program              | Package              | Required for                          |
+|----------------------|----------------------|---------------------------------------|
+| `systemd` (>= 252)   | `systemd`            | All commands (D-Bus communication)    |
+| `systemd-nspawn`     | `systemd-container`  | Running containers (`sdme start`)     |
+| `machinectl`         | `systemd-container`  | `sdme join`, `sdme exec`, `sdme new`  |
+| `journalctl`         | `systemd`            | `sdme logs`                           |
+| `qemu-nbd`           | `qemu-utils`         | `sdme fs import` (QCOW2 images only)  |
 
 ### Install all dependencies (Debian/Ubuntu)
 

README.md

@@ -285,12 +285,12 @@ friends.
 **Compression auto-detection** uses magic bytes rather than file extensions.
 The first few bytes of a file reveal its compression format:
 
-| Magic bytes         | Format |
-|---------------------|--------|
-| `1f 8b`             | gzip   |
-| `BZh`               | bzip2  |
-| `fd 37 7a 58 5a 00` | xz     |
-| `28 b5 2f fd`       | zstd   |
+| Magic bytes            | Format |
+|------------------------|--------|
+| `1f 8b`                | gzip   |
+| `BZh`                  | bzip2  |
+| `fd 37 7a 58 5a 00`   | xz     |
+| `28 b5 2f fd`          | zstd   |
 
 This means `sdme fs import ubuntu rootfs.tar.zst` works even if the file is
 named `rootfs.tar`, because the content, not the name, determines the decompressor.
@@ -578,11 +578,11 @@ specs are validated for format (`HOST:CONTAINER[/PROTO]`) and range (1-65535).
 
 sdme exposes three cgroup-based resource controls:
 
-| Flag                      | systemd property | Example                                 |
-|---------------------------|------------------|-----------------------------------------|
-| `--memory <size>`         | `MemoryMax=`     | `--memory 2G`                           |
-| `--cpus <count>`          | `CPUQuota=`      | `--cpus 0.5` (50%), `--cpus 2` (200%)   |
-| `--cpu-weight <1-10000>`  | `CPUWeight=`     | `--cpu-weight 100`                      |
+| Flag                     | systemd property | Example                                |
+|--------------------------|------------------|----------------------------------------|
+| `--memory <size>`        | `MemoryMax=`     | `--memory 2G`                          |
+| `--cpus <count>`         | `CPUQuota=`      | `--cpus 0.5` (50%), `--cpus 2` (200%) |
+| `--cpu-weight <1-10000>` | `CPUWeight=`     | `--cpu-weight 100`                     |
 
 These flags are available on `sdme create`, `sdme new`, and `sdme set`. They
 are applied via a systemd drop-in file (`limits.conf`) installed alongside the
@@ -618,13 +618,13 @@ pipe-separated) and reconstituted into nspawn arguments on every start.
 
 sdme stores its settings in a TOML file at `~/.config/sdme/sdmerc`:
 
-| Setting                    | Default                        | Description                                                            |
-|----------------------------|--------------------------------|------------------------------------------------------------------------|
-| `interactive`              | `true`                         | Enable interactive prompts                                             |
-| `datadir`                  | `/var/lib/sdme`                | Root directory for all container and rootfs data                       |
-| `boot_timeout`             | `60`                           | Seconds to wait for container boot before giving up                    |
-| `join_as_sudo_user`        | `true`                         | Join host-rootfs containers as `$SUDO_USER` instead of root            |
-| `host_rootfs_opaque_dirs`  | `/etc/systemd/system,/var/log` | Default opaque dirs for host-rootfs containers (empty string disables) |
+| Setting                   | Default                        | Description                                                            |
+|---------------------------|--------------------------------|------------------------------------------------------------------------|
+| `interactive`             | `true`                         | Enable interactive prompts                                             |
+| `datadir`                 | `/var/lib/sdme`                | Root directory for all container and rootfs data                       |
+| `boot_timeout`            | `60`                           | Seconds to wait for container boot before giving up                    |
+| `join_as_sudo_user`       | `true`                         | Join host-rootfs containers as `$SUDO_USER` instead of root            |
+| `host_rootfs_opaque_dirs` | `/etc/systemd/system,/var/log` | Default opaque dirs for host-rootfs containers (empty string disables) |
 
 Settings are read with `sdme config get` and written with `sdme config set <key> <value>`.
 

docs/architecture.md

@@ -50,17 +50,17 @@ real `open()`. All other paths fall through to the real `openat` syscall.
 
 The intercepted paths are:
 
-| Path | Result |
-|------|--------|
-| `/dev/stdin` | `dup(0)` |
-| `/dev/stdout` | `dup(1)` |
-| `/dev/stderr` | `dup(2)` |
-| `/dev/fd/0` | `dup(0)` |
-| `/dev/fd/1` | `dup(1)` |
-| `/dev/fd/2` | `dup(2)` |
-| `/proc/self/fd/0` | `dup(0)` |
-| `/proc/self/fd/1` | `dup(1)` |
-| `/proc/self/fd/2` | `dup(2)` |
+| Path               | Result   |
+|--------------------|----------|
+| `/dev/stdin`       | `dup(0)` |
+| `/dev/stdout`      | `dup(1)` |
+| `/dev/stderr`      | `dup(2)` |
+| `/dev/fd/0`        | `dup(0)` |
+| `/dev/fd/1`        | `dup(1)` |
+| `/dev/fd/2`        | `dup(2)` |
+| `/proc/self/fd/0`  | `dup(0)` |
+| `/proc/self/fd/1`  | `dup(1)` |
+| `/proc/self/fd/2`  | `dup(2)` |
 
 The `dup()` call returns a new file descriptor that refers to the same
 underlying kernel object (the journal socket). Since `write()` on a socket fd
@@ -79,10 +79,10 @@ that they can close without affecting the original.
 
 The shared library is generated at import time matching the host architecture:
 
-| Architecture | Syscall ABI | Binary Size |
-|---|---|---|
-| x86_64 | `syscall` instruction, rax=nr | ~4 KiB |
-| aarch64 | `svc #0` instruction, x8=nr | ~4 KiB |
+| Architecture | Syscall ABI                   | Binary Size |
+|--------------|-------------------------------|-------------|
+| x86_64       | `syscall` instruction, rax=nr | ~4 KiB      |
+| aarch64      | `svc #0` instruction, x8=nr   | ~4 KiB      |
 
 The binaries are generated purely in Rust (no assembler, no external tools,
 no libc) by the `src/devfd_shim/` module.
@@ -183,12 +183,12 @@ approximately 4 KiB.
 
 The module structure follows the same pattern as `drop_privs`:
 
-| File | Purpose |
-|------|---------|
-| `src/devfd_shim/mod.rs` | Public API: `generate(Arch) -> Vec<u8>` |
-| `src/devfd_shim/elf.rs` | ET_DYN ELF builder with SysV hash table |
-| `src/devfd_shim/x86_64.rs` | x86_64 machine code emitter |
-| `src/devfd_shim/aarch64.rs` | AArch64 machine code emitter |
+| File                        | Purpose                                  |
+|-----------------------------|------------------------------------------|
+| `src/devfd_shim/mod.rs`     | Public API: `generate(Arch) -> Vec<u8>`  |
+| `src/devfd_shim/elf.rs`     | ET_DYN ELF builder with SysV hash table  |
+| `src/devfd_shim/x86_64.rs`  | x86_64 machine code emitter              |
+| `src/devfd_shim/aarch64.rs` | AArch64 machine code emitter             |
 
 Both architecture modules use their own `Asm` struct with a label/fixup system
 tailored to the ISA (x86_64 uses rel8/rel32 fixups for variable-length

docs/devfd-shim.md

@@ -44,10 +44,10 @@ Each syscall is checked for errors. On failure, a diagnostic message is written
 
 The ELF binary is generated at import time matching the host architecture:
 
-| Architecture | Syscall ABI | Binary Size |
-|---|---|---|
-| x86_64 | `syscall` instruction, rax=nr | < 1 KiB |
-| aarch64 | `svc #0` instruction, x8=nr | < 1 KiB |
+| Architecture | Syscall ABI                   | Binary Size |
+|--------------|-------------------------------|-------------|
+| x86_64       | `syscall` instruction, rax=nr | < 1 KiB     |
+| aarch64      | `svc #0` instruction, x8=nr   | < 1 KiB     |
 
 The binaries are generated purely in Rust (no assembler, no external tools) by the `src/drop_privs/` module.
 
@@ -105,10 +105,10 @@ The privilege-dropping sequence is designed to be irreversible:
 
 The OCI `User` field supports several formats:
 
-| Format | Behavior |
-|---|---|
-| `""`, `"root"`, `"0"` | Root; uses standard `User=root` |
-| `"name"` | Resolved via `etc/passwd` in OCI rootfs |
-| `"uid"` | Used directly; primary GID from `etc/passwd` if found, else gid=uid |
-| `"name:group"` | User from `etc/passwd`, group from `etc/group` |
-| `"uid:gid"` | Both used directly |
+| Format                 | Behavior                                                            |
+|------------------------|---------------------------------------------------------------------|
+| `""`, `"root"`, `"0"`  | Root; uses standard `User=root`                                     |
+| `"name"`               | Resolved via `etc/passwd` in OCI rootfs                             |
+| `"uid"`                | Used directly; primary GID from `etc/passwd` if found, else gid=uid |
+| `"name:group"`         | User from `etc/passwd`, group from `etc/group`                      |
+| `"uid:gid"`            | Both used directly                                                  |

docs/drop-privs.md

@@ -33,12 +33,12 @@ A systemd service unit (`sdme-oci-app.service`) is generated that chroots into
 
 The `--oci-mode` flag lets you override auto-detection:
 
-| Flag | Behavior |
-|------|----------|
-| `--oci-mode=auto` | Auto-detect from image config (default) |
-| `--oci-mode=base` | Force base OS mode |
-| `--oci-mode=app` | Force application mode (requires `--base-fs`) |
-| `--oci-mode=connector` | Force connector mode (requires `--base-fs`) |
+| Flag                   | Behavior                                      |
+|------------------------|-----------------------------------------------|
+| `--oci-mode=auto`      | Auto-detect from image config (default)        |
+| `--oci-mode=base`      | Force base OS mode                             |
+| `--oci-mode=app`       | Force application mode (requires `--base-fs`)  |
+| `--oci-mode=connector` | Force connector mode (requires `--base-fs`)    |
 
 ## How it works