Super Privileged Containers – Daniel J Walsh





SPC: Presentation on Super Privileged Containers

On GitHub: rhatdan/SPC

Super Privileged Containers

Daniel J Walsh

Consulting Engineer

Twitter: @rhatdan

Blog: danwalsh.livejournal.com

Email: dwalsh@redhat.com

Problem Statement

On Atomic Host we don't support yum install

Make sure Atomic Host is minimal in size

How do I admin a machine without traceroute, strace, gdb, ...?

Customers want to install their favorite tools on Atomic Host

Atomic Host rule: prove your application can't run in a container

Problem Statement

I want to ship an application that will manage the host

I want to ship an application that will manage containers

Super Privileged Containers "SPC"

Really just a concept

A way to run certain types of containers

SPC will manipulate content on the host

SPC can be used to manipulate other containers

Turn off the security

Wait, what did Dan Walsh just say?

Turn the Security off????


News Flash: @rhatdan Says turn the Security off?

Privileged Containers

Turn off the security

docker run --privileged

This will:

Enable all Linux capabilities

Disable SELinux separation

Disable SECCOMP and User Namespace separation

Disable mounting of file systems read-only

Allow the creation of all Linux devices

Super Privileged Containers

Turn off namespace separation

docker run --net=host (Use the host's network devices)

docker run --ipc=host (Share the host's IPC namespace)

docker run --pid=host (See all of the processes on the host)

docker run --dev=host (Share /dev with the host; proposed, not yet in docker)

Super Privileged Containers

Mount the host's file systems into the container

docker run -v /run:/run

Allows a container process to communicate with dbus, systemd or even the docker daemon

docker run -v /:/host -e HOST=/host

Shares the entire host file system into the container; $HOST tells tools inside where the host root lives

DEMO

Boy, that is an awfully long command line

/usr/bin/docker run -t -i --rm --privileged -v /:/host -v /run:/run -v /etc/localtime:/etc/localtime --net=host --ipc=host --pid=host -e HOST=/host -e NAME=fedora-spc -e IMAGE=fedora fedora /bin/sh

rheltools image

strace, gdb, sosreport

man pages, ...

Introducing 'atomic' command

Allows you to run containers in SPC mode

atomic run --spc rheltools /bin/sh

/usr/bin/docker run -t -i --rm --privileged -v /:/host -v /run:/run -v /etc/localtime:/etc/localtime --net=host --ipc=host --pid=host -e HOST=/host -e NAME=rheltools-spc -e IMAGE=rheltools rheltools /bin/sh

Introducing 'atomic' command

Wraps the rpm-ostree command when run on an Atomic Host

atomic host upgrade

atomic host rollback

atomic host status

Problem Statement

My application is nicely rolled into a container image. How do I tell the user to run it?

My application runs mostly confined but needs additional privileges

An ntpd container needs to run with --cap-add SYS_TIME

Introducing container image LABELS

LABEL patch: developers can add content to the image JSON data

LABEL RUN docker run -d --name ntpd --cap-add SYS_TIME IMAGE

atomic run ntpd

Let's look at container images differently

Container images are a new way to ship applications

Look at images as a software delivery mechanism

I package up my JBoss application into a Docker image, move it to a repository, and then what?

How does the customer install it?

How does it get configured to run on the host system?

Where do I ship the config or install script?

Embed installation procedure within the container image

LABEL INSTALL docker run --privileged --rm -ti -v /:/host -e HOST=/host -v /run:/run IMAGE /bin/install.sh

LABEL UNINSTALL docker run --privileged --rm -ti -v /:/host -e HOST=/host -v /run:/run IMAGE /bin/install.sh
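As an added example (not the deck's or the atomic project's own code), this Python sketch shows the two mechanisms from the slides: expanding `atomic run --spc` into the long docker command line, and reading a RUN or INSTALL label out of `docker inspect` output with the IMAGE and NAME tokens substituted. The whole-token placeholder convention, the constructed inspect JSON and the `risky_flags` review helper are assumptions of the example.

```python
import json
import shlex

# Flags from the deck's long command line: privileged, host namespaces, and
# the host's root, /run and localtime mounted into the container.
SPC_FLAGS = ["-t", "-i", "--rm", "--privileged", "-v", "/:/host", "-v", "/run:/run",
             "-v", "/etc/localtime:/etc/localtime", "--net=host", "--ipc=host",
             "--pid=host", "-e", "HOST=/host"]


def spc_command(image, cmd=("/bin/sh",)):
    """Expand `atomic run --spc IMAGE CMD` into the docker argv shown on the slides."""
    name = image + "-spc"
    return (["/usr/bin/docker", "run"] + SPC_FLAGS
            + ["-e", "NAME=" + name, "-e", "IMAGE=" + image, image] + list(cmd))


# Constructed sample of `docker inspect IMAGE` output; only Config.Labels matters here.
SAMPLE_INSPECT = json.dumps([{"Config": {"Labels": {
    "RUN": "docker run -d --name NAME --cap-add SYS_TIME IMAGE",
    "INSTALL": "docker run --privileged --rm -ti -v /:/host -e HOST=/host "
               "-v /run:/run IMAGE /bin/install.sh",
}}}])


def label_command(inspect_json, label, image, name=None):
    """Return the argv for an image LABEL (RUN, INSTALL, UNINSTALL), or None if
    the image carries no such label. Whole-token IMAGE and NAME placeholders are
    substituted; that token convention is an assumption of this example."""
    labels = json.loads(inspect_json)[0]["Config"].get("Labels") or {}
    template = labels.get(label)
    if template is None:
        return None
    subst = {"IMAGE": image, "NAME": name or image}
    return [subst.get(tok, tok) for tok in shlex.split(template)]


def risky_flags(argv):
    """Surface the parts of a label command that weaken isolation (privileged
    mode, shared host namespaces, added capabilities, the host root mounted in),
    so an admin can review what an image's label asks for before running it."""
    weak = {"--privileged", "--net=host", "--ipc=host", "--pid=host"}
    found = [a for a in argv if a in weak or a.startswith("--cap-add")]
    for i, a in enumerate(argv[:-1]):
        if a == "-v" and argv[i + 1].startswith("/:"):
            found.append(argv[i + 1])
    return found
```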

Meta Container Images

DEMO

Questions?