[ale] Would you mind critiquing a container build HOWTO?

Leam Hall leamhall at gmail.com
Thu Jul 4 09:33:43 EDT 2024


I will share what I know, but container security is not my forte.

When running "docker exec" to connect to the Amazon Linux container, the user is root.

	sh-5.2# id
	uid=0(root) gid=0(root) groups=0(root)

If I do a "ps":

	sh-5.2# ps -ef
	UID          PID    PPID  C STIME TTY          TIME CMD
	root           1       0  0 12:46 ?        00:00:00 /usr/sbin/httpd -DFOREGROUND
	apache         8       1  0 12:46 ?        00:00:00 /usr/sbin/httpd -DFOREGROUND
	apache         9       1  0 12:46 ?        00:00:00 /usr/sbin/httpd -DFOREGROUND
	apache        14       1  0 12:46 ?        00:00:00 /usr/sbin/httpd -DFOREGROUND
	apache        46       1  0 12:46 ?        00:00:00 /usr/sbin/httpd -DFOREGROUND
	root         193       0  0 12:46 pts/0    00:00:00 /bin/sh
	root         219     193  0 13:30 pts/0    00:00:00 ps -ef

Which is a lot shorter than the 414 results of "ps -ef" on my host. However, the results of running "iostat 1 1" look the same, which suggests that the container has some visibility into the host.

Leam



On 7/4/24 08:19, dj-Pfulio via Ale wrote:
> Does that mean that Docker doesn't still by default use privilege containers?
> I didn't see that question answered.
> 
> On July 4, 2024 9:07:37 AM EDT, Jim Kinney via Ale <ale at ale.org> wrote:
>> That's why singularity started and RHEL did their version to also add in
>> selinux. Container root should not be host root.
>>
>> On Thu, Jul 4, 2024, 8:46 AM DJPfulio--- via Ale <ale at ale.org> wrote:
>>
>>> At the risk of showing my ignorance, has docker changed their default so
>>> that using privileged containers is a hassle and not the default?  That's a
>>> huge reason I've avoided Docker completely.
>>>
>>>
>>> On 7/4/24 07:18, Leam Hall via Ale wrote:
>>>> And eventually I remember that docker run has a -d switch...
>>>>
>>>> Leam
>>>>
>>>>
>>>> On 6/30/24 21:14, Mark Ulmer wrote:
>>>>> Leam, I've run into the same issues... I just could not get
>>>>> systemctl enable and start commands to work.  Here is the final
>>>>> docker file that works. I added yum update.
>>>>>
>>>>> FROM amazonlinux:latest
>>>>> RUN yum update -y
>>>>> RUN yum install -y iproute sysstat procps-ng httpd
>>>>> EXPOSE 80
>>>>> CMD ["httpd","-D","FOREGROUND"]
>>>>>
>>>>>
>>>>> I suggest also adding the docker run example to your HOWTO.
>>>>>
>>>>> docker run --name amzl_web -p 8080:80 docker.io/library/amzl_web
>>>>>
>>>>>
>>>>> Regards, Mark Ulmer
>>>>>
>>>>>
>>>>> ------ Original Message ------
>>>>> From "Leam Hall via Ale" <ale at ale.org>
>>>>> To "Atlanta Linux Enthusiasts" <ale at ale.org>
>>>>> Cc "Leam Hall" <leamhall at gmail.com>
>>>>> Date 6/29/2024 9:09:08 AM
>>>>> Subject [ale] Would you mind critiquing a container build HOWTO?
>>>>>
>>>>>> Hey container-savvy peeps, would you mind critiquing a short
>>>>>> HOWTO (below) on getting an Amazon Linux container to run
>>>>>> locally? I'm doing some AWS study and want to put together a more
>>>>>> concise document that will let folks try out AWS without having
>>>>>> to reroute through a dozen documents to resolve basic tasks.
>>>>>>
>>>>>> Thanks!
>>>>>>
>>>>>> Leam
>>>>>> --
>>>>>> Site Reliability Engineer  (reuel.net/resume)
>>>>>> Scribe: The Domici War     (domiciwar.net)
>>>>>> General Ne'er-do-well      (github.com/LeamHall)
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> My hypothesis is that running Amazon Linux in EC2 would be more
>>>>>> performant than other Linux versions because the AWS engineers
>>>>>> could tune their OS distribution to their platform.
>>>>>>
>>>>>> To test, I began by building an Amazon Linux container locally.
>>>>>> This would allow investigating the OS itself, and then knowing
>>>>>> how to configure it for use and observability. This quickly ran
>>>>>> into the issue of portability: while Amazon does have a container
>>>>>> image on the Docker Hub, it doesn't run in standalone mode and it
>>>>>> is missing basic sysadmin tools like "ps".
>>>>>>
>>>>>> So far a kludge resolves the stand-alone issue, but I'd like to
>>>>>> find a better solution. Here's the annotated Dockerfile and
>>>>>> commands used.
>>>>>>
>>>>>>
>>>>>> FROM amazonlinux:latest                                (1)
>>>>>> RUN yum install iproute sysstat procps-ng httpd -y     (2)(6)(7)(8)(9)
>>>>>> # RUN httpd -k start                                   (3)
>>>>>> # RUN systemctl start httpd                            (4)
>>>>>> ENTRYPOINT ["/usr/sbin/httpd"]                         (5)
>>>>>> CMD ["-DFOREGROUND"]
>>>>>>
>>>>>>
>>>>>> (1)  https://docs.aws.amazon.com/linux/al2023/ug/base-container.html
>>>>>> (2)  Adding some observability tools and httpd to keep the thing up.
>>>>>> (3)  This just exits out.
>>>>>> (4)  This fails with:
>>>>>>> [3/4] RUN systemctl start httpd:
>>>>>> 0.976 System has not been booted with systemd as init system (PID 1). Can't operate.
>>>>>> 0.976 Failed to connect to bus: Host is down
>>>>>> (5)  This ENTRYPOINT and CMD pair works.
>>>>>> (6)  iproute gives the "ip" command.
>>>>>> (7)  sysstat gives the sar, pidstat, vmstat, iostat, and mpstat commands.
>>>>>> (8)  procps-ng gives the "ps" command.
>>>>>> (9)  httpd is required to have a running process, otherwise the container shuts down.
>>>>>>
>>>>>>
>>>>>> Commands:
>>>>>>
>>>>>> Get the container image (https://hub.docker.com/_/amazonlinux).
>>>>>> docker pull amazonlinux
>>>>>>
>>>>>> In the directory with the Dockerfile. Note the ending ".".
>>>>>> docker build -t amzl_web .
>>>>>>
>>>>>> You must also start it with "&" to regain your terminal window.
>>>>>> docker run amzl_web &
>>>>>>
>>>>>> Connect to the container.
>>>>>> docker exec -it <container_name> /bin/bash
>>>>>>
>>>>>> _______________________________________________
>>>>>> Ale mailing list
>>>>>> Ale at ale.org
>>>>>> https://mail.ale.org/mailman/listinfo/ale
>>>>>> See JOBS, ANNOUNCE and SCHOOLS lists at
>>>>>> http://mail.ale.org/mailman/listinfo
>>>>
>>>
> 

-- 
Site Reliability Engineer  (reuel.net/resume)
Scribe: The Domici War     (domiciwar.net)
General Ne'er-do-well      (github.com/LeamHall)
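The "container root should not be host root" point raised in the thread, as an added shell check that is not from the thread or the HOWTO: run it inside the container (after `docker exec`) to see whether uid 0 is remapped by a user namespace and how many capabilities the process holds. It assumes a Linux /proc and uses the 14-capability set that Docker grants by default as the comparison baseline.

```shell
#!/bin/sh
# Added example (not from the thread): read /proc/self to tell whether
# "container root" is also host root and whether extra capabilities were granted.

# uid_map_is_identity "<uid_map line>": true when container uid 0 maps onto
# host uid 0 over the full range, i.e. no user-namespace remap. This is
# Docker's default unless the daemon runs with userns-remap.
uid_map_is_identity() {
    set -- $1
    [ "$1" = "0" ] && [ "$2" = "0" ] && [ "$3" = "4294967295" ]
}

# cap_count "<hex CapEff>": number of capabilities set in a /proc/self/status
# CapEff mask. Docker's stock set is 14 caps (0x00000000a80425fb); a
# --privileged container carries every capability the kernel knows.
cap_count() {
    n=$((0x${1:-0})); c=0
    while [ "$n" -ne 0 ]; do
        c=$((c + (n & 1)))
        n=$((n >> 1))
    done
    echo "$c"
}

# report: read the live values and print a short verdict.
report() {
    map=$(head -n 1 /proc/self/uid_map 2>/dev/null || true)
    eff=$(awk '/^CapEff:/ {print $2}' /proc/self/status 2>/dev/null || true)
    if uid_map_is_identity "$map"; then
        echo "uid_map '$map': uid 0 here is uid 0 on the host (no userns remap)"
    else
        echo "uid_map '$map': root is remapped to an unprivileged host uid"
    fi
    caps=$(cap_count "$eff")
    echo "CapEff ${eff:-unknown}: $caps capabilities"
    if [ "$caps" -gt 14 ]; then
        echo "more than Docker's default 14 caps: check for --privileged or --cap-add"
    fi
}

report
```

The matching `iostat` output is expected even without privileges: sysstat reads /proc/diskstats, which the kernel does not virtualize per container, so host-wide device counters are visible regardless of the uid mapping.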
