<html><head></head><body><div dir="auto">Does that mean that Docker doesn't still by default use privilege containers?<br>I didn't see that question answered.</div><br><br><div class="gmail_quote"><div dir="auto">On July 4, 2024 9:07:37 AM EDT, Jim Kinney via Ale <ale@ale.org> wrote:</div><blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
<div dir="auto">That's why singularity started and RHEL did their version to also add in selinux. Container root should not be host root.</div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu, Jul 4, 2024, 8:46 AM DJPfulio--- via Ale <<a href="mailto:ale@ale.org">ale@ale.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">At the risk of showing my ignorance, has docker changed their default so that using privileged containers is a hassle and not the default? That's a huge reason I've avoided Docker completely.<br>
<br>
<br>
On 7/4/24 07:18, Leam Hall via Ale wrote:<br>
> And eventually I remember that docker run has a -d switch...<br>
> <br>
> Leam<br>
> <br>
> <br>
> On 6/30/24 21:14, Mark Ulmer wrote:<br>
>> Leam, I've run into the same issues... I just could not get<br>
>> systemctl enable and start commands to work. Here is the final<br>
>> docker file that works. I added yum update.<br>
>> <br>
>> FROM amazonlinux:latest RUN yum update -y RUN yum install -y<br>
>> iproute sysstat procps-ng httpd EXPOSE 80 CMD<br>
>> ["httpd","-D","FOREGROUND"]<br>
>> <br>
>> <br>
>> I suggest also adding the docker run example to your HOWTO.<br>
>> <br>
>> docker run --name amzl_web -p 8080:80 <a href="http://docker.io/library/amzl_web" rel="noreferrer noreferrer" target="_blank">docker.io/library/amzl_web</a><br>
>> <br>
>> <br>
>> Regards, Mark Ulmer<br>
>> <br>
>> <br>
>> ------ Original Message ------<br>
>>> From "Leam Hall via Ale" <<a href="mailto:ale@ale.org" target="_blank" rel="noreferrer">ale@ale.org</a>><br>
>> To "Atlanta Linux Enthusiasts" <<a href="mailto:ale@ale.org" target="_blank" rel="noreferrer">ale@ale.org</a>> Cc "Leam Hall"<br>
>> <<a href="mailto:leamhall@gmail.com" target="_blank" rel="noreferrer">leamhall@gmail.com</a>> Date 6/29/2024 9:09:08 AM Subject [ale] Would<br>
>> you mind critiquing a container build HOWTO?<br>
>> <br>
>>> Hey container-savvy peeps, would you mind critiquing a short<br>
>>> HOWTO (below) on getting an Amazon Linux container to run<br>
>>> locally? I'm doing some AWS study and want to put together a more<br>
>>> concise document that will let folks try out AWS without having<br>
>>> to reroute through a dozen documents to resolve basic tasks.<br>
>>> <br>
>>> Thanks!<br>
>>> <br>
>>> Leam -- Site Reliability Engineer (<a href="http://reuel.net/resume" rel="noreferrer noreferrer" target="_blank">reuel.net/resume</a>) Scribe: The<br>
>>> Domici War (<a href="http://domiciwar.net" rel="noreferrer noreferrer" target="_blank">domiciwar.net</a>) General Ne'er-do-well<br>
>>> (<a href="http://github.com/LeamHall" rel="noreferrer noreferrer" target="_blank">github.com/LeamHall</a>)<br>
>>> <br>
>>> <br>
>>> <br>
>>> <br>
>>> My hypothesis is that running Amazon Linux in EC2 would be more<br>
>>> performant than other Linux versions because the AWS engineers<br>
>>> could tune their OS distribution to their platform.<br>
>>> <br>
>>> To test, I began by building an Amazon Linux container locally.<br>
>>> This would allow investigating the OS itself, and then knowing<br>
>>> how to configure it for use and observability. This quickly ran<br>
>>> into the issue of portablity, while Amazon does have a container<br>
>>> image on the Docker Hub, it doesn't run in standalone mode and it<br>
>>> is missing basic sysadmin tools like "ps".<br>
>>> <br>
>>> So far a kludge resolves the stand-alone issue, but I'd like to<br>
>>> find a better solution. Here's the annotated Dockerfile and<br>
>>> commands used.<br>
>>> <br>
>>> <br>
>>> FROM amazonlinux:latest (1) RUN yum install<br>
>>> iproute sysstat procps-ng httpd -y (2)(6)(7)(8)(9) # RUN httpd<br>
>>> -k start (3) # RUN systemctl start httpd<br>
>>> (4) ENTRYPOINT ["/usr/sbin/httpd"] (5) CMD<br>
>>> ["-DFOREGROUND"]<br>
>>> <br>
>>> <br>
>>> (1)<br>
>>> <a href="https://docs.aws.amazon.com/linux/al2023/ug/base-container.html" rel="noreferrer noreferrer" target="_blank">https://docs.aws.amazon.com/linux/al2023/ug/base-container.html</a> <br>
>>> (2) Adding some observability tools and httpd to keep the thing<br>
>>> up. (3) This just exits out. (4) This fails with:<br>
>>>> [3/4] RUN systemctl start httpd:<br>
>>> 0.976 System has not been booted with systemd as init system (PID<br>
>>> 1). Can't operate. 0.976 Failed to connect to bus: Host is down <br>
>>> (5) This ENTRYPOINT and CMD pair works. (6) iproute gives the<br>
>>> "ip" command. (7) sysstat gives the sar, pidstat, vmstat,<br>
>>> iostat, and mpstat commands. (8) procps-ng gives the "ps"<br>
>>> command. (9) httpd is required to have a running process,<br>
>>> otherwise the container shuts down.<br>
>>> <br>
>>> <br>
>>> Commands:<br>
>>> <br>
>>> Get the container image (<a href="https://hub.docker.com/_/amazonlinux" rel="noreferrer noreferrer" target="_blank">https://hub.docker.com/_/amazonlinux</a>). <br>
>>> docker pull amazonlinux<br>
>>> <br>
>>> In the directory with the Dockerfile. Note the ending ".". docker<br>
>>> build -t amzl_web .<br>
>>> <br>
>>> You must also start it with "&" to regain your terminal window. <br>
>>> docker run amzl_web &<br>
>>> <br>
>>> Connect to the container. docker exec -it <container_name><br>
>>> /bin/bash<br>
>>> <br>
>>> _______________________________________________ Ale mailing list <br>
>>> <a href="mailto:Ale@ale.org" target="_blank" rel="noreferrer">Ale@ale.org</a> <a href="https://mail.ale.org/mailman/listinfo/ale" rel="noreferrer noreferrer" target="_blank">https://mail.ale.org/mailman/listinfo/ale</a> See JOBS,<br>
>>> ANNOUNCE and SCHOOLS lists at <br>
>>> <a href="http://mail.ale.org/mailman/listinfo" rel="noreferrer noreferrer" target="_blank">http://mail.ale.org/mailman/listinfo</a><br>
> <br>
<br>
_______________________________________________<br>
Ale mailing list<br>
<a href="mailto:Ale@ale.org" target="_blank" rel="noreferrer">Ale@ale.org</a><br>
<a href="https://mail.ale.org/mailman/listinfo/ale" rel="noreferrer noreferrer" target="_blank">https://mail.ale.org/mailman/listinfo/ale</a><br>
See JOBS, ANNOUNCE and SCHOOLS lists at<br>
<a href="http://mail.ale.org/mailman/listinfo" rel="noreferrer noreferrer" target="_blank">http://mail.ale.org/mailman/listinfo</a><br>
</blockquote></div>
</blockquote></div></body></html>