0e32ed92c0fc13361e6f5c8ed09eadcbbe07b31b
compute/docker.md
| ... | ... | @@ -1,12 +1,33 @@ |
| 1 | 1 | <!-- TITLE: Docker --> |
| 2 | 2 | <!-- SUBTITLE: Docker stuff --> |
| 3 | 3 | |
| 4 | -# Processes |
|
| 4 | +# Tricks |
|
| 5 | +## ssh |
|
| 6 | +Images should run as non-root, arbitrary users but that makes anything that uses ssh (like git) a pain in the ass. ssh expects a username for the running UID, which you might not have at runtime. |
|
| 7 | +Fake it out and pretend to be root with libuidwrapper and a homedir that you can create at runtime as the running user: |
|
| 8 | +``` |
|
| 9 | +Dockerfile: |
|
| 10 | +RUN apt update && apt -y install ... libuid-wrapper |
|
| 11 | +RUN sed -i 's|:/root:|:/var/tmp/user:|' /etc/passwd |
|
| 12 | +``` |
|
| 13 | +Not using 'usermod -d' there because it doesn't work for root. |
|
| 14 | +``` |
|
| 15 | +ENTRYPOINT/CMD wrapper script: |
|
| 16 | +export HOME=/var/tmp/user |
|
| 17 | +mkdir -p "$HOME/.ssh" |
|
| 18 | +chmod 700 "$HOME" |
|
| 19 | +chmod 700 "$HOME"/.ssh |
|
| 20 | +export LD_PRELOAD=libuid_wrapper.so UID_WRAPPER=1 UID_WRAPPER_ROOT=1 |
|
| 21 | +/app/do-ssh-stuff.py |
|
| 22 | +``` |
|
| 23 | +Note that this doesn't _change_ your uid, it just makes ssh look up usernames and homedirs for root instead of the running uid. |
|
| 24 | +# Debug |
|
| 25 | +## Processes |
|
| 5 | 26 | Find docker processes from system shell |
| 6 | 27 | `# docker ps` |
| 7 | 28 | `# ps -eo pid,cgroup,cmd | grep <first 8 chars of containerID>` |
| 8 | 29 | |
| 9 | -# Network |
|
| 30 | +## Network |
|
| 10 | 31 | Look at the network config from a container's namespace |
| 11 | 32 | `# nsenter -t $(docker inspect --format '{{.State.Pid}}' <containerid>) -n ip {addr|route|...}` |
| 12 | 33 | or run bash instead of ip to get a shell in the namespace. |
| ... | ... | \ No newline at end of file |
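Review bot: the entrypoint snippet `mkdir -p "$HOME/.ssh"` / `chmod 700 "$HOME"` builds the home directory under the world-writable, sticky `/var/tmp`, and the script neither sets `set -e` nor checks who owns the result: if `/var/tmp/user` already exists (created by another UID in the container, or left over from an earlier run under a different `--user`), `mkdir -p` succeeds silently, both `chmod 700` calls fail on a directory the process does not own, and `/app/do-ssh-stuff.py` goes on to write keys and `known_hosts` into it anyway. Suggest `set -eu` at the top and an ownership check such as `[ -O "$HOME" ] || exit 1` right after the mkdir (before the `LD_PRELOAD` export, so the shell still sees its real uid), or put the home directory on a path nothing else in the image shares (a dedicated volume mount, or a `mktemp -d` directory exported as `HOME`). Two smaller points on the same block: `export LD_PRELOAD=libuid_wrapper.so UID_WRAPPER=1 UID_WRAPPER_ROOT=1` makes every descendant of `do-ssh-stuff.py` believe it is root, not just ssh and git, so unless the whole program needs it, scope it to the ssh invocation (for example via `GIT_SSH_COMMAND`); and because the wrapper only fakes `getuid()`/`geteuid()` and not `stat()`, ssh's owner check on `~/.ssh/config` compares the file's real UID against the reported 0 and rejects the file, so per-host options have to go in `-o` flags rather than a user config file. The `sed` on `/etc/passwd` and the explanation of why `usermod -d` is skipped are fine as written.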