Best security practice for docker is to set --icc=false and --iptables in the docker daemon. How can I make these settings in docker-machine on Mac OS X?
docker-machine ssh default "echo $'EXTRA_ARGS=\"--icc=false\"' | sudo tee -a /var/lib/boot2docker/profile && sudo /etc/init.d/docker restart"
Basically, ssh into the docker machine, update /var/lib/boot2docker/profile, and restart docker.
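The answer above appends to the profile every time it is run, so a second invocation leaves two EXTRA_ARGS lines. The script below is an added example, not code from the answer or from docker-machine: it appends the line only when it is absent, and it checks the running daemon's default bridge afterwards, because the edited file says nothing about whether the daemon actually came back up with the flag. The profile path and the EXTRA_ARGS convention come from the answer; com.docker.network.bridge.enable_icc is the option the default bridge network reports in docker network inspect.

```shell
#!/bin/sh
# Added example (not from the original answer): append the daemon flag to the
# boot2docker profile only once, then verify the running daemon rather than the file.
# The profile path and EXTRA_ARGS convention come from the answer above.

# append_once FILE LINE: append LINE to FILE unless an identical line already exists,
# so re-running the setup does not accumulate duplicate EXTRA_ARGS lines.
append_once() {
    file="$1"; line="$2"
    [ -f "$file" ] || : > "$file"
    if grep -qxF -- "$line" "$file"; then
        return 0
    fi
    printf '%s\n' "$line" >> "$file"
}

# count_lines FILE LINE: number of exact copies of LINE in FILE (1 means idempotent).
count_lines() {
    grep -cxF -- "$2" "$1" || true
}

# icc_setting: what the default bridge network reports for inter-container traffic.
# Prints "false" once --icc=false is in effect; needs a reachable daemon.
icc_setting() {
    docker network inspect bridge \
        --format '{{index .Options "com.docker.network.bridge.enable_icc"}}'
}

# Local dry run against a constructed profile (the real one is
# /var/lib/boot2docker/profile inside the VM and is root-owned):
demo_profile="${TMPDIR:-/tmp}/profile.demo.$$"
printf 'DOCKER_HOST="-H tcp://0.0.0.0:2376"\n' > "$demo_profile"
append_once "$demo_profile" 'EXTRA_ARGS="--icc=false"'
append_once "$demo_profile" 'EXTRA_ARGS="--icc=false"'
echo "EXTRA_ARGS lines: $(count_lines "$demo_profile" 'EXTRA_ARGS="--icc=false"')"
rm -f "$demo_profile"
```

To apply it inside the VM, copy the script over with docker-machine scp, run append_once under sudo against /var/lib/boot2docker/profile, restart the daemon as the answer does, and then expect icc_setting to print false.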
In one terminal I have a running container
docker container run --rm -it bash
In another terminal I want to run bin/bash in the same namespace as the running container above. For that to happen I followed these steps:
Grab the PID of the running container
docker inspect --format {{.State.Pid}} 32d7a757bc05
Let's say the PID is 3386. When I run
sudo nsenter --target 3386 --mount --uts --ipc --net --pid bash
I get this error
nsenter: failed to execute bash: No such file or directory
But if I change bash to sh as below it works
sudo nsenter --target 3386 --mount --uts --ipc --net --pid sh
I'm on CentOS 7, Docker version 20.10.6, and as you have noticed I'm running my container from the bash image. I cannot understand why bash is not working. Can someone please explain this?
Update
Just giving a little bit more background. I'm running my CentOS as a Vagrant VM. I used vagrant ssh to connect to both terminals.
Vagrantfile
Vagrant.configure("2") do |config|
  config.vm.box = "centos/7"
  config.vm.provider "hyperv"
end
What you described actually worked for me:
sudo docker container run --rm -it bash
In a second terminal:
sudo nsenter --target 604861 --mount --uts --ipc --net --pid bash
bash-5.1# which bash
/usr/local/bin/bash
where I found the PID the way you described, using docker inspect --format {{.State.Pid}} CONTAINERID.
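The following is an added example, not code from the question or the answer. nsenter switches namespaces and then resolves the command name through the caller's PATH; under sudo on CentOS 7 that PATH is the sudoers secure_path, which does not include /usr/local/bin, while the bash image keeps its shell at /usr/local/bin/bash (the answer's which bash shows this). Resolving an absolute path through /proc/PID/root before calling nsenter sidesteps that lookup entirely. The list of candidate directories and the AS_ROOT variable are assumptions of this script.

```shell
#!/bin/sh
# Added example, not code from the question or the answer. nsenter switches
# namespaces and then resolves the command through the caller's PATH; under sudo
# on CentOS 7 that PATH is sudoers' secure_path, which omits /usr/local/bin, while
# the bash image keeps bash at /usr/local/bin/bash (the answer's `which bash`).
# Resolving an absolute path through /proc/PID/root first avoids that lookup.
# The list of candidate directories is an assumption; extend it for other images.

AS_ROOT="${AS_ROOT-sudo}"   # set AS_ROOT="" when already root

# resolve_in_ns PID NAME: absolute path of NAME as seen from inside the target's
# mount namespace, found by probing common bin directories under /proc/PID/root.
resolve_in_ns() {
    pid="$1"; name="$2"
    for dir in /usr/local/sbin /usr/local/bin /usr/sbin /usr/bin /sbin /bin; do
        if $AS_ROOT test -x "/proc/$pid/root$dir/$name"; then
            printf '%s\n' "$dir/$name"
            return 0
        fi
    done
    return 1
}

# container_pid CONTAINER: host PID of the container's init, as in the question.
container_pid() {
    docker inspect --format '{{.State.Pid}}' "$1"
}

# enter_container CONTAINER [CMD]: join the container's namespaces and run CMD by
# absolute path; fails before nsenter if CMD does not exist in the container.
enter_container() {
    cid="$1"; cmd="${2:-sh}"
    pid="$(container_pid "$cid")" || return 1
    path="$(resolve_in_ns "$pid" "$cmd")" || {
        echo "$cmd not found in mount namespace of PID $pid" >&2
        return 1
    }
    $AS_ROOT nsenter --target "$pid" --mount --uts --ipc --net --pid "$path"
}

# Usage (not run here):  enter_container 32d7a757bc05 bash
```

Reading /proc/PID/root of a root-owned container process needs the same privilege as nsenter itself, which is why the probe is run through AS_ROOT as well; with AS_ROOT set to an empty string the helper can be exercised against the current shell's own PID.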
I am a beginner in docker. I have installed docker-ce on my Ubuntu 18.04 machine using the command sudo apt install docker-ce
As part of a tutorial, I am trying to establish a connection between containers by executing the series of commands below.
The command below will open ports 1234/4321 to listen to traffic inside/outside of the containers I'm going to use.
root@ghost-SVE9999CNS:/home/ghost# docker run --rm -ti -p 1234:1234 -p 4321:4321 --name echo-server ubuntu:18.04 bash
Now, I wanted to run netcat commands within docker bash terminal.
root@xxxyyyyzzzz12:/# nc -lp 1234 | nc -lp 4321
Once I invoke the above command from my terminal, it gives the error "nc: command not found"
bash: nc: command not found
bash: nc: command not found
Later, I have done enough research and I never found any official docker solution for this problem.
Please could anyone help me out installing netcat within docker-ce.
I've tried commands like below.
apt-get install netstat
apt-get install nc
But, no luck.
nc is not installed by default on the ubuntu:18.04 image, so you have to install it:
apt-get update && apt-get install -y netcat
apt-get update is necessary to first update the list of packages (when the container is started, this list is empty). Once done, you can run nc -lp 1234 from the container.
To test that all works as you expected, you can then:
run from a shell (on your host) something like telnet container_ip 1234 or telnet localhost 1234 (since ports have been forwarded)
type something
look at the container output to see what you typed in your host shell
It is not necessary to use ubuntu:18.04 to follow the tutorial; you can use ubuntu:14.04 for example, in which nc is installed by default.
docker run --rm -ti -p 1234:1234 -p 4321:4321 --name echo-server ubuntu:14.04 bash
I need to log in to a bash console within a docker container, which runs in a remote host.
The following commands work:
(local)$ ssh -i myKey user@remoteHost
(remote)$ docker exec -it myContainer /bin/bash
Note that I use passwordless authentication with SSH. My scenario is a bit more involved, including a script to get into a single command (which would actually also figure out the docker container ID), but this is enough to show the problem. When I try to run it in a single command, I get the following error:
(local)$ ssh -i myKey user@remoteHost "docker exec -it myContainer /bin/bash"
cannot enable tty mode on non tty input
How can I run this SSH and get past the "cannot enable tty" error?
Use the -t option (twice) with ssh:
ssh -tt -i myKey user@remoteHost docker exec -it myContainer /bin/bash
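The following is an added example, not code from the question or the answer. It wraps the answer's ssh -tt plus docker exec -it into one command and also resolves the container ID by name on the remote host, which the question mentions wanting to script. myKey, user@remoteHost and myContainer are the placeholders from the question; the tty_flag and remote_exec_cmd helpers are this example's own.

```shell
#!/bin/sh
# Added example, not from the original question or answer: the answer's
# `ssh -tt ... docker exec -it` as one command, plus the remote container-ID lookup
# the question mentions wanting to script. myKey, user@remoteHost and the
# container name are placeholders taken from the question.

# tty_flag: one -t is enough when local stdin is a terminal; two force ssh to
# allocate a pseudo-terminal even without one, which docker exec -it requires.
tty_flag() {
    if [ -t 0 ]; then echo "-t"; else echo "-tt"; fi
}

# remote_exec_cmd NAME [SHELL]: the command line that runs on the remote host.
# The $(...) is escaped so it expands remotely, and the name filter is anchored
# (and quoted against remote globbing) so "myContainer" cannot match "myContainer2".
remote_exec_cmd() {
    name="$1"; shell="${2:-/bin/bash}"
    printf '%s\n' "docker exec -it \"\$(docker ps -q -f 'name=^/?${name}\$')\" ${shell}"
}

# remote_shell KEY USER_HOST NAME [SHELL]: open the container shell in one step.
remote_shell() {
    key="$1"; userhost="$2"; name="$3"; shell="${4:-/bin/bash}"
    ssh "$(tty_flag)" -i "$key" "$userhost" "$(remote_exec_cmd "$name" "$shell")"
}

# Usage (not run here):  remote_shell myKey user@remoteHost myContainer
```

The whole remote command is passed to ssh as a single argument so the remote login shell, not the local one, performs the docker ps substitution.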
You can use the docker-machine command (from your PC); with it you are able to connect to the docker server (if the API is exposed) and manage docker like your local environment (docker ps, docker run, etc.).
documentation:
https://docs.docker.com/machine/
I'm doing server-side development and my workspace is located on D: because I'm not a fan of storing data on C:, but I just can't find a way to map d:\Workspace to /home/workspace.
I've tried creating a symlink from C:\Users\username to D:\Workspace by:
map C:\Users\username\Workspace to /home/workspace
Stop container
rename C:\Users\username\Workspace
Create symlink named Workspace to D:\Workspace
Start container
At first Docker worked fine during that session, until I restarted Boot2Docker; then, when starting the container, I'd get "C:\Users\username\Workspace file exists".
I think this is one of Docker's issues, but anyway I want to map outside C:\Users.
Share workspace between host and Boot2Docker virtual machine
$ boot2docker down
$ cd "C:\Program Files\Oracle\VirtualBox"
$ VBoxManage sharedfolder add boot2docker-vm --name mydata --hostpath "D:\Workspace"
$ boot2docker up
Mount shared folder
$ boot2docker ssh 'sudo mkdir -p /data'
$ boot2docker ssh 'sudo mount -t vboxsf -o "defaults,uid=33,gid=33,rw" mydata /data'
Create a data-only container. Docker best practices always recommend you use data-only containers. You can reuse already available data-only containers:
$ docker run --volume /data:/data --name mydata dylanlindgren/docker-laravel-data
If you want this change to be permanent, you need to add the last command inside the startup config file /var/lib/boot2docker/bootlocal.sh
sleep 10 && sudo mount -t vboxsf -o "defaults,uid=33,gid=33,rw" mydata /data
docker start mydata
Then, you will have your workspace mounted at /data
You can find more documentation about VirtualBox Guest Additions in Boot2Docker here.
Updated answer for now, as boot2docker has been deprecated.
The same is now achieved with docker-machine.
The answer is described here: https://github.com/docker/machine/issues/1814
Basically, after mounting the shared folders in the Virtual Box UI, you need to run the following commands in a command prompt:
# Note the extra / at the beginning of the path because of msys/MinGW.
docker-machine.exe ssh default 'sudo mkdir --parents //e/Documents/workspace'
docker-machine.exe ssh default 'sudo mount -t vboxsf e/Documents/workspace //e/Documents/workspace'
I'm running boot2docker 1.3 on Win7.
I want to connect a shared folder.
In the VirtualBox Manager under the image properties -> shared folders I've added the folder I want and named it "c/shared". The "auto-mount" and "make permanent" boxes are checked.
When boot2docker boots, it isn't mounted though. I have to do an additional:
sudo mount -t vboxsf c/shared /c/shared
for it to show up.
Since I need that for every time I'll ever use docker, I'd like that to just run on boot, or just already be there. So I thought if there were some startup script I could add, but I can't seem to find where that would be.
Thanks
EDIT: It's yelling at me about this being a duplicate of Boot2Docker on Mac - Accessing Local Files which is a different question. I wanted to mount a folder that wasn't one of the defaults such as /User on OSX or /c/Users on windows. And I'm specifically asking for startup scripts.
/var/lib/boot2docker/bootlocal.sh probably fits your need; it will be run by the initial script /opt/bootscripts.sh
And bootscripts.sh will also put the output into /var/log/bootlocal.log; see the segment below (boot2docker 1.3.1 version)
# Allow local HD customisation
if [ -e /var/lib/boot2docker/bootlocal.sh ]; then
    /var/lib/boot2docker/bootlocal.sh > /var/log/bootlocal.log 2>&1 &
fi
One use case for me is:
I usually put the shared directory at /c/Users/larry/shared, then I add the script
#!/bin/bash
ln -s /c/Users/larry/shared /home/docker/shared
So each time, I can access ~/shared in boot2docker the same as on the host
see FAQ.md (provided by @KCD)
If using boot2docker (Windows) you should do the following:
First create shared folder for boot2docker VM:
"C:/Program Files/Oracle/VirtualBox/VBoxManage" sharedfolder add default -name some_shared_folder -hostpath /c/some/path/on/your/windows/box
#Then make this folder automount
docker-machine ssh
vi /var/lib/boot2docker/profile
Add the following at the end of the profile file:
sudo mkdir /windows_share
sudo mount -t vboxsf some_shared_folder /windows_share
Restart docker-machine
docker-machine restart
Verify that folder content is visible in boot2docker:
docker-machine ssh
ls -al /windows_share
Now you can mount the folder either using docker run or docker-compose.
Eg:
docker run -it --rm --volume /windows_share:/windows_share ubuntu /bin/bash
ls -al /windows_share
If changes in the profile file are lost after a VM or Windows restart, please do the following:
1) Edit file C:\Program Files\Docker Toolbox\start.sh and comment out following line:
#line number 44 (or somewhere around that)
yes | "${DOCKER_MACHINE}" regenerate-certs "${VM}"
#change the line above to:
# yes | "${DOCKER_MACHINE}" regenerate-certs "${VM}"
Thanks for your help with this. A few additional flags I needed to add, in order for the new mount to be accessible by the boot2docker "docker" user:
sudo mount -t vboxsf -o umask=0022,gid=50,uid=1000 Ext-HD /Volumes/Ext-HD
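The answers above all end in the same mount line placed in bootlocal.sh, and the comment directly above adds the ownership flags. The script below is an added example, not code from any of the answers or from boot2docker: it is a bootlocal.sh body that mounts the share only if it is not already mounted (a re-run of bootlocal.sh otherwise stacks a second mount on the same point) and uses the uid/gid/umask flags from the comment above so the share is usable by the VM's docker user without being world-writable. The share name mydata and mount point /data are placeholders taken from the earlier answer; the mount table path can be overridden so the check runs without a VM.

```shell
#!/bin/sh
# Added example, not from the original answers: a /var/lib/boot2docker/bootlocal.sh
# body that mounts a VirtualBox shared folder once, with explicit ownership and a
# non-world-writable umask (the gid/uid/umask values come from the comment above;
# the share name and mount point are placeholders). The mount table is read from
# an optional file argument so the check can be exercised without a VM.

# is_mounted MOUNTPOINT [MOUNTS_FILE]: true if MOUNTPOINT appears in the mount table.
is_mounted() {
    mp="$1"; table="${2:-/proc/mounts}"
    # field 2 of /proc/mounts is the mount point; match it exactly, not as a prefix
    awk -v mp="$mp" '$2 == mp { found = 1 } END { exit found ? 0 : 1 }' "$table"
}

# mount_share NAME MOUNTPOINT [MOUNTS_FILE]: idempotently mount the vboxsf share.
mount_share() {
    name="$1"; mp="$2"; table="${3:-/proc/mounts}"
    if is_mounted "$mp" "$table"; then
        echo "$mp already mounted" >&2
        return 0
    fi
    mkdir -p "$mp" || return 1
    # uid/gid = the boot2docker "docker" user; umask=0022 keeps files from being
    # world-writable inside the VM, unlike the "defaults" option used earlier
    mount -t vboxsf -o "umask=0022,gid=50,uid=1000" "$name" "$mp"
}

# In the real bootlocal.sh the earlier answer sleeps first because the guest
# additions may not be ready at boot (not run here):
#   sleep 10 && mount_share mydata /data
```

Keep the sleep from the earlier answer if the mount races the guest additions at boot; the is_mounted check makes the script safe to run again by hand afterwards.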
With docker 1.3 you do not need to manually mount anymore. Volumes should work properly as long as the source on the host vm is in your user directory.
https://blog.docker.com/2014/10/docker-1-3-signed-images-process-injection-security-options-mac-shared-directories/
I can't make it work following Larry Cai's instructions. I figured I could make changes to "c:\Program Files\Boot2Docker for Windows\start.sh", adding the below:
eval "$(./boot2docker.exe shellinit 2>/dev/null | sed 's,\\,\\\\,g')"
your mount command
eval "$(./boot2docker ssh 'sudo mount -t vboxsf c/shared /c/shared')"
I also add the command to start my container here.
eval "$(docker start KDP)"