Docker and STAR software walkthrough
On sl7alpha.star.bnl.gov (Scientific Linux 7.1):
Get a minimal Scientific Linux 6.5 image from the docker.io Hub. (How to create one from scratch is still an open question; blindly using someone else's image is a security concern in itself, see for instance https://titanous.com/posts/docker-insecurity.)

    [wbetts@sl7alpha ~]$ docker pull ringo/scientific:6.5
    Trying to pull repository registry.access.redhat.com/ringo/scientific ... not found
    Trying to pull repository docker.io/ringo/scientific ...
    1a2eb0bba51b: Download complete
    ae0b1be0b6ae: Download complete
    Status: Downloaded newer image for docker.io/ringo/scientific:6.5
The initial size is quite small at 322.8MB:
    [wbetts@sl7alpha ~]$ docker images
    REPOSITORY                  TAG   IMAGE ID       CREATED         VIRTUAL SIZE
    docker.io/ringo/scientific  6.5   1a2eb0bba51b   12 months ago   322.8 MB

This image doesn't even have tcsh, so start it with an interactive bash shell, install tcsh as an example, and add an rhstar group and a staruser account:

    [wbetts@sl7alpha ~]$ docker run -t -i 1a2eb0bba51b /bin/bash
    bash-4.1# whoami
    root
    bash-4.1# cat /etc/redhat-release
    Scientific Linux release 6.5 (Carbon)
    bash-4.1# yum install tcsh
    Setting up Install Process
    Resolving Dependencies
    --> Running transaction check
    ---> Package tcsh.x86_64 0:6.17-24.el6 will be installed
    --> Finished Dependency Resolution
    <snip>
    Total download size: 413 k
    Installed size: 1.1 M
    Is this ok [y/N]: y
    <snip>
    Installed:
      tcsh.x86_64 0:6.17-24.el6
    Complete!
    bash-4.1# groupadd -g 31012 rhstar
    bash-4.1# useradd -c "generic STAR user" -g 31012 -u 1669 -s /bin/tcsh staruser
    bash-4.1# exit
    exit
Use "docker ps -l" to get the container ID of the just-exited container (8e01ebdbe6c2) and commit the change:

    [wbetts@sl7alpha ~]$ docker commit -a "W. Betts <wbetts@bnl.gov>" -m "installed tcsh and added staruser:rhstar" 8e01ebdbe6c2
    71d8cd46c1b1a8e4b9fa9598c83022475c3bf96457e3b3124a1cf9aed7ed9846
    [wbetts@sl7alpha ~]$ docker run -t -i 71d8cd46c1b1a8e4b9fa9598c83022475c3bf96457e3b3124a1cf9aed7ed9846 /bin/tcsh
Extraneous notes:
0) The docker-registry v2 API is a bit better (and actually usable) compared to the v1 API used by the epel-released docker-registry 0.9.0-1 for el6. While it is easy to get a recent docker-registry running following the simple steps at https://docs.docker.com/registry/deploying/ (which I did on sl7alpha), I don't know how to make it permanent or start it at boot along with Docker, since unlike the epel RPM there is no service (or systemd) init for it.
1) The staruser account and the rhstar group were created on sl7alpha with the same UID and GID that the installstar policy and script use. The wbetts and staruser accounts are added to the rhstar group, and the group ownership of /var/run/docker.sock is changed to rhstar. This must be redone on every docker service start, which could be a big problem for remote use; at some point docker releases eliminated the docker group as part of the installation. See for instance:
https://lists.projectatomic.io/projectatomic-archives/atomic-devel/2015-January/msg00034.html
https://bugzilla.redhat.com/show_bug.cgi?id=1195525
https://docs.docker.com/articles/security/#docker-daemon-attack-surface
2) With SELinux enforcing, I was unable to add the staruser user and rhstar group within the container/image. SELinux has been changed to "permissive".
3) To allow X11 apps, the following works. (It could possibly be reduced. Also, it would be better if the host system did not need the staruser account; details to be looked into.)
[staruser@sl7alpha ~]$ docker run --net host -u staruser:rhstar -t -i -e DISPLAY=$DISPLAY -v /tmp/.X11-unix:/tmp/.X11-unix -v /home/staruser/.Xauthority:/home/staruser/.Xauthority 60b8846ddaca /bin/tcsh
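Since anyone who can write to /var/run/docker.sock can ask the daemon for root on the host (the attack-surface page linked under point 1 above), it is worth being able to check the socket's ownership and mode, see who is in the group, and make the chgrp survive service restarts instead of redoing it by hand. The script below is an added example, not part of the original post; it assumes a Linux host with GNU stat, getent, and a systemd-managed docker.service as on sl7alpha, takes the rhstar group and socket path from the post, and the drop-in file name 10-socket-group.conf is made up here.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes a Linux host with GNU stat,
# getent, and a systemd-managed docker.service (as on sl7alpha); group name rhstar
# and socket path are taken from the post, the drop-in file name is made up here.
SOCK="${SOCK:-/var/run/docker.sock}"
DOCKER_GROUP="${DOCKER_GROUP:-rhstar}"

# Return 0 if $1 is group-owned by $2 and has no "other" permission bits;
# anything else means accounts outside the group can talk to dockerd (root-equivalent).
sock_is_restricted() {
    path="$1"; group="$2"
    [ -e "$path" ] || return 1
    g=$(stat -c '%G' "$path") || return 1
    m=$(stat -c '%a' "$path") || return 1
    [ "$g" = "$group" ] || return 1
    case "$m" in *0) return 0 ;; *) return 1 ;; esac
}

# List every account that reaches the daemon through the socket group: explicit
# members plus users whose primary group it is. Each of these is effectively root.
sock_group_members() {
    group="$1"
    gid=$(getent group "$group" | cut -d: -f3)
    [ -n "$gid" ] || return 1
    { getent group "$group" | cut -d: -f4 | tr ',' '\n'
      getent passwd | awk -F: -v gid="$gid" '$4 == gid { print $1 }'
    } | sed '/^$/d' | sort -u
}

# Write a systemd drop-in so the chgrp/chmod is redone on every docker.service start
# (the post notes it is lost on each restart). $1 is the drop-in directory, normally
# /etc/systemd/system/docker.service.d; then "systemctl daemon-reload && systemctl restart docker".
write_socket_dropin() {
    dir="$1"
    mkdir -p "$dir" || return 1
    cat > "$dir/10-socket-group.conf" <<EOF
[Service]
ExecStartPost=/usr/bin/chgrp $DOCKER_GROUP $SOCK
ExecStartPost=/usr/bin/chmod 0660 $SOCK
EOF
}

# Usage: sh this.sh audit  -> report the socket state and who has access through the group
if [ "${1:-}" = "audit" ]; then
    sock_is_restricted "$SOCK" "$DOCKER_GROUP" || echo "WARNING: $SOCK is not restricted to group $DOCKER_GROUP"
    echo "accounts with daemon (root-equivalent) access:"; sock_group_members "$DOCKER_GROUP"
fi
```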
- wbetts's blog