p8952 / bocker Goto Github PK

Ideally uuidgen should be used, but in the current implementation this will not work due to interface names being generated based on uuid's.

@p8952 @frohoff @tst2005
At the moment I have no host to test it...

Is it possible to manipulate the host from inside of a bocker container or is there isolation (by cgroup?! haven't used it before...)

Simple unshare with chroot and proc mounted isn't isolated.

cgcreate -g "$cgroups:/$uuid"
	: "${BOCKER_CPU_SHARE:=512}" && cgset -r cpu.shares="$BOCKER_CPU_SHARE" "$uuid"
	: "${BOCKER_MEM_LIMIT:=512}" && cgset -r memory.limit_in_bytes="$((BOCKER_MEM_LIMIT * 1000000))" "$uuid"
	cgexec -g "$cgroups:$uuid" \
		ip netns exec netns_"$uuid" \
		unshare -fmuip --mount-proc \
		chroot "$btrfs_path/$uuid" \
		/bin/sh -c "/bin/mount -t proc proc /proc && $cmd" \
		2>&1 | tee "$btrfs_path/$uuid/$uuid.log" || true
	ip link del dev veth0_"$uuid"
	ip netns del netns_"$uuid"

If not that executed inside of a Container will reboot the host.

echo 1 > /proc/sys/kernel/sysrq
echo b > /proc/sysrq-trigger

Bocker exec fails always, it just outputs a long list of increasing integers. Am I doing something wrong, or is this a bug? I can't find any documentation about exec. All the other commands are working.

.

@p8952

Hi,

A question, why did you choose this MAC address prefix specifically: "02:42:ac:11:00"?

Could it harm if I want to change it?

bocker pull does not support public registry, can't pull from there anymore.

The api has switched to v2, and the v1 does not seem to work anymore...

Note in bocker_pull there is a call to manipulate $IFS and then an attempt to revert it by using unset IFS however the default $IFS is actually $' \n\t'. Unsetting $IFS like that I believe will globally affect white space splitting.

~ $ [[ $IFS == $' \t\n' ]] && echo true
true
~ $ read a b <<< "1 2"; echo $a
1
~ $ IFS='' read a b <<< "1 2"; echo $a
1 2

I would love to understand what each of the commands do, and how they all fit together to arrive at a cohesive solution.

It would be great if there was a blog post (or series of blog posts) with discussion and diagrams of the concepts behind making this work.

I was just exploring data mounts and some thing like this

unshare -m -- /bin/sh -c "mount -o bind,noexec,nosuid,nodev /var/bocker/shared '$btrfs_path/$uuid'/var/www/data"

seems to work well enough for basic host to container mounts.

Apart from iptables, socat is also a excellent option for port forwarding with a simple one liner;

socat TCP-LISTEN:80,fork TCP:10.0.0.2:80

See #15

This would prevent you from running two webservers on port 80, for instance. If doing dhcp isn't possible, the next best thing would be to maintain a list of currently used IPs.

It looks like bocker run bash works, but there is no way I can get a prompt. Even 'export PS1="$ "' doesn't work. It is not that big of a problem, but I'm afraid this will just be the tip of the iceberg.