Comments (6)
I'm going from the basic assumption that intent of whalebrew is that any "command you install from an image" will otherwise work as if it was installed natively.
From a security standpoint, my thought is that the best thing to do would be to create a /syncdir
on each image, and then sync any paths in the exact same tree they resolve to on the host, only nested underneath /syncdir
.
This means that whalebrew will need to evaluate any valid path expression, and map a container volume in the following container container:/syncdir/resolved/path
to the according host volume: host:/resolved/path
.
from whalebrew.
will need to evaluate any valid path expression
Exception would be if the path expression is passed explicitly as a string. ( some/path/dir
would be given a host:container mount, but 'some/path/dir'
would not).
from whalebrew.
@LongLiveCHIEF Sounds good! And presumably Whalebrew would then modify the argument, passing it fully resolved and prepended with /syncdir
?
Some additional thoughts:
- I wonder if this is going to cause issues with commands which expect paths to be correct. e.g. tarballs with absolute filenames will be messed up
- Log messages to the user are going to have confusing paths in them
- I wonder if we can replace
/workdir
with this, too. Would be neat to just have a directory which is/hostfs
or something, with specific files from the host mounted in their correct place.
from whalebrew.
I wonder if this is going to cause issues with commands which expect paths to be correct. e.g. tarballs with absolute filenames will be messed up
Can you give an example?
Log messages to the user are going to have confusing paths in them
Didn't consider that, but I wonder if we could use a stream transformer to strip any /syncdir
references from stdout/stderr? I'm still getting familiar with the codebase, so this could be a completely valid, or completely absurd suggestion.
I wonder if we can replace /workdir with this, too. Would be neat to just have a directory which is /hostfs or something, with specific files from the host mounted in their correct place.
My gut says yes, but I think setting the workdir from the run command is going to be important, so we'd have to make sure to modify the -w
param to prepend /hostfs
or whatever we wind up calling it.
from whalebrew.
We'd also need to think through whether or not we could execute images that need access to host devices, and how any solution we create here might interfere with host device path mappings into the container.
Packer is a great example of this. For example, when I use the packer docker image to create a virtualbox iso, I need to mount -v /dev/vbox:/dev/vbox
.
My guess is though, that we'd handle this using io.homebrew.volumes
. (so I guess that would answer the question "should we keep the io.homebrew.volumes
label support?)
from whalebrew.
Whalebrew could match arguments which look a bit like a path, then additionally mount those inside the container
I like the idea about reading the arguments, not about doing magic detection
Could an additional label "volumes-from-args"� do the job?
from whalebrew.
Related Issues (20)
- Add ARM/ARM64 support HOT 14
- whalebrew search panics when called without arguments HOT 3
- Labels not working as expected HOT 3
- Immediate failure for `whalebrew search` on macOS Mojave with whalebrew 0.2.5 HOT 3
- Validate `io.whalebrew.*` labels HOT 1
- Make it work as non-admin HOT 3
- Ensure plain support of OCI images
- Add search support for Harbour docker registry
- Add search support for AWS docker registry
- Add search support for GCP docker registry
- whalebrew search does not list packages HOT 2
- Option to run a package without `-it` HOT 3
- terraform outdated HOT 5
- [Ideas] Apple Silicon (ARM64) Docker bitfmt support in Whalebrew HOT 5
- Broken uninstall (on brew version) HOT 3
- Warning for most packages on m1 macs HOT 1
- Improve Install Path handling HOT 3
- Was 0.4.0 re-tagged? HOT 4
- Is the docker daemon running? (Oh yes it is!) HOT 11
- podman support HOT 12
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from whalebrew.