Docker to encapsulate a process
-
So here's the thing. A container holds a single process, and runs it in a sandbox that's sure to be the same environment every time, with all the dependencies. Usually these are long-running processes like web servers. But.... is there any reason I can't use them like executables, to run a process once and exit? For example, if I have a node.js program and I want anyone to be able to run it without installing Node and a billion dependencies, can I do the install once, package it in a container that has the version of Node I want, and put that in a repo for people to download and run on demand?
-
@Yamikuronue I see no reason why not. After all, a container is just a way to deploy a thing, is it not?
-
that sounds like exactly what docker is made for.
in fact the only down side i can think of is that by design any user with permission to run the docker command must be treated as if they were root as it is trivial to use docker to root escalate on the host machine. I have no idea why the docker team believes that is desirable, nor how they apparently do not consider it a security risk (their docs simply call out that anyone who can run docker is effectively root)
-
@accalia Yeah, my teammates were talking about that the other day. It's maybe a problem, but we're not sure how big of one.
-
docker run --rm is your friend.
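The packaging the OP describes, combined with the --rm suggestion above, as an added example that is not code from anyone in the thread: a wrapper script that writes a Dockerfile for a Node.js command-line tool, builds the image once, and then runs it like an executable so nothing is left behind after each run. The image name example/node-tool, the directory ./app and the entry point /app/cli.js are assumptions.

```shell
#!/bin/sh
# run-once.sh: package a Node.js CLI program as a one-shot container.
# Added example, not from the thread. Assumptions: the program lives in
# ./app with a package.json beside cli.js; "example/node-tool" is a
# placeholder image name.
set -eu

IMAGE="${IMAGE:-example/node-tool}"   # placeholder image name
APP_DIR="${APP_DIR:-./app}"

# Dockerfile contents: dependencies are installed once at build time,
# the tool runs as the unprivileged "node" user that the base image
# provides, and anything passed to `docker run` after the image name is
# appended to the ENTRYPOINT as program arguments.
dockerfile_contents() {
    cat <<'EOF'
FROM node:20-alpine
WORKDIR /app
COPY package*.json ./
RUN npm ci --omit=dev
COPY . .
USER node
ENTRYPOINT ["node", "/app/cli.js"]
EOF
}

# The command line that makes the container behave like an executable:
# --rm deletes the container when the process exits, so repeated runs
# leave no stopped containers behind; --network none is used because a
# tool that only reads its arguments and files has no need for network.
# (For display; arguments are not shell-quoted here.)
one_shot_cmd() {
    image="$1"; shift
    printf 'docker run --rm --network none %s' "$image"
    for arg in "$@"; do
        printf ' %s' "$arg"
    done
    printf '\n'
}

build_image() {
    dockerfile_contents > "$APP_DIR/Dockerfile"
    docker build -t "$IMAGE" "$APP_DIR"
}

# Usage: ./run-once.sh --input file.txt
# Builds the image on first use, then runs the tool and exits.
main() {
    docker image inspect "$IMAGE" >/dev/null 2>&1 || build_image
    echo "+ $(one_shot_cmd "$IMAGE" "$@")"
    exec docker run --rm --network none "$IMAGE" "$@"
}

# Only run main when executed as run-once.sh, so the functions can be
# sourced by other scripts without starting a container.
[ "${0##*/}" = "run-once.sh" ] && main "$@"
```

Users who want to run the tool need only Docker and the image from the registry; Node and its dependency tree stay inside the image. Because the image is built once and the container is discarded after every run, each invocation starts from the same state.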
-
This amuses me
-
@accalia I'm being told the docs updated last night at like 9pm and now they don't recommend running as root anymore. They have a huge section about AppArmor and SecComp for locking down what the daemon can do if it gets compromised: https://docs.docker.com/engine/security/apparmor/
-
@Yamikuronue said in Docker to encapsulate a process:
@accalia I'm being told the docs updated last night at like 9pm and now they don't recommend running as root anymore. They have a huge section about AppArmor and SecComp for locking down what the daemon can do if it gets compromised: https://docs.docker.com/engine/security/apparmor/
oh hey. someone finally found a clue-by-four that was large enough to get the idea that giving easy escalation to root to the processes in containers might be a bad idea into their tiny heads.
that's only been an issue since i don't know..... the first alpha release of docker?
-
@Yamikuronue said in Docker to encapsulate a process:
@accalia I'm being told the docs updated last night at like 9pm and now they don't recommend running as root anymore. They have a huge section about AppArmor and SecComp for locking down what the daemon can do if it gets compromised: https://docs.docker.com/engine/security/apparmor/
If that's what I think it is, it only affects containers and not the users that create them. You can still disable all the security stuff on the docker run command.
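Both points made so far, that docker-group membership is root-equivalent and that the confinement can be switched off on the docker run line, have a defender-side counterpart. The following is an added example, not code from the thread or from Docker's own tooling: it prints a hardened one-shot invocation that a wrapper or CI job can enforce, rejects arguments that disable the default confinement, and lists the accounts that can reach the daemon through the docker group. The group line and the user names alice and build-bot are constructed sample data.

```shell
#!/bin/sh
# Added example, not from the thread. Helpers for keeping `docker run`
# confined and for auditing who is root-equivalent via the docker group.
set -eu

# Hardened one-shot invocation: drop every capability, block privilege
# gain through setuid binaries, keep the root filesystem read-only, cap
# processes and memory, and run as an unprivileged uid. Docker's default
# seccomp and AppArmor profiles stay in effect because nothing here
# passes --privileged or --security-opt ...=unconfined.
hardened_run_cmd() {
    image="$1"; shift
    printf 'docker run --rm --cap-drop=ALL --security-opt=no-new-privileges'
    printf ' --read-only --tmpfs /tmp --pids-limit 256 --memory 256m'
    printf ' --user 65534:65534 --network none %s' "$image"
    for arg in "$@"; do printf ' %s' "$arg"; done
    printf '\n'
}

# Reject `docker run` arguments that turn the confinement off.
# Returns 1 (and names the flag) if one is present, 0 otherwise.
check_run_args() {
    for arg in "$@"; do
        case "$arg" in
            --privileged|--security-opt=*unconfined|apparmor=unconfined|seccomp=unconfined|--cap-add=ALL|--cap-add=SYS_ADMIN|--pid=host|--net=host|--network=host)
                printf 'disallowed flag: %s\n' "$arg"
                return 1 ;;
        esac
    done
    return 0
}

# Given a group(5)-style line such as "docker:x:998:alice,build-bot",
# print one member per line. Every account listed can start containers
# and therefore has to be treated as root on this host.
docker_group_members() {
    line="$1"
    members="${line##*:}"
    [ -n "$members" ] || return 0
    printf '%s\n' "$members" | tr ',' '\n'
}

# Live audit on a host: read the real docker group and report members.
audit_docker_group() {
    line="$(getent group docker 2>/dev/null || true)"
    [ -n "$line" ] || { echo "no docker group on this host"; return 0; }
    echo "root-equivalent accounts via docker group:"
    docker_group_members "$line"
}

# Usage (uncomment on a real host):
#   audit_docker_group
#   check_run_args --rm example/node-tool --help && hardened_run_cmd example/node-tool --help
```

The audit is the part worth scheduling: because the daemon runs as root and group membership is all that gates access to it, the docker group deserves the same review as sudoers. The flag check is a policy for wrappers and pipelines, not a kernel-level control; a user who can call docker directly can still pass --privileged, which is exactly the point made above.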
-
We're actually planning to use Docker to spin up instances of a slow legacy app as a service, so we can replicate instances and wind them down quickly afterward. We got it mostly working before we got pulled to other work. And this was all on Windows!
It seems to work well for that sort of thing.
-
@Magus just FYI, Docker on Windows means you can't run any VMs on that system.
-
@ben_lubar Yes, well, our goal is to run it on some mysterious Azure plane, so that isn't really a concern.
-
-
@RaceProUK I meant the other definition, but I admit, that thing is pretty cloud-related.
-
@accalia said in Docker to encapsulate a process:
that sounds like exactly what docker is made for.
in fact the only down side i can think of is that by design any user with permission to run the docker command must be treated as if they were root as it is trivial to use docker to root escalate on the host machine. I have no idea why the docker team believes that is desirable, nor how they apparently do not consider it a security risk (their docs simply call out that anyone who can run docker is effectively root)
That may be on the kernel folks - they believe creating the relevant new namespaces is a privileged operation. See http://man7.org/linux/man-pages/man2/clone.2.html .
-
@Yamikuronue It isn't.
-
But seriously, do this instead of docker http://stackoverflow.com/a/22228406
-
@lucas1 ...but then you'd have Node on you.
-
@masonwheeler if it does the job I don't care what the tech is.
-
@masonwheeler said in Docker to encapsulate a process:
@lucas1 ...but then you'd have Node on you.
From the OP
@Yamikuronue said in Docker to encapsulate a process:
For example, if I have a node.js program and I want anyone to be able to run it without installing Node and a billion dependencies
She's already stuck in that shit using Node