{{tag>Brouillon Docker RedHat Debian Conteneur LVM}}
= Docker notes
See:
* ''namespace.unpriv_enable=1''
* [[Scan de vulnérabilité pour les images de conteneurs]]
See also OpenContainers:
* https://www.opencontainers.org/
* https://github.com/opencontainers/runtime-tools
To read:
* https://docs.docker.com/get-started/
* https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux_atomic_host/7/html-single/getting_started_with_containers
* http://nkhare.github.io/data_and_network_containers/storage_backends/
* https://docs.oracle.com/cd/E52668_01/E75728/html/docker_admin_config.html
Django: setting up HTTPS via Nginx
* https://nextcloud.inrae.fr/s/gtSrdE98Knp7HGf?openfile=true
Deploying Django to production with Docker
* https://nextcloud.inrae.fr/s/rdMSmet4miWkz8Q?openfile=true
Docker and security:
* https://resinfo.org/IMG/pdf/secu-docker.pdf
Other:
* https://docs.oracle.com/en/operating-systems/oracle-linux/9/relnotes9.4/ol9-features-Containers.html
== Finding and enabling the right repositories
https://access.redhat.com/downloads/content/package-browser
^ App ^ RedHat repository ^
| OS | rhel-7-server-rpms |
| Docker | rhel-7-server-extras-rpms |
| PHP-FPM | rhel-7-server-optional-rpms |
== Install
=== Prerequisites
Check the prerequisites:
# https://github.com/moby/moby/blob/master/contrib/check-config.sh
https://github.com/opencontainers/runc/blob/main/script/check-config.sh
=== Debian
''/etc/default/grub''
GRUB_CMDLINE_LINUX="cgroup_enable=memory swapaccount=1"
update-grub
=== RedHat
#grubby --args="user_namespace.enable=1" --update-kernel=/boot/vmlinuz-$(uname -r)
#grubby --args="user_namespace.enable=1" --update-kernel=$(grubby --default-kernel)
grubby --args="user_namespace.enable=1" --update-kernel=ALL
Install the packages
yum install docker-latest #docker #docker-distribution
=== Docker proxy configuration with systemd
See https://docs.docker.com/engine/admin/systemd/#httphttps-proxy
mkdir /etc/systemd/system/docker-latest.service.d
''/etc/systemd/system/docker-latest.service.d/http-proxy.conf''
<code ini>
[Service]
# Environment = "HTTP_PROXY=http://192.168.56.1:3128/" "HTTPS_PROXY=http://192.168.56.1:3128/"
Environment = "http_proxy=http://192.168.56.1:3128/" "https_proxy=http://192.168.56.1:3128/"
</code>
#systemctl restart docker
#systemctl enable docker
systemctl daemon-reload
systemctl restart docker-latest
systemctl enable docker-latest
Check
systemctl show --property=Environment docker-latest
== Security
See:
* https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation/index.html
* https://benchmarks.cisecurity.org/tools2/docker/CIS_Docker_1.6_Benchmark_v1.0.0.pdf
* https://docs.oracle.com/en/operating-systems/oracle-linux/podman/podman-SecurityRecommendations.html
* https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html
* https://github.com/OWASP/Docker-Security
* https://wiki.owasp.org/images/d/df/Dirk_Wetter_-_Docker_Top10-AMS.pdf
* https://connect.ed-diamond.com/MISC/misc-113/attaques-en-environnement-docker-compromission-et-evasion
=== Rights for non-root users
**Warning: major security hole!**
docker run -ti --privileged -v /:/host debian chroot /host
docker run -ti --userns=host --privileged -v /:/host debian chroot /host
#List images to use one
docker images
#Run the image mounting the host disk and chroot on it
docker run -it -v /:/host/ ubuntu:18.04 chroot /host/ bash
# Get full access to the host via ns pid and nsenter cli
docker run -it --rm --pid=host --privileged ubuntu bash
nsenter --target 1 --mount --uts --ipc --net --pid -- bash
# Get full privs in container without --privileged
docker run -it -v /:/host/ --cap-add=ALL --security-opt apparmor=unconfined --security-opt seccomp=unconfined --security-opt label:disable --pid=host --userns=host --uts=host --cgroupns=host ubuntu chroot /host/ bash
See:
* ''--security-opt apparmor=unconfined''
* ''--security-opt seccomp=unconfined''
* ''--security-opt label:disable''
See: http://www.projectatomic.io/blog/2015/08/why-we-dont-let-non-root-users-run-docker-in-centos-fedora-or-rhel/
ls -l /var/run/docker.sock
groupadd docker
usermod -aG docker process
#chgrp docker /var/run/docker.sock
#systemctl restart docker
systemctl restart docker-latest
See (alternatives):
* Podman
* kata-containers
=== Mount rights
docker run -v /mnt:/mnt:ro
doesn't really make /mnt inside the container read-only
Submounts like /mnt/usbdisk are writable
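A defender-side check for the settings in the two sections above (the escape one-liners and the ''-v ...:ro'' caveat), added here as an example and not part of these notes: it reads the JSON that ''docker inspect'' prints and reports every setting that removes isolation. The script and function names are my own; the sample input is constructed.

```python
"""Flag containers whose 'docker inspect' output shows the escape-capable
settings listed above. Added example, not from the original notes; run as
    docker inspect $(docker ps -q) | python3 audit_containers.py
SAMPLE is constructed and trimmed to the fields the checks read."""
import json
import sys

def audit_container(info):
    """Return the findings for one 'docker inspect' entry (empty list = clean)."""
    hc = info.get("HostConfig") or {}
    name = info.get("Name", "?").lstrip("/")
    found = []
    if hc.get("Privileged"):
        found.append("--privileged: all capabilities and all host devices")
    if hc.get("PidMode") == "host":
        found.append("--pid=host: host PID namespace shared (nsenter into PID 1 possible)")
    if hc.get("UsernsMode") == "host":
        found.append("--userns=host: userns-remap bypassed, container root is host root")
    if "ALL" in (hc.get("CapAdd") or []):
        found.append("--cap-add=ALL: privileged in all but name")
    for opt in hc.get("SecurityOpt") or []:
        if "unconfined" in opt or "disable" in opt:
            found.append(f"--security-opt {opt}: seccomp/AppArmor/SELinux confinement removed")
    for m in info.get("Mounts") or []:
        if m.get("Type") != "bind":
            continue
        src, dst = m.get("Source", ""), m.get("Destination", "")
        if src in ("/", "/var/run/docker.sock", "/run/docker.sock"):
            found.append(f"bind {src} -> {dst}: host filesystem or daemon socket exposed")
        elif not m.get("RW", True):
            # ':ro' covers this mount only; submounts under src stay writable.
            found.append(f"bind {src} -> {dst} is :ro, but submounts under {src} remain writable")
    return [f"{name}: {f}" for f in found]

def audit_all(inspect_json):
    """Run audit_container over every entry of a 'docker inspect' JSON array."""
    return [f for c in json.loads(inspect_json) for f in audit_container(c)]

# Constructed sample: the first escape one-liner of this section, plus a
# container that only relaxed seccomp and mounted /mnt read-only.
SAMPLE = json.dumps([
    {"Name": "/escape",
     "HostConfig": {"Privileged": True, "PidMode": "host", "UsernsMode": "host",
                    "CapAdd": None, "SecurityOpt": None},
     "Mounts": [{"Type": "bind", "Source": "/", "Destination": "/host", "RW": True}]},
    {"Name": "/web",
     "HostConfig": {"Privileged": False, "PidMode": "", "UsernsMode": "",
                    "CapAdd": None, "SecurityOpt": ["seccomp=unconfined"]},
     "Mounts": [{"Type": "bind", "Source": "/mnt", "Destination": "/mnt", "RW": False}]},
])

if __name__ == "__main__":
    data = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    print("\n".join(audit_all(data)) or "no findings")
```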
==== Other - seccomp
https://docs.docker.com/engine/security/apparmor/
docker run --rm -it --security-opt seccomp=unconfined debian:jessie unshare --map-root-user --user sh -c whoami
== Namespaces
**The file ''/etc/sysconfig/docker'' is not used with systemd**
''/etc/sysconfig/docker''
#OPTIONS='--selinux-enabled --log-driver=journald --signature-verification=false'
Instead (**warning: to be verified, file created on a Debian**):
To enable the user namespace
''"userns-remap": "default"''
sysctl -w kernel.unprivileged_userns_clone=1
''/etc/docker/daemon.json''
<code json>
{
  "userns-remap": "default",
  "log-driver": "journald",
  "storage-driver": "devicemapper",
  "graph": "/var/lib/docker",
  "storage-opts": [
    "dm.thinpooldev=/dev/mapper/vgos-docker0",
    "dm.metadatadev=/dev/mapper/vgos-docker0meta",
    "dm.use_deferred_removal=true",
    "dm.use_deferred_deletion=true"
  ]
}
</code>
See:
man dockerd
docker daemon --help
systemctl daemon-reload
== Storage
Info:
docker info | grep "Data Space"
device-mapper-driver
lvcreate -y -l 1%FREE -n docker0meta vgos
lvcreate -y -l 95%FREE -n docker0 vgos
lvconvert -y \
--zero n \
-c 512K \
--thinpool vgos/docker0 \
--poolmetadata vgos/docker0meta
mkdir /etc/lvm/profile/
''/etc/lvm/profile/docker-thinpool.profile''
<code>
activation {
  thin_pool_autoextend_threshold=80
  thin_pool_autoextend_percent=20
}
</code>
lvchange --metadataprofile docker-thinpool vgos/docker0
lvs -o+seg_monitor
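Added example (not from the original notes) that turns the ''lvs'' check above into a monitor: it parses ''lvs'' output, reports pools at or over the profile's 80 % autoextend threshold, and reports pools that dmeventd is not monitoring (without monitoring the autoextend profile never fires). The ''lvs'' column list is my choice and the sample output is constructed.

```python
"""Alert on devicemapper thin pools approaching the autoextend threshold.

Added example, not from the original notes. Input is the output of
  lvs --noheadings --separator , -o lv_name,vg_name,lv_attr,data_percent,metadata_percent,seg_monitor
(SAMPLE below is constructed). A full pool or metadata LV turns every
container write into an I/O error, so this is worth monitoring, not just
checking once at setup time."""
import sys

THRESHOLD = 80  # thin_pool_autoextend_threshold from the profile above

def parse_lvs(text):
    """Return one dict per thin pool; lv_attr starting with 't' marks a pool."""
    pools = []
    for line in text.splitlines():
        fields = [f.strip() for f in line.split(",")]
        if len(fields) != 6 or not fields[2].startswith("t"):
            continue  # blank line, or a plain/thin LV rather than the pool itself
        name, vg, _attr, data, meta, monitor = fields
        pools.append({"pool": f"{vg}/{name}", "data": float(data), "meta": float(meta),
                      "monitored": monitor == "monitored"})
    return pools

def check_pools(text, threshold=THRESHOLD):
    """Return alert strings; an empty list means every pool is healthy."""
    alerts = []
    for p in parse_lvs(text):
        if not p["monitored"]:
            # Autoextend is performed by dmeventd; with monitoring off the profile is inert.
            alerts.append(f"{p['pool']}: not monitored by dmeventd, autoextend will never fire")
        for kind in ("data", "meta"):
            if p[kind] >= threshold:
                alerts.append(f"{p['pool']}: {kind} {p[kind]:.1f}% >= {threshold}%")
    return alerts

# Constructed lvs output: the pool created above (data over the threshold)
# plus a second pool whose metadata is almost full and that is not monitored.
SAMPLE = """\
  docker0,vgos,twi-aotz--,85.40,12.03,monitored
  home,vgos,-wi-ao----,,,
  pool1,vgdata,twi-a-tz--,40.00,91.50,not monitored
"""

if __name__ == "__main__":
    data = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    alerts = check_pools(data)
    print("\n".join(alerts) or "all thin pools below threshold and monitored")
    sys.exit(1 if alerts else 0)
```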
To identify the containers using a specific volume
docker ps -a --filter volume=data-nfs3
=== RedHat notes
''/usr/lib/docker-storage-setup/docker-storage-setup''
The Docker config is ''--storage-driver=devicemapper --storage-opt dm.thinpooldev=/dev/mapper/docker-pool0''
docker-storage-setup
''/etc/sysconfig/docker-storage''
#DOCKER_STORAGE_OPTIONS="--storage-driver devicemapper --storage-opt dm.fs=xfs --storage-opt dm.thinpooldev=/dev/mapper/rhel-docker--pool --storage-opt dm.use_deferred_removal=true "
DOCKER_STORAGE_OPTIONS="--storage-driver devicemapper --storage-opt dm.fs=xfs --storage-opt dm.thinpooldev=/dev/mapper/rhel-docker0 --storage-opt dm.use_deferred_removal=true "
See also:
* /usr/lib/docker-storage-setup/docker-storage-setup
=== Debian
https://stackoverflow.com/questions/40162022/direct-lvm-stops-working-after-reboot
apt-get install thin-provisioning-tools
=== RedHat 7
''docker-latest''
at first install
''/etc/sysconfig/docker-latest-storage''
# This file may be automatically generated by an installation program.
# By default, Docker uses a loopback-mounted sparse file in
# /var/lib/docker. The loopback makes it slower, and there are some
# restrictive defaults, such as 100GB max storage.
# If your installation did not set a custom storage for Docker, you
# may do it below.
# Example: Use a custom pair of raw logical volumes (one for metadata,
# one for data).
# DOCKER_STORAGE_OPTIONS = --storage-opt dm.metadatadev=/dev/mylogvol/my-docker-metadata --storage-opt dm.datadev=/dev/mylogvol/my-docker-data
DOCKER_STORAGE_OPTIONS=
== Network
=== List Docker Container Names and IPs
<code bash>
function drips(){
  docker ps -q | xargs -n 1 docker inspect --format '{{ .NetworkSettings.IPAddress }} {{ .Name }}' | sed 's/ \// /'
}
</code>
Source: https://gist.github.com/ipedrazas/2c93f6e74737d1f8a791
=== /etc/hosts
Default gateway \\
The container's host is given by ''host.containers.internal'' (podman)
''/etc/hosts''
<code>
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
10.246.223.27 srv1.acme.local srv1
10.88.0.1 host.containers.internal
10.88.0.176 1264dc4981c1 boring_chaplygin
</code>
=== Default bridge VLAN configuration
''/etc/docker/daemon.json''
<code json>
{
  "bip": "192.168.10.1/24"
}
</code>
== Checks
docker info |grep -i warn
systemctl status docker
== Import / export Docker images
Save the Docker image (tarball):
docker save -o
Import the image on another system, for example
docker load -i
== Debug
Test
docker run --rm hello-world
#systemctl stop docker
systemctl stop docker-latest ; rm -rf /var/lib/docker ; /usr/bin/docker daemon --debug --storage-driver 'devicemapper' --storage-opt 'dm.thinpooldev=/dev/mapper/docker-pool0' --storage-opt 'dm.fs=xfs' --storage-opt 'dm.use_deferred_removal=true'
== Other
Repository (Docker Registry)
* https://sites.google.com/site/grow4wiki/documentation/docker
=== Architectures x86 amd64 arm
docker run --platform linux/amd64 --publish 8000:8080 ghcr.io/mermaid-js/mermaid-live-editor
=== Draft notes
==== Namespace
See:
* https://blog.yadutaf.fr/2016/04/14/docker-for-your-users-introducing-user-namespace/
* https://www.devoteam.com/fr/expert-view/la-migration-vers-podman-est-elle-la-solution-pour-se-passer-de-docker/
''/etc/subuid''
dockremap:100000:65536
''/etc/subgid''
dockremap:100000:65536
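Added example, not from the original notes: resolving ids across the ''dockremap:100000:65536'' mapping above in both directions, so that the owner of a file docker created under the remapped data root can be read back to a container id. It also handles a user with several ranges (they are concatenated in file order) and the unmapped case. The sample ''/etc/subuid'' content is constructed.

```python
"""Map ids through the /etc/subuid and /etc/subgid ranges used by userns-remap.

Added example, not from the original notes. With "userns-remap": "default",
dockerd creates the 'dockremap' user and the subuid/subgid lines above:
container uid 0 becomes host uid 100000, container uid 1000 becomes 101000.
SUBUID below is constructed."""

def parse_sub_ranges(text, user):
    """Return [(start, count), ...] for 'user' from /etc/subuid or /etc/subgid text."""
    ranges = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, start, count = line.split(":")
        if name == user:
            ranges.append((int(start), int(count)))
    return ranges

def to_host_id(container_id, ranges):
    """Host id for an id seen inside the container, or None if it has no mapping.

    Container ids are assigned consecutively across the ranges: the first
    range covers 0..count-1 and the next range continues from there.
    """
    offset = 0
    for start, count in ranges:
        if offset <= container_id < offset + count:
            return start + (container_id - offset)
        offset += count
    return None  # no such id exists inside the container; setuid() to it fails

def to_container_id(host_id, ranges):
    """Inverse mapping: which container id owns a file with this host uid/gid."""
    offset = 0
    for start, count in ranges:
        if start <= host_id < start + count:
            return offset + (host_id - start)
        offset += count
    return None  # unmapped: seen inside the container as the overflow id 65534

# Constructed /etc/subuid: the default dockremap range plus a second user.
SUBUID = """\
# constructed /etc/subuid
dockremap:100000:65536
jean:165536:65536
"""

if __name__ == "__main__":
    r = parse_sub_ranges(SUBUID, "dockremap")
    for cid in (0, 1000, 65535, 65536):
        print(f"container uid {cid} -> host uid {to_host_id(cid, r)}")
```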
== Perf stress test for production
https://hub.docker.com/r/monitoringartist/docker-killer/
== Problems
docker run --rm hello-world
nsenter: unable to unshare namespaces: Invalid argument
container_linux.go:247: starting container process caused "process_linux.go:245: running exec setns process for init caused \"exit status 1\""
/usr/bin/docker-current: Error response from daemon: invalid header field value "oci runtime error: container_linux.go:247: starting container process caused \"process_linux.go:245: running exec setns process for init caused \\\"exit status 1\\\"\"\n".
--------
= Docker notes (old)
Security note:
* http://w3blog.fr/2016/02/23/docker-securite-10-bonnes-pratiques/
See:
* http://blog.kaliop.com/blog/2015/05/26/docker-dans-la-vraie-vie-les-parties-delicates/
* http://merrigrove.blogspot.fr/2015/10/visualizing-docker-containers-and-images.html
* http://mmckeen.net/blog/2013/12/14/docker-all-the-things-nginx-and-supervisor/
* https://www.youtube.com/watch?v=Pe6a8Jbvi9E
* http://slopjong.de/2014/09/17/install-and-run-a-web-server-in-a-docker-container/
* http://blog.octo.com/en/docker-registry-first-steps/
* http://fr.slideshare.net/jpetazzo/docker-en-production-docker-paris
* https://goldmann.pl/blog/2014/09/11/resource-management-in-docker/
* https://chimeracoder.github.io/docker-without-docker/#17
* http://www.jamescoyle.net/how-to/1512-export-and-import-a-docker-image-between-nodes
* http://tuhrig.de/difference-between-save-and-export-in-docker/
Docker with all the services (ssh, cron, init-like)
* http://phusion.github.io/baseimage-docker/
Nginx reverse proxy for Docker
* https://www.digitalocean.com/community/questions/how-to-bind-multiple-domains-ports-80-and-443-to-docker-contained-applications
**Security problem**
docker run -ti --privileged -v /:/host fedora chroot /host
See http://www.projectatomic.io/blog/2015/08/why-we-dont-let-non-root-users-run-docker-in-centos-fedora-or-rhel/
See also
Usage of loopback devices is strongly discouraged for production use. Either use `--storage-opt dm.thinpooldev` or use `--storage-opt dm.no_warn_on_loop_devices=true` to suppress this warning.
# docker -d
INFO[0000] Listening for HTTP on unix (/var/run/docker.sock)
INFO[0000] [graphdriver] using prior storage driver "devicemapper"
WARN[0000] Your kernel does not support cgroup memory limit: mountpoint for memory not found
WARN[0000] mountpoint for cpu not found
FATA[0000] Error mounting devices cgroup: mountpoint for devices not found
=== Proxy
export ALL_PROXY="http://192.168.56.1:3128/"
=== Build an image from a Dockerfile
cd MonDossierQuiContientUnDockerfile
docker build -t mondocker .
Example commands
docker pull debian
docker images
docker images -q
docker info
docker version
docker ps -a
docker ps -q -n 1
docker ps -f name=etherpad1
docker logs --tail 0 -f
docker run -ti -p 53:53 -p 53:53/udp --name bind debian /bin/bash
docker ps
docker exec -it a6cc3efa1aa1 /bin/bash
cat context.tar | docker build -
docker run builder_image | docker build -
docker run -v /:/my_host:ro ubuntu ls /my_host
docker port
docker inspect
Getting the "CONTAINER ID"
#docker run -d
JOB1=$(docker run -d conteneur)
docker logs $JOB1
docker stop $JOB1
docker pull debian
docker run -i -t debian /bin/bash
docker rm $(docker ps -q -a)
-----
adduser jean docker
docker run -d -p 7777:8000 zerobin su -l www-data -c 'zerobin --settings-file=settings.py'
docker run -d -p 80:80 --name my_wiki mprasil/dokuwiki
Links:
* https://hub.docker.com/r/istepanov/dokuwiki/
* http://linuxfr.org/news/docker-tutoriel-pour-manipuler-les-conteneurs
* http://www.it-connect.fr/debuter-avec-docker-et-les-containers-sous-debian-8/
* http://douche.name/presentation-docker/#58
* http://sametmax.com/le-deploiement-par-conteneurs-avec-docker/
== Am I inside a container?
grep 'systemd:/system.slice/docker-' /proc/self/cgroup
== Notes on managing service processes with supervisor
mkdir /var/log/supervisor
Links:
* http://blogduyax.madyanne.fr/supervisor-gestion-de-processus.html
* https://www.digitalocean.com/community/tutorials/how-to-install-and-manage-supervisor-on-ubuntu-and-debian-vps
* https://serversforhackers.com/monitoring-processes-with-supervisord
* https://gist.github.com/didip/802561
* http://stackful-dev.com/simplify-unix-process-herding-with-supervisor.html
* http://www.onurguzel.com/supervisord-restarting-and-reloading/
* http://ryanmckern.com/2013/01/daemon-ize-your-processes-on-the-cheap-part-two-supervisor/
stdout_logfile=/var/log/supervisor/%(program_name)s.log
stderr_logfile=/var/log/supervisor/%(program_name)s.log
numprocs=4
== Monitoring notes
Dev machine: commits made into unnamed images (should be zero)
docker images | sed -e '1d' | grep '^<none>' | awk '{print $3}' | wc -l
Error logs
grep CRIT /var/lib/docker/containers/*/*.log
== Bind9 DNS notes
On the host
docker run -ti -p 53:53 -p 53:53/udp --name bind debian /bin/bash
In the container
apt-get install --no-install-recommends bind9 bind9-doc bind9-host dnsutils
apt-get install --no-install-recommends supervisor vim file netcat tmux traceroute mtr net-tools dnsutils bind9 bind9-doc bind9utils
apt-get install --no-install-recommends lsb-release wget ca-certificates
=== Problem
Memory limit ''-m 512m''
docker run -ti -m 512m --name madebian1 debian /bin/bash
Error
WARNING: Your kernel does not support memory limit capabilities. Limitation discarded.
''/etc/default/grub''
GRUB_CMDLINE_LINUX="cgroup_enable=memory swapaccount=1"
update-grub
=== Problem 2
http://stackoverflow.com/questions/31197724/shutting-down-docker-containers-via-supervisor
I have the same problem.
When the host shuts down, the containers are not properly stopped and removed by supervisord.
After a reboot I have to do it manually:
docker rm $(docker ps -a -q)
To do things properly, supervisord should take care of it.
=== Problem 3: Unable to enable SKIP DNAT rule
On RedHat
Source: https://github.com/wodby/docker4drupal/issues/211
Internal Server Error ("Failed to Setup IP tables: Unable to enable SKIP DNAT rule: (iptables failed: iptables --wait -t nat -I DOCKER -i br-38e86077394a -j RETURN: iptables: No chain/target/match by that name.\n (exit status 1))")"
Solution
sudo iptables -t filter -N DOCKER
sudo systemctl restart docker
This happens when Docker is installed while the firewall (firewalld) is running and firewalld is disabled afterwards.
=== Other
docker save -o plop.tar.gz acme/jibe
==== TTY console notes
https://github.com/docker/docker/issues/2838
Starting with docker 0.6.5, you can add -t to the docker run command, which will attach a pseudo-TTY. Then you can type Control-C to detach from the container without terminating it.
If you use -t and -i then Control-C will terminate the container. When using -i with -t then you have to use Control-P Control-Q to detach without terminating.
==== High availability / cluster notes
docker swarm
==== Image catalogue notes
CentOS7
docker pull centos:centos7
--------------------
= Docker notes
#docker save acme/plop1 -o acme-plop1.tar
docker save acme/plop1 |pigz > acme-plop1.tar.gz
A kind of **top**
docker stats
docker history IMAGES --no-trunc
docker top CONTAINER -o pid,user,%mem,rss,vsize,cmd --sort rss
docker top CONTAINER
cat > Dockerfile <
docker build -t $USER/dataexample .
docker run -it -d --name data $USER/dataexample
docker run --rm -it --volumes-from data alpine sh
touch /opt/data/foo
exit
$ docker run --rm -it --volumes-from data alpine sh
ls /opt/data
foo
Plop
docker run -it --volume /opt/data --name data2 busybox
docker inspect --format "{{ .Mounts }}" data2
docker inspect -f '{{ .Mounts }}' my-container
docker volume create --name dataa
docker run --rm -it -v dataa:/data alpine
docker volume ls
docker volume rm $(docker volume ls | awk '{print $2}' |sed '1d')
Stop all containers
docker stop $(docker ps |awk '{print $1}' |sed '1d')
Remove all containers
docker rm $(docker ps -a |awk '{print $1}' |sed '1d')
Other
docker system df
docker system prune
docker ps --all -q -f status=dead
alias docker_clean_images='docker rmi $(docker images -a --filter=dangling=true -q)'
alias docker_clean_ps='docker rm $(docker ps --filter=status=exited --filter=status=created -q)'
== CLI / API
$ docker-machine.exe env master
export DOCKER_TLS_VERIFY="1"
export DOCKER_HOST="tcp://192.168.99.103:2376"
export DOCKER_CERT_PATH="C:\Users\FORMATION\.docker\machine\machines\master"
export DOCKER_MACHINE_NAME="master"
export COMPOSE_CONVERT_WINDOWS_PATHS="true"