Super Privileged

Daniel J Walsh

Consulting Engineer

Twitter: @rhatdan



Problem Statement

On Atomic Host we don't support yum install

Make sure Atomic Host is minimal in size

How do I admin a machine without traceroute, strace, gdb, ...?

Customers want to install their favorite tool on Atomic Host

Atomic Host rule: prove your application can't run in a container

Problem Statement

I want to ship an application that will manage the host

I want to ship an application that will manage containers

Super Privileged Containers "SPC"

Really just a concept

A way to run certain types of containers

SPC will manipulate content on the host

SPC can be used to manipulate other containers

Turn off the security

Wait, did Dan Walsh just say?

Turn the Security off????

.@rhatdan Says turn the Security off? @devconf_cz

Privileged Containers

Turn off the security

docker run --privileged

This will:

  • Enable all Linux capabilities
  • Disable SELinux separation (the container process runs unconfined)
  • Disable seccomp filtering and user namespace separation
  • Disable the read-only mount of /sys and the masking of kernel files under /proc
  • Allow access to all host devices and creation of device nodes (the device cgroup no longer restricts the container)
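Run from inside a container, the following added shell example (not from the slides) reports which of the protections listed above are actually off, by reading /proc/self/status (CapEff, Seccomp), /proc/self/mounts and /proc/self/attr/current. The capability bit numbers come from linux/capability.h; the counts quoted in the comments (14 capabilities in Docker's default set, 38 with --privileged) are for a kernel of that era and are assumptions; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the slides: run inside a container to confirm what
# `docker run --privileged` removed. The checkers take file paths (normally
# /proc/self/status and /proc/self/mounts) so they can also be exercised on
# constructed samples offline.

CAP_SYS_ADMIN=21   # bit numbers from <linux/capability.h>
CAP_SYS_TIME=25

# status_field FILE NAME -> value of the "NAME:<tab>value" line in a
# /proc/<pid>/status file (empty if the kernel does not report it)
status_field() {
    awk -v k="$2:" '$1 == k { print $2; exit }' "$1"
}

# cap_in_mask HEXMASK BIT -> true if capability BIT is set in the mask
cap_in_mask() {
    mask=${1:-0}
    [ $(( (0x$mask >> $2) & 1 )) -eq 1 ]
}

# cap_count HEXMASK -> number of capabilities set (assumed: Docker's default
# set is 14; --privileged gives every capability the kernel defines, 38 on a
# kernel of that era)
cap_count() {
    i=0; n=0
    while [ "$i" -lt 64 ]; do
        cap_in_mask "$1" "$i" && n=$((n + 1))
        i=$((i + 1))
    done
    echo "$n"
}

# has_cap FILE BIT -> true if the effective set (CapEff) contains the capability
has_cap() {
    cap_in_mask "$(status_field "$1" CapEff)" "$2"
}

# seccomp_mode FILE -> disabled | strict | filter | unknown
# --privileged drops the daemon's seccomp profile, so it reports "disabled".
seccomp_mode() {
    case "$(status_field "$1" Seccomp)" in
        0) echo disabled ;;
        1) echo strict ;;
        2) echo filter ;;
        *) echo unknown ;;
    esac
}

# mount_is_ro MOUNTSFILE MOUNTPOINT -> true if that mount carries the "ro" option
# (a confined container gets /sys read-only; --privileged mounts it read-write)
mount_is_ro() {
    awk -v p="$2" '$2 == p { n = split($4, o, ","); for (i = 1; i <= n; i++) if (o[i] == "ro") found = 1 }
                   END { if (found) exit 0; exit 1 }' "$1"
}

# selinux_label -> the process label (e.g. svirt_lxc_net_t when confined,
# unconfined/spc_t when separation is off); "(none)" without SELinux
selinux_label() {
    if [ -r /proc/self/attr/current ]; then
        tr -d '\000' < /proc/self/attr/current 2>/dev/null || echo "(none)"
    else
        echo "(none)"
    fi
}

# report STATUSFILE MOUNTSFILE -> human-readable summary of the four checks
report() {
    echo "capabilities: $(cap_count "$(status_field "$1" CapEff)") in effective set"
    if has_cap "$1" "$CAP_SYS_ADMIN"; then echo "CAP_SYS_ADMIN: present (root-equivalent on the host)"; else echo "CAP_SYS_ADMIN: absent"; fi
    echo "seccomp: $(seccomp_mode "$1")"
    if mount_is_ro "$2" /sys; then echo "/sys: read-only"; else echo "/sys: read-write"; fi
    echo "SELinux label: $(selinux_label)"
}

# Report on the current process when the kernel exposes the files.
if [ -r /proc/self/status ] && [ -r /proc/self/mounts ]; then
    report /proc/self/status /proc/self/mounts
fi
```

Run it once as `docker run --rm -v $PWD/check.sh:/check.sh fedora sh /check.sh` and again with `--privileged` added, and compare the two reports. It cannot tell you whether --net, --pid or --ipc=host were used: those are namespace choices, not controls that show up in the process's own status.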

Super Privileged Containers

Turn off namespace separation

docker run --net=host (use the host's network devices)

docker run --ipc=host (share the host's IPC namespace)

docker run --pid=host (see all of the processes on the host)

docker run --dev=host (share /dev with the host: proposed, not an existing Docker option)

Super Privileged Containers

Mount the host's file systems into the container

docker run -v /run:/run

Allows a container process to talk to dbus, systemd, or even the docker daemon through their sockets under /run

docker run -v /:/host -e HOST=/host

Share the entire host file system into the container; HOST tells the tools inside where to find it


Boy, that is an awfully long command line

/usr/bin/docker run -t -i --rm --privileged -v /:/host -v /run:/run -v /etc/localtime:/etc/localtime --net=host --ipc=host --pid=host -e HOST=/host -e NAME=fedora-spc -e IMAGE=fedora fedora /bin/sh

rheltools image

strace, gdb, sosreport, ...

fedoratools image: soon

centostools image: soon

Introducing the 'atomic' command

Allows you to run containers in SPC mode

atomic run --spc rheltools /bin/sh

/usr/bin/docker run -t -i --rm --privileged -v /:/host -v /run:/run -v /etc/localtime:/etc/localtime --net=host --ipc=host --pid=host -e HOST=/host -e NAME=rheltools-spc -e IMAGE=rheltools rheltools /bin/sh

Introducing the 'atomic' command

Wraps the rpm-ostree command when run on an Atomic Host

atomic host upgrade

atomic host rollback

atomic host status

Problem Statement

My application is nicely rolled into a container image.
How do I tell the user to run it?

My application runs mostly confined but needs additional privileges

The ntpd container needs to run with --cap-add SYS_TIME

Introducing container
image LABELS

LABELS patch: developers can add metadata to the image's JSON data

LABEL RUN docker run -d --name ntpd --cap-add SYS_TIME IMAGE

atomic run ntpd

Let's look at container images differently

Container images are a new way to ship applications

Look at images as a software delivery mechanism

I package up my JBoss application into a Docker image and move it to a repository, and then what?

How does the customer install it?

How does it get configured to run on the host system?

Where do I ship the config or install script?

Embed the installation procedure
within the container image

LABEL INSTALL docker run --privileged --rm -ti -v /:/host -e HOST=/host -v /run:/run IMAGE /bin/

LABEL UNINSTALL docker run --privileged --rm -ti -v /:/host -e HOST=/host -v /run:/run IMAGE /bin/
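How a RUN label (the ntpd slide) or an INSTALL/UNINSTALL label (this slide) becomes a command the host executes, as an added shell example that is not the atomic tool's own code. It assumes the label value uses `${NAME}` and `${IMAGE}` placeholders, reads the label with a real `docker inspect` Go template, and the DRY_RUN switch, the function names and the image names in the comments are this example's own.

```shell
#!/bin/sh
# Added example, not the atomic tool's code: read LABEL RUN / INSTALL /
# UNINSTALL out of an image, fill in the ${NAME} and ${IMAGE} placeholders
# (assumed convention) and print or execute the result.

# replace_literal STRING TOKEN VALUE -> STRING with every literal TOKEN
# replaced (awk index/substr, so neither TOKEN nor VALUE is read as a regex)
replace_literal() {
    [ -n "$2" ] || { echo "$1"; return; }
    awk -v s="$1" -v t="$2" -v v="$3" 'BEGIN {
        out = ""
        while ((i = index(s, t)) > 0) {
            out = out substr(s, 1, i - 1) v
            s = substr(s, i + length(t))
        }
        print out s
    }'
}

# expand_label LABELVALUE NAME IMAGE -> the command line with placeholders filled
expand_label() {
    out=$(replace_literal "$1" '${NAME}' "$2")
    replace_literal "$out" '${IMAGE}' "$3"
}

# default_name IMAGE -> container name derived from the image: registry path,
# tag and digest stripped, e.g. "ntpd" for "registry.example:5000/ntpd:1.0"
default_name() {
    base=${1##*/}
    base=${base%%@*}
    echo "${base%%:*}"
}

# image_label IMAGE KEY -> value of LABEL KEY from the image metadata
# (empty when the label is not set or the image is not present locally)
image_label() {
    docker inspect --format "{{ index .Config.Labels \"$2\" }}" "$1" 2>/dev/null
}

# label_cmd VERB IMAGE NAME -> expanded command for LABEL VERB (RUN, INSTALL,
# UNINSTALL); fails when the image carries no such label
label_cmd() {
    lbl=$(image_label "$2" "$1")
    [ -n "$lbl" ] || { echo "image $2 has no $1 label" >&2; return 1; }
    expand_label "$lbl" "$3" "$2"
}

# atomic_like VERB IMAGE [NAME] -> print, then execute, the label's command.
# DRY_RUN=1 prints only. The command comes from the image, so executing it is
# trusting the image author with root on the host: inspect it first.
atomic_like() {
    verb=$1; image=$2; name=${3:-$(default_name "$2")}
    cmd=$(label_cmd "$verb" "$image" "$name") || return 1
    echo "+ $cmd"
    [ "${DRY_RUN:-0}" = 1 ] || eval "$cmd"
}

if [ "$#" -ge 2 ]; then
    atomic_like "$@"
fi
```

Usage: `DRY_RUN=1 sh label-run.sh RUN fedora/ntpd` shows what `atomic run` would execute for an image whose Dockerfile carries `LABEL RUN="docker run -d --name ${NAME} --cap-add SYS_TIME ${IMAGE}"`; `sh label-run.sh INSTALL fedora/ntpd` runs the INSTALL label the same way.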

Meta Container Images