One of the great things about nerdctl is that it does not try to bundle everything you might need. This means that if you try to build a container image with nerdctl you will find that you still need to install BuildKit (unless you installed the "nerdctl-full" distribution).
Moreover, BuildKit is something you do not actually need to have installed locally:
$ nerdctl build --help | grep buildkit
Build an image from a Dockerfile. Needs buildkitd to be running.
--buildkit-host string BuildKit address [$BUILDKIT_HOST] (default "unix:///run/user/1000/buildkit/buildkitd.sock")
09/02/2022
It's no secret that docker comes stuffed with many options that most of us don't need. This is why on servers we often find containerd instead of a fully featured docker. Despite that, the real deal breaker is that whatever we run, we run it with root privileges. We can check this by starting the following container:
$ docker run -v /etc:/itc -it --rm alpine sleep 24
And then looking for the process on the host:
$ ps auxf
root 1307 0.0 0.1 2084820 46676 ? Ssl 11:36 0:04 /usr/bin/containerd
root 66978 0.0 0.0 709860 6120 ? Sl 05:12 0:00 \_ containerd-shim -namespace moby -workdir /var/lib/containerd/io.containerd.runtime.v1.linux/moby/50cf9789d0e68949d1cf79462956bde98b46a4616e8b81977d8c89d2af9c34e7 -address /run/containerd/containerd.sock -containerd-binary /usr/bin/containerd -runtime-root /var/run/docker/runtime-runc
root 66996 2.0 0.0 1588 4 pts/0 Ss+ 05:12 0:00 \_ sleep 24
Is it possible to run rootless containers? Is there an alternative to docker?
08/02/2022
You might find some documents explaining containers (this applies to docker and Kubernetes as well) as chroot jails on steroids. One might end up thinking that escaping from a root container is as easy as escaping from a root chroot. That is not true, because it is only an analogy.
28/01/2022
To build a Docker image we might need some packages that we won't use at runtime; an example of this would be the compiler or any of the tools we use to build it (make, ant, maven...).
Instead of installing the tools while building the Docker image and removing them later on, we can use a multistage build so we only copy the artifacts we need into the final image.
17/01/2022
In some containers we might find the nasty surprise that the ps command is not available:
$ ps
sh: 1: ps: not found
If we need to check the processes (and their arguments) we'll need to resort to the /proc filesystem.
16/12/2021