Docker in an LXD/LXC Container

So far I have set up all my services myself as LXC containers. However, it increasingly seems that using Docker containers is much easier. A large part of the effort is taken over by the authors of the Dockerfiles, and for me it then becomes simpler.

Problem: I do not "trust" the authors 100%. Because the authors specify both the content of the Docker containers and how the containers are integrated into the host system, I cannot be sure that nothing is being "slipped in" on me.

One idea: run the Docker containers inside an LXC container! Then at most the LXC container can get wrecked!

Creating the LXC container

root@cslpc55:~# lxc copy ubuntu-2204 docker
root@cslpc55:~# lxc config set docker security.nesting=true security.syscalls.intercept.mknod=true security.syscalls.intercept.setxattr=true
root@cslpc55:~# lxc start docker
root@cslpc55:~# lxc ls
+-------------+---------+---------------------+------+-----------+-----------+
|    NAME     |  STATE  |        IPV4         | IPV6 |   TYPE    | SNAPSHOTS |
+-------------+---------+---------------------+------+-----------+-----------+
| docker      | RUNNING | 10.38.231.57 (eth0) |      | CONTAINER | 0         |
+-------------+---------+---------------------+------+-----------+-----------+
| ubuntu-2204 | STOPPED |                     |      | CONTAINER | 0         |
+-------------+---------+---------------------+------+-----------+-----------+
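The isolation argument above ("at most the LXC container gets wrecked") only holds while the LXD container stays unprivileged; a container with security.privileged=true would give a nested dockerd effectively host-root. The following pre-flight check is an added example, not part of the original post: it reads the output of `lxc config show <name> --expanded` and refuses a privileged container or one without security.nesting (the container name "docker" is assumed from the post).

```shell
#!/bin/sh
# Audit an LXD container's security settings before installing Docker in it.
# Input: output of `lxc config show <name> --expanded` on stdin.
# Returns 0 when the container is unprivileged with nesting enabled, 1 otherwise.
audit_lxd_config() {
    cfg=$(cat)

    # Extract the value of one "key: "value"" line from the config: section.
    # Dots in the key are escaped so they match literally in the sed regex.
    get_key() {
        key=$(printf '%s' "$1" | sed 's/\./\\./g')
        printf '%s\n' "$cfg" \
            | sed -n "s/^ *$key: *\"\{0,1\}\([^\"]*\)\"\{0,1\} *$/\1/p" \
            | head -n 1
    }

    privileged=$(get_key security.privileged)
    nesting=$(get_key security.nesting)
    mknod=$(get_key security.syscalls.intercept.mknod)
    setxattr=$(get_key security.syscalls.intercept.setxattr)

    # Hard failures: these break the "only the LXC container can be wrecked" assumption.
    if [ "$privileged" = "true" ]; then
        echo "FAIL: container is privileged; a nested dockerd would run as host root" >&2
        return 1
    fi
    if [ "$nesting" != "true" ]; then
        echo "FAIL: security.nesting is not enabled; dockerd cannot start nested containers" >&2
        return 1
    fi
    # Soft warning: without these intercepts some images fail (device nodes, xattrs),
    # which tempts people into flipping security.privileged instead.
    if [ "$mknod" != "true" ] || [ "$setxattr" != "true" ]; then
        echo "WARN: mknod/setxattr syscall interception not enabled" >&2
    fi
    echo "OK: unprivileged container with nesting enabled"
    return 0
}

# Live use on the LXD host (container name "docker" as in the post):
#   lxc config show docker --expanded | audit_lxd_config
```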

Installing Docker

root@cslpc55:~# ssh root@docker.lxd
root@docker:~# sudo apt install docker.io
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following additional packages will be installed:
  bridge-utils containerd dns-root-data dnsmasq-base pigz runc ubuntu-fan
Suggested packages:
  ifupdown aufs-tools cgroupfs-mount | cgroup-lite debootstrap docker-doc rinse zfs-fuse | zfsutils
The following NEW packages will be installed:
  bridge-utils containerd dns-root-data dnsmasq-base docker.io pigz runc ubuntu-fan
0 upgraded, 8 newly installed, 0 to remove and 0 not upgraded.
Need to get 66.8 MB of archives.
After this operation, 287 MB of additional disk space will be used.
Do you want to continue? [Y/n] 
Get:1 http://archive.ubuntu.com/ubuntu jammy/universe amd64 pigz amd64 2.6-1 [63.6 kB]
Get:2 http://archive.ubuntu.com/ubuntu jammy/main amd64 bridge-utils amd64 1.7-1ubuntu3 [34.4 kB]
...
Adding group `docker' (GID 121) ...
Done.
Created symlink /etc/systemd/system/multi-user.target.wants/docker.service → /lib/systemd/system/docker.service.
Created symlink /etc/systemd/system/sockets.target.wants/docker.socket → /lib/systemd/system/docker.socket.
Processing triggers for dbus (1.12.20-2ubuntu4.1) ...
Processing triggers for man-db (2.10.2-1) ...
...

Quick test

root@docker:~# docker run hello-world
Unable to find image 'hello-world:latest' locally
latest: Pulling from library/hello-world
2db29710123e: Pull complete 
Digest: sha256:c77be1d3a47d0caf71a82dd893ee61ce01f32fc758031a6ec4cf1389248bb833
Status: Downloaded newer image for hello-world:latest

Hello from Docker!
This message shows that your installation appears to be working correctly.

To generate this message, Docker took the following steps:
 1. The Docker client contacted the Docker daemon.
 2. The Docker daemon pulled the "hello-world" image from the Docker Hub.
    (amd64)
 3. The Docker daemon created a new container from that image which runs the
    executable that produces the output you are currently reading.
 4. The Docker daemon streamed that output to the Docker client, which sent it
    to your terminal.

To try something more ambitious, you can run an Ubuntu container with:
 $ docker run -it ubuntu bash

Share images, automate workflows, and more with a free Docker ID:
 https://hub.docker.com/

For more examples and ideas, visit:
 https://docs.docker.com/get-started/

OhMyForm

Preparations:

root@docker:~# docker pull ohmyform/ohmyform
Using default tag: latest
latest: Pulling from ohmyform/ohmyform
530afca65e2e: Pull complete
...
4b67067734fc: Pull complete 
43d3c0e03aac: Pull complete 
8609309ee9d2: Pull complete 
Digest: sha256:fb8d876a7614571d5ce6996de982f0ea5c9f1176273e2b25c1092de411a34039
Status: Downloaded newer image for ohmyform/ohmyform:latest
docker.io/ohmyform/ohmyform:latest

root@docker:~# docker run --publish 0.0.0.0:4000:4000/tcp ohmyform/ohmyform
2022-12-25 05:29:12,562 CRIT Supervisor is running as root.  Privileges were not dropped because no user is specified in the config file.  If you intend to run as root, you can set user=root in the config file to avoid this message.
2022-12-25 05:29:12,565 INFO supervisord started with pid 1
2022-12-25 05:29:13,568 INFO spawned: 'api' with pid 8
...
$ /usr/src/ui/node_modules/.bin/next start -p 4000
$ cross-env NODE_ENV=production node dist/main
ready - started server on 0.0.0.0:4000, url: http://localhost:4000
2022-12-25 05:29:14,957 INFO success: api entered RUNNING state, process has stayed up for > than 1 seconds (startsecs)
...

Now a test with the browser: http://docker.lxd:4000 -> works!

Links

Changes

  • 2022-12-25: First version