Running arbitrary containers in LinuxKit

Debugging LinuxKit images can be a serious challenge. Unfortunately, the documentation is not complete enough to cover all the caveats, so in this article I'm going to show the general principle of how to work with arbitrary containers and run commands in them.

You have three main tools to use:

  1. Logs (/var/log/<container>.err.log and /var/log/<container>.out.log) - examine these files first to see what's happening;
  2. CLI (getty) - the main tool at your disposal;
  3. Mounts (binds) - mount points used to exchange information between containers (getty writes a file, and your container reads it).

It's better to see something once than to hear about it, so please look at the YAML configuration below. For this example, I've added the curl image and used it from the shell:

run curl https://www.google.com

Please note that LinuxKit has wget available, so in most cases you won't need curl for your experiments.

How it works:

  • curl is not a service but an ordinary program (however, to make it available to the ctr command, we put the image into the services section). Because we need to exchange information through a file, we don't run curl as is, but pass it its parameters from /hostroot/var/cmd.
  • run is a helper available in the getty shell (a function defined in /etc/profile.d/run.sh): it deletes the container (otherwise it won't be able to start the container later), writes the required parameters into the file, and starts the container again.
  • On startup, curl reads the current parameters from the file and runs with them (e.g., opens https://www.google.com).

linuxkit-curl.yml:

    kernel:
      image: linuxkit/kernel:4.9.52
      cmdline: "console=tty0 console=ttyS0 console=ttyAMA0 vga=791"
    init:
      - linuxkit/init:7804129bd06218b72c298139a25698a748d253c6
      - linuxkit/runc:a1b564248a0d0b118c11e61db9f84ecf41dd2d2a
      - linuxkit/containerd:417f83f7b8dc1fa36acf90effe44f99c7397480a
    onboot:
      - name: dhcpcd
        image: linuxkit/dhcpcd:d4408777ed6b6e6e562a5d4938fd09804324b33e
        command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
    services:
      - name: getty
        image: linuxkit/getty:bf6872ce0a9f3ab519b3e502cc41ba3958bda2a6
        env:
          # Passwordless root login on the console: for debugging images only.
          - INSECURE=true
        binds:
          - /etc/resolv.conf:/etc/resolv.conf
          - /run:/run
          - /tmp:/tmp
          - /etc:/hostroot/etc
          - /usr/bin/ctr:/usr/bin/ctr
          - /usr/bin/runc:/usr/bin/runc
          - /containers:/containers
          - /var/log:/var/log
          - /dev:/dev
          - /sys:/sys
          - /etc/profile.d/run.sh:/etc/profile.d/run.sh
          - /var:/hostroot/var:rshared,rbind
        rootfsPropagation: shared
      - name: curl
        # Unlike the linuxkit images, this one is not pinned to a tag or hash
        # and is not covered by the trust section below.
        image: byrnedo/alpine-curl
        # The file content is word-split into curl's arguments.
        command: ["sh", "-c", "curl `cat /hostroot/var/cmd`"]
        binds:
          - /var:/hostroot/var
          - /etc/resolv.conf:/etc/resolv.conf
    files:
      - path: etc/profile.d/run.sh
        contents: |
          # run <task> <argument>: $1 is the task name, $2 the argument for curl
          run() {
            ctr t delete "$1"
            echo "$2" > /hostroot/var/cmd
            ctr t start "$1"
          }
    trust:
      org:
        - linuxkit
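
The curl container word-splits whatever is in /hostroot/var/cmd into curl arguments, so anything able to write that file chooses curl's options as well as its URL. The following is an added example, not part of the original configuration: a checked variant of run() that only writes a single http(s) URL. The names run_checked, is_plain_url, CMD_FILE and CTR are hypothetical.

```sh
# Added example: checked variant of the page's run() helper (names are hypothetical).
# CMD_FILE and CTR can be overridden to try the function outside LinuxKit;
# their defaults are the path and command used in the configuration above.
CMD_FILE="${CMD_FILE:-/hostroot/var/cmd}"
CTR="${CTR:-ctr}"

# is_plain_url VALUE: succeed only for one http(s) URL without whitespace or
# control characters, i.e. a value that word splitting cannot turn into
# several curl arguments and that cannot be read as an option.
is_plain_url() {
  case "$1" in
    *[[:space:]]*|*[[:cntrl:]]*) return 1 ;;
  esac
  case "$1" in
    http://?*|https://?*) return 0 ;;
  esac
  return 1
}

# run_checked TASK URL: same steps as run(), but refuses anything except a URL.
# Returns 0 on success, 1 if the value is rejected, 2 on wrong usage.
run_checked() {
  if [ "$#" -ne 2 ]; then
    echo "usage: run_checked <task> <url>" >&2
    return 2
  fi
  if ! is_plain_url "$2"; then
    echo "run_checked: refusing to write a non-URL value to $CMD_FILE" >&2
    return 1
  fi
  "$CTR" t delete "$1" 2>/dev/null || true   # the task may not exist yet
  printf '%s\n' "$2" > "$CMD_FILE" || return 1
  "$CTR" t start "$1"
}

# Counterpart on the consumer side (a config line, shown as a comment): quoting
# the substitution keeps the file content a single argument to curl.
#   command: ["sh", "-c", "curl --url \"$(cat /hostroot/var/cmd)\""]
```

Placed in etc/profile.d/run.sh next to run(), it is called the same way: run_checked curl https://www.google.com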