dockerlaunch

package
v0.4.2-rc1 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Dec 2, 2015 License: Apache-2.0, Apache-2.0 Imports: 14 Imported by: 0

README

Docker FROM scratch

Docker-in-Docker image based off of the empty image scratch. Only the bare minimum required files are included to make Docker run. This image weighs in around 25MB expanded.

Running

Overlay
# Daemon
docker run --name daemon --privileged -d rancher/docker

# Client
docker exec -it daemon docker ps
Aufs
# Daemon
docker run --name daemon --privileged -d rancher/docker daemon -s aufs

# Client
docker exec -it daemon docker ps

Embed in Custom Image

Since docker-from-scratch doesn't assume a base Linux distro it can be easily copied into an other image to add Docker-in-Docker capabilities

docker export $(docker create rancher/docker) > files.tar

cat > Dockerfile << EOF

FROM ubuntu
ADD files.tar /
ENTRYPOINT ["/usr/bin/dockerlaunch", "/usr/bin/docker"]
VOLUME /var/lib/docker
CMD ["daemon", "-s", "overlay"]

EOF

docker build -t custom-dind .

Graph Driver Compatibility

This image is really designed to run with overlay. Aufs is known to work but other graph drivers may not work properly or be missing userspace programs needed.

Seriously, Why?

This code and the supporting files were extracted out of RancherOS into a separate library and are still used by RancherOS. RancherOS runs Docker as a PID 1 but before we can exec Docker we need to setup a minimal environment for Docker in which to run. Since RancherOS is executed by the kernel there is absolutely nothing setup in the system. At Rancher we wrote a small amount of code to setup all the required mounts and directories to launch Docker.

We moved this code out into a separate project for two reasons. First was simply that we wanted to clean up and modularize the RancherOS code base. Second is that we wanted to demonstrate clearly what exactly Docker requires from the Linux user space. For the most part Docker requires the standard mounts (/proc, /sys, /run, /var/run, etc) and the cgroup mounts in /sys/fs/cgroup plus the following programs/files:

/etc/ssl/certs/ca-certificates.crt
/usr/bin/modprobe
/usr/bin/iptables
/usr/bin/ssh
/usr/bin/xz
/usr/bin/git
/usr/bin/ps
/usr/libexec/git-core/git-clone
/usr/libexec/git-core/git-submodule
/usr/libexec/git-core/git-checkout

This list can be reduced to a bare minimum if you ignore certain features of Docker. A full description of why each program is needed is below.

File Description Can it be ignored
/etc/ssl/certs/ca-certificates.crt Used as the CA roots to validate SSL connections No
/usr/bin/modprobe Used to ensure that bridge, nf_nat, br_netfilter, aufs, or overlay modules are loaded. Additionally iptables loads kernel modules based on the configuration of the rules Yes, just load the modules from the host that you will need.
/usr/bin/iptables Docker uses IPtables to setup networking Yes, add --iptables=false to the docker -d command. Networking will have to be manually configured in this situation
/usr/bin/ssh Used by git to clone repos over SSH Yes, don't use git based Docker builds
/usr/bin/xz Used to extract legacy Docker images that were compressed with xz Yes, only use newer images. Most popular images are not based on xz
/usr/bin/git Used to do Docker builds from a git URL Yes, don't use git based Docker builds
/usr/bin/ps docker ps uses the host ps to get information about the running process in a container No
/usr/libexec/git-core/git-clone Used by git Yes, don't use git based Docker builds
/usr/libexec/git-core/git-submodule Used by git Yes, don't use git based Docker builds
/usr/libexec/git-core/git-checkout Used by git Yes, don't use git based Docker builds

Custom Bridge Name

If you want to run with a custom bridge name you must pass both --bip and -b as arguments. Normally this would be an error for Docker but in this situation the docker-from-scratch container will create the bridge device with the IP address specified and then old pass -b to Docker.

Troubleshooting

Weird module loading errors

For various reasons Docker or iptables may try to load a kernel module. You can either manually load all the needed modules from the host or you can bind mount in the kernel modules by adding -v /lib/modules/$(uname -r)/lib/modules/$(uname -r) to your docker run command

Debug Logging

To enable debug logging on the startup of docker-from-scrach just add -e DOCKER_LAUNCH_DEBUG=true to the docker run command. For example:

docker run --name daemon --privileged -d -e DOCKER_LAUNCH_DEBUG=true rancher/docker

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func CopyFile

func CopyFile(src, folder, name string) error
func CreateSymlink(src, dest string) error
func CreateSymlinks(pathSets [][]string) error

func LaunchDocker

func LaunchDocker(config *Config, docker string, args ...string) (*exec.Cmd, error)

func Main

func Main()

func ParseConfig

func ParseConfig(config *Config, args ...string) []string

func PrepareFs

func PrepareFs(config *Config) error

Types

type Config

type Config struct {
	Fork            bool
	CommandName     string
	DnsConfig       netconf.DnsConfig
	BridgeName      string
	BridgeAddress   string
	BridgeMtu       int
	CgroupHierarchy map[string]string
	LogFile         string
	NoLog           bool
	EmulateSystemd  bool
	NoFiles         uint64
	Environment     []string
}

Directories

Path Synopsis

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL