== container_namespaces ==
=== Demonstrating escaping namespacing ===
==== Inputs ====
I created a small Go program called show_distro that prints the contents of /etc/redhat-release. The source code for it can be viewed [https://gist.github.com/baude/0d89a890c05c8ca5ec1098912331663d#file-gistfile1-txt here].
The Dockerfile for this demo is extremely simple. You can view the Dockerfile [https://gist.github.com/baude/efb757cb4e40cbf21099e891c8d34d11 here].
==== Demo ====
We will use a container running CentOS on a Fedora 25 host to show how you can run the same executable in the container's namespace and, from inside the container, in the host's namespace.
Run the container to enter it. Note the bind mount of a shared directory and the bind mount of the host's /proc; together with --privileged and --pid=host, these are what allow the container to reach the host's namespaces below.
<pre>[bbaude@bbaude go-container]$ docker run -it --rm --privileged --pid=host --net=host -v /proc:/host/proc -v /shared:/shared my_image /bin/bash</pre>
We need to copy the Go executable to somewhere that both the host and the container can run it.
<pre>[root@bbaude /]# cp /show_distro /shared</pre>
Let's run the executable in the container's namespace. Remember the container is running CentOS.
<pre>[root@bbaude /]# /shared/show_distro
CentOS Linux release 7.3.1611 (Core)
</pre>
Now we run the executable from the container but in the host's mount namespace using nsenter. Even though you are executing the command "in the container", the host's mount namespace must be able to resolve the executable for this to work, which is why it lives on the shared bind mount. Remember the host is running Fedora 25.
<pre>[root@bbaude /]# nsenter --mount=/host/proc/1/ns/mnt -- /shared/show_distro
Fedora release 25 (Twenty Five)
</pre>
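As an added example (not part of the original page or its gists), here is a Go check for the defender's side of the same mechanism: instead of inferring the namespace from the distro file, it compares this process's /proc/self/ns links with PID 1's under a given /proc root and reports which namespaces are shared with the host, which is what --pid=host, --net=host and the bind-mounted /host/proc above hand over. The /host/proc path is the demo's bind mount; the function names are assumptions of this example.

```go
package main

import (
	"fmt"
	"os"
	"strings"
)

// nsInode extracts the inode from a /proc/<pid>/ns link target such as
// "mnt:[4026531840]"; equal inodes mean the same namespace.
func nsInode(target string) (string, bool) {
	start := strings.IndexByte(target, '[')
	end := strings.LastIndexByte(target, ']')
	if start < 0 || end < start {
		return "", false
	}
	return target[start+1 : end], true
}

// sameNamespace reports whether two ns links point at the same namespace. Reading
// another PID's link needs ptrace-read permission, so an unprivileged caller gets
// EACCES here rather than a misleading "not shared".
func sameNamespace(linkA, linkB string) (bool, error) {
	a, err := os.Readlink(linkA)
	if err != nil {
		return false, err
	}
	b, err := os.Readlink(linkB)
	if err != nil {
		return false, err
	}
	ia, okA := nsInode(a)
	ib, okB := nsInode(b)
	if !okA || !okB {
		return false, fmt.Errorf("unexpected ns link format: %q, %q", a, b)
	}
	return ia == ib, nil
}

// sharedWithInit compares this process with PID 1 under procRoot for the namespaces
// the demo touches (--pid=host, --net=host, nsenter --mount). procRoot is "/host/proc"
// inside the demo container (assumed bind mount) and "/proc" on the host; a read
// error counts as "not shared".
func sharedWithInit(procRoot string) map[string]bool {
	shared := map[string]bool{}
	for _, kind := range []string{"mnt", "pid", "net", "uts"} {
		same, err := sameNamespace("/proc/self/ns/"+kind, procRoot+"/1/ns/"+kind)
		shared[kind] = err == nil && same
	}
	return shared
}
```

Run inside the demo container as sharedWithInit("/host/proc"): a true value for mnt, pid or net means that namespace boundary is not there, which is the condition the nsenter step above relies on.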
Latest revision as of 17:32, 24 March 2017