From Fedora Project Wiki

== container_namespaces ==
=== Demonstrating escaping namespacing ===
 
==== Inputs ====
 
I created a small Go program that prints out /etc/redhat-release called show_distro.  The source code for it can be viewed [https://gist.github.com/baude/0d89a890c05c8ca5ec1098912331663d#file-gistfile1-txt here].
 
The Dockerfile for this demo is extremely simple.  You can view the Dockerfile [https://gist.github.com/baude/efb757cb4e40cbf21099e891c8d34d11 here].
 
==== Demo ====
 
We will use a container running CentOS on a Fedora 25 host to show how you can run an executable in the container's namespace and in the host's namespace (from inside the container).
 
Run the container to enter into it.  Note the bind mount of a shared directory and the bind mount of /proc.
 
<pre>[bbaude@bbaude go-container]$ docker run -it --rm --privileged --pid=host --net=host -v /proc:/host/proc -v /shared:/shared my_image /bin/bash</pre>
 
We need to copy the Go executable to somewhere that both the host and container can run it. 
 
<pre>[root@bbaude /]# cp /show_distro /shared</pre>
 
Let's run the executable in the container namespace.  Remember the container is running CentOS.
 
<pre>[root@bbaude /]# /shared/show_distro
CentOS Linux release 7.3.1611 (Core)
</pre>
 
Now we run the executable from the container but in the host's mount namespace using nsenter.  Even though you are executing the command "in the container", the host's namespace must be able to resolve the executable for this to work, which is why it was copied to the shared bind mount. Remember the host is running Fedora 25.
 
<pre>[root@bbaude /]# nsenter --mount=/host/proc/1/ns/mnt -- /shared/show_distro
Fedora release 25 (Twenty Five)
</pre>
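The demo only works because of the options on the docker run line: --privileged, --pid=host, --net=host and the bind mount of the host's /proc hand the container a view of the host's namespace handles (/host/proc/1/ns/*), which nsenter then uses. As an added example that is not part of the original page and not the show_distro program linked above, the following Go program does two things a defender would want: it audits a docker run argument list for those options, and, when run inside such a container, reports which of its own namespaces are shared with the host's PID 1 by comparing the inode numbers behind /proc/self/ns/* and /host/proc/1/ns/*. The /host/proc path and the wording of the findings are assumptions chosen to match the demo.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"strconv"
	"strings"
)

// nsKinds lists the namespace links exposed under /proc/<pid>/ns on Linux.
var nsKinds = []string{"mnt", "pid", "net", "uts", "ipc", "user", "cgroup"}

// ParseNSLink parses a readlink target such as "mnt:[4026531840]" into its
// namespace kind and inode number.
func ParseNSLink(target string) (string, uint64, error) {
	open := strings.Index(target, ":[")
	if open < 0 || !strings.HasSuffix(target, "]") {
		return "", 0, fmt.Errorf("malformed namespace link %q", target)
	}
	ino, err := strconv.ParseUint(target[open+2:len(target)-1], 10, 64)
	if err != nil {
		return "", 0, fmt.Errorf("malformed namespace inode in %q: %w", target, err)
	}
	return target[:open], ino, nil
}

// SameNamespace reports whether two /proc/<pid>/ns/<kind> links refer to the
// same namespace by comparing the inodes they resolve to. Reading another
// process's link needs ptrace-level access, so errors are returned, not hidden.
func SameNamespace(linkA, linkB string) (bool, error) {
	a, err := os.Readlink(linkA)
	if err != nil {
		return false, err
	}
	b, err := os.Readlink(linkB)
	if err != nil {
		return false, err
	}
	kindA, inoA, err := ParseNSLink(a)
	if err != nil {
		return false, err
	}
	kindB, inoB, err := ParseNSLink(b)
	if err != nil {
		return false, err
	}
	if kindA != kindB {
		return false, errors.New("comparing namespaces of different kinds: " + kindA + " vs " + kindB)
	}
	return inoA == inoB, nil
}

// SharedWithHost compares this process's namespaces with those of PID 1 as seen
// through hostProc (assumed "/host/proc", the bind mount used in the demo).
func SharedWithHost(hostProc string) (map[string]bool, error) {
	shared := make(map[string]bool)
	for _, kind := range nsKinds {
		same, err := SameNamespace("/proc/self/ns/"+kind, hostProc+"/1/ns/"+kind)
		if err != nil {
			return shared, fmt.Errorf("%s: %w", kind, err)
		}
		shared[kind] = same
	}
	return shared, nil
}

// AuditRunArgs scans the arguments after "docker run" for options that let a
// process in the container reach host namespaces; one finding per option.
func AuditRunArgs(args []string) []string {
	var findings []string
	for i := 0; i < len(args); i++ {
		arg := args[i]
		val := "" // value of a -v/--volume option, if this argument is one
		if strings.HasPrefix(arg, "--volume=") {
			val = strings.TrimPrefix(arg, "--volume=")
		} else if (arg == "-v" || arg == "--volume") && i+1 < len(args) {
			i++
			val = args[i]
		}
		switch {
		case arg == "--privileged":
			findings = append(findings, "--privileged grants all capabilities and drops the default seccomp/LSM confinement")
		case arg == "--pid=host":
			findings = append(findings, "--pid=host shares the host PID namespace, so /proc shows host processes")
		case arg == "--net=host", arg == "--network=host":
			findings = append(findings, "--net=host shares the host network namespace")
		case strings.HasPrefix(arg, "--cap-add"):
			findings = append(findings, arg+" adds capabilities beyond the default set")
		case val != "":
			src := strings.SplitN(val, ":", 2)[0]
			if src == "/" || src == "/proc" || strings.HasPrefix(src, "/proc/") {
				findings = append(findings, "bind mount of "+src+" exposes host namespace handles under /proc/<pid>/ns")
			}
		}
	}
	return findings
}

func main() {
	// The demo's own command line, embedded here as constructed sample input.
	demo := strings.Fields("docker run -it --rm --privileged --pid=host --net=host -v /proc:/host/proc -v /shared:/shared my_image /bin/bash")
	for _, f := range AuditRunArgs(demo[2:]) {
		fmt.Println("finding:", f)
	}
	// Only meaningful inside a container that has the host's /proc at /host/proc.
	if shared, err := SharedWithHost("/host/proc"); err == nil {
		for kind, same := range shared {
			fmt.Printf("%s namespace shared with host: %v\n", kind, same)
		}
	} else {
		fmt.Println("namespace comparison skipped:", err)
	}
}
```

Run as-is the audit reports four findings for the demo's command line (privileged, host PID namespace, host network namespace, and the /proc bind mount); the /shared mount is not flagged. The namespace comparison is skipped with an error outside such a container, since /host/proc/1/ns/* either does not exist or is not readable without ptrace access.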

Latest revision as of 17:32, 24 March 2017
