CH-BUILDER2TAR(1)                Charliecloud                CH-BUILDER2TAR(1)

NAME

       ch-builder2tar - Flatten a builder image into a Charliecloud image
       tarball

SYNOPSIS

          $ ch-builder2tar [-b BUILDER] [--nocompress] IMAGE OUTDIR

DESCRIPTION

       Flatten the builder image tagged IMAGE into a Charliecloud tarball in
       directory OUTDIR.

       The builder-specified environment (e.g., ENV statements) is placed in a
       file in the tarball at $IMAGE/ch/environment, in a form suitable for
       ch-run --set-env.

       See ch-build(1) for details on specifying the builder.

       Additional arguments:

          -b, --builder BUILDER
                 Use specified builder; if not given, use $CH_BUILDER or
                 default.

          --nocompress
                 Do not compress tarball.

          --help Print help and exit.

          --version
                 Print version and exit.

EXAMPLE

          $ ch-builder2tar hello /var/tmp
          57M /var/tmp/hello.tar.gz
          $ ls -lh /var/tmp
          -rw-r-----  1 reidpr reidpr  57M Feb 13 16:14 hello.tar.gz

REPORTING BUGS

       If Charliecloud was obtained from your Linux distribution, use your
       distribution’s bug reporting procedures.

       Otherwise, report bugs to: <https://github.com/hpc/charliecloud/issues>

SEE ALSO

       charliecloud(1)

       Full documentation at: <https://hpc.github.io/charliecloud>

DOCKER TIPS

       Docker is a convenient way to build Charliecloud images. While
       installing Docker is beyond the scope of this documentation, here are a
       few tips.

   Understand the security implications of Docker
       Because Docker (a) makes installing random crap from the internet
       really easy and (b) is easy to deploy insecurely, you should take care.
       Some of the implications are below. This list should not be considered
       comprehensive nor a substitute for appropriate expertise; adhere to
       your moral and institutional responsibilities.

   docker equals root
       Anyone who can run the docker command or interact with the Docker
       daemon can trivially escalate to root. This is considered a feature.

       For this reason, don’t create the docker group, as this will allow
       passwordless, unlogged escalation for anyone in the group.
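
An added audit sketch for the point above (not part of the Charliecloud documentation): it lists the accounts that hold docker group access, including those that have it only through their primary GID, which the member list in the group file does not show. The function names and the file-path arguments are this example's own, and it reads local files only, so accounts served by LDAP or NIS are not covered.

```shell
#!/bin/sh
# Added example. Arguments are paths to group and passwd files so the check
# can be run on copies; the defaults are the local files.

# Print every account in the "docker" group, one per line: supplementary
# members (field 4 of the group file) plus accounts whose primary GID
# (field 4 of passwd) is the docker group's GID.
docker_group_members() {
    group_file=${1:-/etc/group}
    passwd_file=${2:-/etc/passwd}
    gid=$(awk -F: '$1 == "docker" { print $3; exit }' "$group_file")
    [ -n "$gid" ] || return 0          # no docker group: nothing to report
    {
        awk -F: '$1 == "docker" && $4 != "" {
                     n = split($4, m, ",")
                     for (i = 1; i <= n; i++) print m[i]
                 }' "$group_file"
        awk -F: -v gid="$gid" '$4 == gid { print $1 }' "$passwd_file"
    } | sort -u
}

# Return 0 if nobody holds docker access through the group, 1 otherwise
# (and name the accounts on stdout).
audit_docker_group() {
    members=$(docker_group_members "$@")
    if [ -n "$members" ]; then
        printf 'root-equivalent via docker group: %s\n' \
               "$(printf '%s\n' "$members" | tr '\n' ' ')"
        return 1
    fi
    return 0
}

# Usage: audit_docker_group            (local /etc/group and /etc/passwd)
#        audit_docker_group G P        (copies of those files)
```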

   Images can contain bad stuff
       Standard hygiene for “installing stuff from the internet” applies. Only
       work with images you trust. The official Docker Hub repositories can
       help.

   Containers run as root
       By default, Docker runs container processes as root. In addition to
       being poor hygiene, this can be an escalation path, e.g. if you
       bind-mount host directories.

   Docker alters your network configuration
       To see what it did:

          $ ifconfig    # note docker0 interface
          $ brctl show  # note docker0 bridge
          $ route -n

   Docker installs services
       If you don’t want the service starting automatically at boot, e.g.:

          $ systemctl is-enabled docker
          enabled
          $ systemctl disable docker
          $ systemctl is-enabled docker
          disabled

   Configuring for a proxy
       By default, Docker does not work if you have a proxy, and it fails in
       two different ways.

       The first problem is that Docker itself must be told to use a proxy.
       This manifests as:

          $ sudo docker run hello-world
          Unable to find image 'hello-world:latest' locally
          Pulling repository hello-world
          Get https://index.docker.io/v1/repositories/library/hello-world/images: dial tcp 54.152.161.54:443: connection refused

       If you have a systemd system, the Docker documentation explains how to
       configure this. If you don’t have a systemd system, then
       /etc/default/docker might be the place to go?

       The second problem is that Docker containers need to know about the
       proxy as well. This manifests as images failing to build because they
       can’t download stuff from the internet.

       The fix is to set the proxy variables in your environment, e.g.:

          export HTTP_PROXY=http://proxy.example.com:8088
          export http_proxy=$HTTP_PROXY
          export HTTPS_PROXY=$HTTP_PROXY
          export https_proxy=$HTTP_PROXY
          export ALL_PROXY=$HTTP_PROXY
          export all_proxy=$HTTP_PROXY
          export NO_PROXY='localhost,127.0.0.1,.example.com'
          export no_proxy=$NO_PROXY

       You also need to teach sudo to retain them. Add the following to
       /etc/sudoers:

          Defaults env_keep+="HTTP_PROXY http_proxy HTTPS_PROXY https_proxy ALL_PROXY all_proxy NO_PROXY no_proxy"

       Because different programs use different subsets of these variables,
       and to avoid a situation where some things work and others don’t, the
       Charliecloud test suite (see below) includes a test that fails if some
       but not all of the above variables are set.
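
An added sketch of that all-or-none check, with a second function that looks for the same eight names on the env_keep lines of a sudoers file. This is example code written for this page, not the test from the Charliecloud suite; the function names are its own, and it assumes the env_keep setting lives in the single file it is given (included files such as /etc/sudoers.d/* would need the same pass).

```shell
#!/bin/sh
# Added example. The eight variable names from the export list above.
PROXY_VARS="HTTP_PROXY http_proxy HTTPS_PROXY https_proxy ALL_PROXY all_proxy NO_PROXY no_proxy"

# Return 0 if all eight variables are set (non-empty) or none are;
# return 1 and name the missing ones on stderr if only some are set.
proxy_vars_check() {
    set_n=0
    unset_list=""
    for v in $PROXY_VARS; do
        eval "val=\${$v:-}"      # v comes only from the fixed list above
        if [ -n "$val" ]; then
            set_n=$((set_n + 1))
        else
            unset_list="$unset_list $v"
        fi
    done
    if [ "$set_n" -eq 0 ] || [ -z "$unset_list" ]; then
        return 0
    fi
    echo "partial proxy configuration; missing:$unset_list" >&2
    return 1
}

# Print, one per line, the proxy variables that no "Defaults env_keep=" or
# "Defaults env_keep+=" line in the given sudoers file retains.
sudoers_missing_env_keep() {
    kept=$(grep -E '^[[:space:]]*Defaults[[:space:]].*env_keep[[:space:]]*\+?=' "$1" \
           | tr '"=+,\n' '     ')
    for v in $PROXY_VARS; do
        case " $kept " in
            *" $v "*) ;;
            *) echo "$v" ;;
        esac
    done
}

# Usage: proxy_vars_check && echo "proxy variables consistent"
#        sudoers_missing_env_keep /etc/sudoers    (needs read access)
```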

       2014–2018, Los Alamos National Security, LLC

                 2020-01-28 00:00 Coordinated Universal Time CH-BUILDER2TAR(1)