CH-DOCKER2SQUASH(1)              Charliecloud              CH-DOCKER2SQUASH(1)

NAME

       ch-docker2squash - Flatten a Docker image into a Charliecloud SquashFS
       file

SYNOPSIS

          $ ch-docker2squash IMAGE OUTDIR [ARGS ...]

DESCRIPTION

       Flattens the Docker image tagged IMAGE into a SquashFS file in OUTDIR.

       Wrapper for ch-docker2tar --nocompress and ch-tar2sqfs. Intermediate
       files and directories are removed.

       Sudo privileges are required to run docker export.

       Optional ARGS passed to mksquashfs unchanged.

       Additional arguments:

          --help print help and exit

          --version
                 print version and exit

EXAMPLE

          $ docker image list | fgrep debian
          REPOSITORY   TAG       IMAGE ID       CREATED      SIZE
          debian       stretch   2d337f242f07   3 weeks ago  101MB
          $ ch-docker2squash debian /var/tmp
          Parallel mksquashfs: Using 6 processors
          Creating 4.0 filesystem on /var/tmp/debian.sqfs, block size 131072.
          [...]
          squashed /var/tmp/debian.sqfs OK
          $ ls -lh /var/tmp/debian*
          -rw-r--r-- 1 charlie charlie 41M Apr 23 14:37 debian.sqfs

REPORTING BUGS

       If Charliecloud was obtained from your Linux distribution, use your
       distribution’s bug reporting procedures.

       Otherwise, report bugs to: <https://github.com/hpc/charliecloud/issues>

SEE ALSO

       charliecloud(1)

       Full documentation at: <https://hpc.github.io/charliecloud>

DOCKER TIPS

       Docker is a convenient way to build Charliecloud images. While
       installing Docker is beyond the scope of this documentation, here are a
       few tips.

   Understand the security implications of Docker
       Because Docker (a) makes installing random crap from the internet
       really easy and (b) is easy to deploy insecurely, you should take care.
       Some of the implications are below. This list should not be considered
       comprehensive nor a substitute for appropriate expertise; adhere to
       your moral and institutional responsibilities.

   docker equals root
       Anyone who can run the docker command or interact with the Docker
       daemon can trivially escalate to root. This is considered a feature.

       For this reason, don’t create the docker group, as this will allow
       passwordless, unlogged escalation for anyone in the group.

   Images can contain bad stuff
       Standard hygiene for “installing stuff from the internet” applies. Only
       work with images you trust. The official Docker Hub repositories can
       help.

   Containers run as root
       By default, Docker runs container processes as root. In addition to
       being poor hygiene, this can be an escalation path, e.g. if you
       bind-mount host directories.

   Docker alters your network configuration
       To see what it did:

          $ ifconfig    # note docker0 interface
          $ brctl show  # note docker0 bridge
          $ route -n

   Docker installs services
       If you don’t want the service starting automatically at boot, e.g.:

          $ systemctl is-enabled docker
          enabled
          $ systemctl disable docker
          $ systemctl is-enabled docker
          disabled

   Configuring for a proxy
       By default, Docker does not work if you have a proxy, and it fails in
       two different ways.

       The first problem is that Docker itself must be told to use a proxy.
       This manifests as:

          $ sudo docker run hello-world
          Unable to find image 'hello-world:latest' locally
          Pulling repository hello-world
          Get https://index.docker.io/v1/repositories/library/hello-world/images: dial tcp 54.152.161.54:443: connection refused

       If you have a systemd system, the Docker documentation explains how to
       configure this. If you don’t have a systemd system, then
       /etc/default/docker might be the place to go?

       The second problem is that Docker containers need to know about the
       proxy as well. This manifests as images failing to build because they
       can’t download stuff from the internet.

       The fix is to set the proxy variables in your environment, e.g.:

          export HTTP_PROXY=http://proxy.example.com:8088
          export http_proxy=$HTTP_PROXY
          export HTTPS_PROXY=$HTTP_PROXY
          export https_proxy=$HTTP_PROXY
          export ALL_PROXY=$HTTP_PROXY
          export all_proxy=$HTTP_PROXY
          export NO_PROXY='localhost,127.0.0.1,.example.com'
          export no_proxy=$NO_PROXY

       You also need to teach sudo to retain them. Add the following to
       /etc/sudoers:

          Defaults env_keep+="HTTP_PROXY http_proxy HTTPS_PROXY https_proxy ALL_PROXY all_proxy NO_PROXY no_proxy"

       Because different programs use different subsets of these variables,
       and to avoid a situation where some things work and others don’t, the
       Charliecloud test suite (see below) includes a test that fails if some
       but not all of the above variables are set.
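       The all-or-none rule and the sudo env_keep requirement above, as an
       added shell example (not Charliecloud's own test or code). The function
       names proxy_vars_missing and sudoers_dropped_vars are hypothetical, and
       the sudoers check is simplified to the one file it is given.

```shell
# Added example, not Charliecloud code. Function names are hypothetical.
PROXY_VARS="HTTP_PROXY http_proxy HTTPS_PROXY https_proxy ALL_PROXY all_proxy NO_PROXY no_proxy"

# Print the unset (or empty) proxy variables and return 1 if some but not
# all are set; print nothing and return 0 if all or none are set.
proxy_vars_missing() {
    _missing="" _set=0 _total=0
    for _name in $PROXY_VARS; do
        _total=$((_total + 1))
        eval "_value=\${$_name-}"    # safe: names come from the fixed list
        if [ -n "$_value" ]; then
            _set=$((_set + 1))
        else
            _missing="${_missing:+$_missing }$_name"
        fi
    done
    if [ "$_set" -eq 0 ] || [ "$_set" -eq "$_total" ]; then
        return 0
    fi
    printf '%s\n' "$_missing"
    return 1
}

# Print the proxy variables that no "Defaults env_keep" line in sudoers
# file $1 retains; return 1 if any are dropped. Simplified: ignores
# included files and per-user or per-host Defaults.
sudoers_dropped_vars() {
    _kept=$(grep -E '^[[:space:]]*Defaults[[:space:]]+env_keep[[:space:]]*\+?=' "$1" |
        tr '"=,\n\t' '     ')
    _kept=" $_kept "
    _dropped=""
    for _name in $PROXY_VARS; do
        case "$_kept" in
            *" $_name "*) ;;
            *) _dropped="${_dropped:+$_dropped }$_name" ;;
        esac
    done
    [ -z "$_dropped" ] && return 0
    printf '%s\n' "$_dropped"
    return 1
}

# Demonstration on constructed values, in a subshell so the caller's
# environment is untouched: only HTTP_PROXY is set, so the check fails.
(
    unset $PROXY_VARS
    HTTP_PROXY=http://proxy.example.com:8088
    proxy_vars_missing >/dev/null
) || echo "proxy variables are only partly set"
```

       Reading /etc/sudoers normally requires root, so point
       sudoers_dropped_vars at a readable copy of the file.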

       2014–2018, Los Alamos National Security, LLC

                  2020-01-28 00:00 Coordinated Universal Time          CH-DOCKER2SQUASH(1)