CH-PULL2DIR(1) Charliecloud CH-PULL2DIR(1)

ch-pull2dir - Pull image from Docker Hub, flatten and unpack it

$ ch-pull2dir IMAGE[:TAG] DIR

Pull Docker image named IMAGE[:TAG] from Docker Hub and extract it into
a subdirectory of DIR. A temporary tarball is stored in DIR.

Sudo privileges are required to run the docker pull command.

This runs the following command sequence: ch-pull2tar, ch-tar2dir. See
warning in the documentation for ch-tar2dir.

Additional arguments:

--help
    print help and exit

--version
    print version and exit

$ ch-pull2dir alpine /var/tmp
Using default tag: latest
latest: Pulling from library/alpine
Digest: sha256:621c2f39f8133acb8e64023a94dbdf0d5ca81896102b9e57c0dc184cadaf5528
Status: Image is up to date for alpine:latest
-rw-r--r--. 1 charlie charlie 2.1M Oct 5 19:52 /var/tmp/alpine.tar.gz
creating new image /var/tmp/alpine
/var/tmp/alpine unpacked ok
removed '/var/tmp/alpine.tar.gz'

Same as above, except optional TAG is specified:

$ ch-pull2dir alpine:3.6 /var/tmp
3.6: Pulling from library/alpine
Digest: sha256:cc24af836d1377e092ecb4e8f0a4324c3b1aa2b5295c2239edcc7bbc86a9cbc6
Status: Image is up to date for alpine:3.6
-rw-r--r--. 1 charlie charlie 2.1M Oct 5 19:54 /var/tmp/alpine:3.6.tar.gz
creating new image /var/tmp/alpine:3.6
/var/tmp/alpine:3.6 unpacked ok
removed '/var/tmp/alpine:3.6.tar.gz'

If Charliecloud was obtained from your Linux distribution, use your
distribution’s bug reporting procedures.

Otherwise, report bugs to: <https://github.com/hpc/charliecloud/issues>

charliecloud(1)

Full documentation at: <https://hpc.github.io/charliecloud>

Docker is a convenient way to build Charliecloud images. While
installing Docker is beyond the scope of this documentation, here are a
few tips.

Understand the security implications of Docker
Because Docker (a) makes installing random crap from the internet
really easy and (b) is easy to deploy insecurely, you should take care.
Some of the implications are below. This list should not be considered
comprehensive nor a substitute for appropriate expertise; adhere to
your moral and institutional responsibilities.

docker equals root
Anyone who can run the docker command or interact with the Docker
daemon can trivially escalate to root. This is considered a feature.

For this reason, don’t create the docker group, as this will allow
passwordless, unlogged escalation for anyone in the group.
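
One way to check a host against this advice, as an added example that is not part of Charliecloud. The function names and exit codes are assumptions made here; the only inputs are files in group(5) and passwd(5) format.

```shell
#!/bin/sh
# Added example (not Charliecloud code): audit membership of the docker group.
# Reads group(5)/passwd(5)-format files so it can run on copies; on hosts
# using LDAP/SSSD, feed it the output of `getent group` and `getent passwd`.

# docker_group_members GROUP_FILE PASSWD_FILE
# Prints every account in the docker group, sorted, one per line:
# supplementary members listed in the group file plus accounts whose
# primary GID equals the docker group's GID (easy to miss in a review).
docker_group_members() {
    awk -F: '
        FILENAME == ARGV[1] {
            if ($1 == "docker") {
                gid = $3
                n = split($4, m, ",")
                for (i = 1; i <= n; i++) if (m[i] != "") print m[i]
            }
            next
        }
        gid != "" && $4 == gid { print $1 }
    ' "$1" "$2" | sort -u
}

# audit_docker_group [GROUP_FILE [PASSWD_FILE]]
# Returns 0 if there is no docker group, 1 if it exists but is empty,
# 2 if any account is a member.
audit_docker_group() {
    grp=${1:-/etc/group}
    pw=${2:-/etc/passwd}
    if ! grep -q '^docker:' "$grp" 2>/dev/null; then
        echo "ok: no docker group in $grp"
        return 0
    fi
    members=$(docker_group_members "$grp" "$pw")
    if [ -z "$members" ]; then
        echo "warn: docker group exists but has no members"
        return 1
    fi
    echo "FAIL: accounts with root-equivalent access via the docker group:"
    echo "$members" | sed 's/^/  /'
    return 2
}

audit_docker_group "$@" || echo "audit status: $?" >&2
```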
78
79 Images can contain bad stuff
80 Standard hygiene for “installing stuff from the internet” applies. Only
81 work with images you trust. The official Docker Hub repositories can
82 help.
83
84 Containers run as root
85 By default, Docker runs container processes as root. In addition to
86 being poor hygiene, this can be an escalation path, e.g. if you
87 bind-mount host directories.
88
89 Docker alters your network configuration
90 To see what it did:
91
92 $ ifconfig # note docker0 interface
93 $ brctl show # note docker0 bridge
94 $ route -n
95
96 Docker installs services
97 If you don’t want the service starting automatically at boot, e.g.:
98
99 $ systemctl is-enabled docker
100 enabled
101 $ systemctl disable docker
102 $ systemctl is-enabled docker
103 disabled
104
Configuring for a proxy
By default, Docker does not work if you have a proxy, and it fails in
two different ways.

The first problem is that Docker itself must be told to use a proxy.
This manifests as:

$ sudo docker run hello-world
Unable to find image 'hello-world:latest' locally
Pulling repository hello-world
Get https://index.docker.io/v1/repositories/library/hello-world/images: dial tcp 54.152.161.54:443: connection refused

If you have a systemd system, the Docker documentation explains how to
configure this. If you don’t have a systemd system, then
/etc/default/docker might be the place to go?

The second problem is that Docker containers need to know about the
proxy as well. This manifests as images failing to build because they
can’t download stuff from the internet.

The fix is to set the proxy variables in your environment, e.g.:

export HTTP_PROXY=http://proxy.example.com:8088
export http_proxy=$HTTP_PROXY
export HTTPS_PROXY=$HTTP_PROXY
export https_proxy=$HTTP_PROXY
export ALL_PROXY=$HTTP_PROXY
export all_proxy=$HTTP_PROXY
export NO_PROXY='localhost,127.0.0.1,.example.com'
export no_proxy=$NO_PROXY

You also need to teach sudo to retain them. Add the following to
/etc/sudoers:

Defaults env_keep+="HTTP_PROXY http_proxy HTTPS_PROXY https_proxy ALL_PROXY all_proxy NO_PROXY no_proxy"

Because different programs use different subsets of these variables,
and to avoid a situation where some things work and others don’t, the
Charliecloud test suite (see below) includes a test that fails if some
but not all of the above variables are set.
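
The all-or-none rule and the sudoers line can be checked locally with the sketch below. It is an added example, not the Charliecloud test suite's own code; the function names are assumptions, and the sudoers check only reads quoted `Defaults env_keep` lines from the file it is given.

```shell
#!/bin/sh
# Added example (not the Charliecloud test suite's code): all-or-none check
# for the eight proxy variables, plus a check of sudoers env_keep lines.
PROXY_VARS="HTTP_PROXY http_proxy HTTPS_PROXY https_proxy ALL_PROXY all_proxy NO_PROXY no_proxy"

# Print the names of proxy variables that are unset or empty.
proxy_missing() {
    missing=""
    for v in $PROXY_VARS; do
        eval "val=\${$v:-}"    # $v only ever comes from the fixed list above
        [ -n "$val" ] || missing="${missing:+$missing }$v"
    done
    printf '%s\n' "$missing"
}

# Return 0 if all eight are set or none are, 1 if only some are set.
proxy_vars_consistent() {
    m=$(proxy_missing)
    if [ -z "$m" ] || [ "$m" = "$PROXY_VARS" ]; then
        return 0
    fi
    echo "proxy variables only partly set; missing: $m" >&2
    return 1
}

# sudoers_keeps_all FILE
# Return 0 if the Defaults env_keep lines in FILE name all eight variables.
sudoers_keeps_all() {
    kept=$(sed -n 's/^[[:space:]]*Defaults[[:space:]]\{1,\}env_keep[[:space:]]*+\{0,1\}=[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | tr '\n\t' '  ')
    for v in $PROXY_VARS; do
        case " $kept " in
            *" $v "*) ;;
            *) echo "sudoers env_keep lacks $v" >&2; return 1 ;;
        esac
    done
    return 0
}

proxy_vars_consistent && echo "proxy variables: all or none set"
```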

Reid Priedhorsky, Tim Randles, and others

2014–2018, Los Alamos National Security, LLC

2019-08-22 00:00 Coordinated Universal Time CH-PULL2DIR(1)