CH-DOCKER2TAR(1) Charliecloud CH-DOCKER2TAR(1)

ch-docker2tar - Flatten a Docker image into a Charliecloud image tarball

$ ch-docker2tar IMAGE OUTDIR

Flattens the Docker image tagged IMAGE into a Charliecloud tarball in
directory OUTDIR.

The Docker environment (e.g., ENV statements) is placed in a file in
the tarball at ./environment, in a form suitable for ch-run --set-env.

Sudo privileges are required to run docker export.

Additional arguments:

--help     print help and exit

--version  print version and exit

$ ch-docker2tar hello /var/tmp
57M /var/tmp/hello.tar.gz
$ ls -lh /var/tmp
-rw-r----- 1 reidpr reidpr 57M Feb 13 16:14 hello.tar.gz

If Charliecloud was obtained from your Linux distribution, use your
distribution’s bug reporting procedures.

Otherwise, report bugs to: <https://github.com/hpc/charliecloud/issues>

charliecloud(1)

Full documentation at: <https://hpc.github.io/charliecloud>

Docker is a convenient way to build Charliecloud images. While
installing Docker is beyond the scope of this documentation, here are a
few tips.

Understand the security implications of Docker
Because Docker (a) makes installing random crap from the internet
really easy and (b) is easy to deploy insecurely, you should take care.
Some of the implications are below. This list should not be considered
comprehensive nor a substitute for appropriate expertise; adhere to
your moral and institutional responsibilities.

docker equals root
Anyone who can run the docker command or interact with the Docker daemon
can trivially escalate to root. This is considered a feature.

For this reason, don’t create the docker group, as this will allow
passwordless, unlogged escalation for anyone in the group.

Images can contain bad stuff
Standard hygiene for “installing stuff from the internet” applies. Only
work with images you trust. The official Docker Hub repositories can
help.

Containers run as root
By default, Docker runs container processes as root. In addition to
being poor hygiene, this can be an escalation path, e.g. if you
bind-mount host directories.

Docker alters your network configuration
To see what it did:

$ ifconfig # note docker0 interface
$ brctl show # note docker0 bridge
$ route -n

Docker installs services
If you don’t want the service starting automatically at boot, disable it, e.g.:

$ systemctl is-enabled docker
enabled
$ systemctl disable docker
$ systemctl is-enabled docker
disabled

Configuring for a proxy
By default, Docker does not work if you have a proxy, and it fails in
two different ways.

The first problem is that Docker itself must be told to use a proxy.
This manifests as:

$ sudo docker run hello-world
Unable to find image 'hello-world:latest' locally
Pulling repository hello-world
Get https://index.docker.io/v1/repositories/library/hello-world/images: dial tcp 54.152.161.54:443: connection refused

If you have a systemd system, the Docker documentation explains how to
configure this. If you don’t have a systemd system, then
/etc/default/docker might be the place to go?

The second problem is that Docker containers need to know about the
proxy as well. This manifests as images failing to build because they
can’t download stuff from the internet.

The fix is to set the proxy variables in your environment, e.g.:

export HTTP_PROXY=http://proxy.example.com:8088
export http_proxy=$HTTP_PROXY
export HTTPS_PROXY=$HTTP_PROXY
export https_proxy=$HTTP_PROXY
export ALL_PROXY=$HTTP_PROXY
export all_proxy=$HTTP_PROXY
export NO_PROXY='localhost,127.0.0.1,.example.com'
export no_proxy=$NO_PROXY

You also need to teach sudo to retain them. Add the following to
/etc/sudoers:

Defaults env_keep+="HTTP_PROXY http_proxy HTTPS_PROXY https_proxy ALL_PROXY all_proxy NO_PROXY no_proxy"

Because different programs use different subsets of these variables,
and to avoid a situation where some things work and others don’t, the
Charliecloud test suite (see below) includes a test that fails if some
but not all of the above variables are set.
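
The all-or-nothing rule described above can be checked before running sudo docker. The following is an added example, not the Charliecloud test suite's own code; the function name proxy_vars_check, its return codes, and the extra check that each upper/lower-case pair holds the same value are assumptions of this example.

```shell
# Added example (not from Charliecloud): all-or-nothing check of the proxy
# variables listed above. Return codes are this example's own convention:
#   0 = none set, or all eight set and each upper/lower pair agrees
#   1 = some but not all set
#   2 = all set, but an upper/lower-case pair holds different values
PROXY_VARS="HTTP_PROXY http_proxy HTTPS_PROXY https_proxy ALL_PROXY all_proxy NO_PROXY no_proxy"

proxy_vars_check() {
    set_count=0
    missing=""
    for v in $PROXY_VARS; do
        # ${VAR+x} expands to "x" only when VAR is set, even if set to empty.
        if eval "[ -n \"\${$v+x}\" ]"; then
            set_count=$((set_count + 1))
        else
            missing="$missing $v"
        fi
    done
    if [ "$set_count" -eq 0 ]; then
        return 0
    fi
    if [ -n "$missing" ]; then
        echo "proxy variables partially set; missing:$missing" >&2
        return 1
    fi
    # Beyond the rule in the text: a mismatched pair means programs that read
    # different spellings of the variable would use different proxies.
    for pair in HTTP_PROXY:http_proxy HTTPS_PROXY:https_proxy \
                ALL_PROXY:all_proxy NO_PROXY:no_proxy; do
        upper=${pair%%:*}
        lower=${pair##*:}
        eval "uval=\$$upper; lval=\$$lower"
        if [ "$uval" != "$lval" ]; then
            echo "$upper and $lower differ" >&2
            return 2
        fi
    done
    return 0
}
```

Run it in the shell that will invoke sudo; it inspects only the caller's environment, so it does not confirm that the env_keep line in /etc/sudoers is in place.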

Reid Priedhorsky, Tim Randles, and others

2014–2018, Los Alamos National Security, LLC

2019-08-22 00:00 Coordinated Universal Time CH-DOCKER2TAR(1)