1CH-PULL2TAR(1)                   Charliecloud                   CH-PULL2TAR(1)
2
3
4

NAME

6       ch-pull2tar - Pull image from a Docker Hub and flatten into tarball
7

SYNOPSIS

9          $ ch-pull2tar IMAGE[:TAG] OUTDIR
10

DESCRIPTION

12       Pull  a  Docker  image named IMAGE[:TAG] from Docker Hub and flatten it
13       into a Charliecloud tarball in directory OUTDIR.
14
15       This runs the following command sequence: docker  pull,  ch-builder2tar
16       but provides less flexibility than the individual commands.
17
18       Sudo privileges are required for docker pull.
19
20       Additional arguments:
21
22          --help print help and exit
23
24          --version
25                 print version and exit
26

EXAMPLES

28          $ ch-pull2tar alpine /var/tmp
29          Using default tag: latest
30          latest: Pulling from library/alpine
31          Digest: sha256:621c2f39f8133acb8e64023a94dbdf0d5ca81896102b9e57c0dc184cadaf5528
32          Status: Image is up to date for alpine:latest
33          -rw-r--r--. 1 charlie charlie 2.1M Oct  5 19:52 /var/tmp/alpine.tar.gz
34
35       Same as above, except optional TAG is specified:
36
37          $ ch-pull2tar alpine:3.6
38          3.6: Pulling from library/alpine
39          Digest: sha256:cc24af836d1377e092ecb4e8f0a4324c3b1aa2b5295c2239edcc7bbc86a9cbc6
40          Status: Image is up to date for alpine:3.6
41          -rw-r--r--. 1 charlie charlie 2.1M Oct  5 19:54 /var/tmp/alpine:3.6.tar.gz
42

REPORTING BUGS

44       If  Charliecloud  was  obtained  from your Linux distribution, use your
45       distribution’s bug reporting procedures.
46
47       Otherwise, report bugs to: <https://github.com/hpc/charliecloud/issues>
48

SEE ALSO

50       charliecloud(1)
51
52       Full documentation at: <https://hpc.github.io/charliecloud>
53

DOCKER TIPS

55       Docker  is  a  convenient  way  to  build  Charliecloud  images.  While
56       installing Docker is beyond the scope of this documentation, here are a
57       few tips.
58
59   Understand the security implications of Docker
60       Because Docker (a) makes  installing  random  crap  from  the  internet
61       really easy and (b) is easy to deploy insecurely, you should take care.
62       Some of the implications are below. This list should not be  considered
63       comprehensive  nor  a  substitute  for appropriate expertise; adhere to
64       your moral and institutional responsibilities.
65
66   docker equals root
67       Anyone who can run the docker command or interact with the Docker  dae‐
68       mon can trivially escalate to root.  This is considered a feature.
69
70       For  this  reason,  don’t  create  the docker group, as this will allow
71       passwordless, unlogged escalation for anyone in the group.
72
73   Images can contain bad stuff
74       Standard hygiene for “installing stuff from the internet” applies. Only
75       work  with  images  you trust. The official Docker Hub repositories can
76       help.
77
78   Containers run as root
79       By default, Docker runs container processes as  root.  In  addition  to
80       being  poor  hygiene,  this  can  be  an  escalation  path, e.g. if you
81       bind-mount host directories.
82
83   Docker alters your network configuration
84       To see what it did:
85
86          $ ifconfig    # note docker0 interface
87          $ brctl show  # note docker0 bridge
88          $ route -n
89
90   Docker installs services
91       If you don’t want the service starting automatically at boot, e.g.:
92
93          $ systemctl is-enabled docker
94          enabled
95          $ systemctl disable docker
96          $ systemctl is-enabled docker
97          disabled
98
99   Configuring for a proxy
100       By default, Docker does not work if you have a proxy, and it  fails  in
101       two different ways.
102
103       The  first  problem  is that Docker itself must be told to use a proxy.
104       This manifests as:
105
106          $ sudo docker run hello-world
107          Unable to find image 'hello-world:latest' locally
108          Pulling repository hello-world
109          Get https://index.docker.io/v1/repositories/library/hello-world/images: dial tcp 54.152.161.54:443: connection refused
110
111       If you have a systemd system, the Docker documentation explains how  to
112       configure   this.   If   you   don’t   have   a  systemd  system,  then
113       /etc/default/docker might be the place to go?
114
115       The second problem is that Docker containers need  to  know  about  the
116       proxy  as  well. This manifests as images failing to build because they
117       can’t download stuff from the internet.
118
119       The fix is to set the proxy variables in your environment, e.g.:
120
121          export HTTP_PROXY=http://proxy.example.com:8088
122          export http_proxy=$HTTP_PROXY
123          export HTTPS_PROXY=$HTTP_PROXY
124          export https_proxy=$HTTP_PROXY
125          export ALL_PROXY=$HTTP_PROXY
126          export all_proxy=$HTTP_PROXY
127          export NO_PROXY='localhost,127.0.0.1,.example.com'
128          export no_proxy=$NO_PROXY
129
130       You also need to teach sudo  to  retain  them.  Add  the  following  to
131       /etc/sudoers:
132
133          Defaults env_keep+="HTTP_PROXY http_proxy HTTPS_PROXY https_proxy ALL_PROXY all_proxy NO_PROXY no_proxy"
134
135       Because  different  programs  use different subsets of these variables,
136       and to avoid a situation where some things work and others  don’t,  the
137       Charliecloud  test suite (see below) includes a test that fails if some
138       but not all of the above variables are set.
139
141       2014–2018, Los Alamos National Security, LLC
142
143
144
145
146                  2020-01-28 00:00 Coordinated Universal Time   CH-PULL2TAR(1)
Impressum