CH-UMOUNT(1) Charliecloud CH-UMOUNT(1)

ch-umount - Unmount a FUSE mounted squash filesystem and remove the
mount point

$ ch-umount MOUNTDIR

Unmount Charliecloud SquashFS file at target directory MOUNTDIR.
Remove empty MOUNTDIR after successful unmounting.

Additional arguments:

--help print help and exit

--version print version and exit

$ ls /var/tmp/debian
bin dev home lib64 mnt proc run srv tmp var
boot etc lib media opt root sbin sys usr WEIRD_AL_YANKOVIC
$ ch-umount /var/tmp/debian
unmounted and removed /var/tmp/debian
$ ls /var/tmp/debian
ls: cannot access /var/tmp/debian: No such file or directory

If Charliecloud was obtained from your Linux distribution, use your
distribution’s bug reporting procedures.

Otherwise, report bugs to: <https://github.com/hpc/charliecloud/issues>

charliecloud(1)

Full documentation at: <https://hpc.github.io/charliecloud>

Docker is a convenient way to build Charliecloud images. While
installing Docker is beyond the scope of this documentation, here are a
few tips.

Understand the security implications of Docker
Because Docker (a) makes installing random crap from the internet
really easy and (b) is easy to deploy insecurely, you should take care.
Some of the implications are below. This list should not be considered
comprehensive nor a substitute for appropriate expertise; adhere to
your moral and institutional responsibilities.

docker equals root
Anyone who can run the docker command or interact with the Docker daemon
can trivially escalate to root. This is considered a feature.

For this reason, don’t create the docker group, as this will allow
passwordless, unlogged escalation for anyone in the group.
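
One way to audit a host for the condition described above, as an added example that is not part of the Charliecloud documentation. The function names are hypothetical, and the check reads only local group(5) and passwd(5) files, so accounts supplied by LDAP or other NSS sources are not covered.

```shell
#!/bin/sh
# Added example: list every account that belongs to the "docker" group.
# Paths default to the system files; pass other paths to audit an
# unpacked image or a backup instead of the live host.

# docker_group_members [GROUP_FILE] [PASSWD_FILE]
# Prints one username per line (sorted, unique). Prints nothing if the
# group does not exist or has no members.
docker_group_members() {
    group_file=${1:-/etc/group}
    passwd_file=${2:-/etc/passwd}

    # group(5) format: name:password:GID:user1,user2,...
    line=$(grep '^docker:' "$group_file" 2>/dev/null) || return 0
    gid=$(printf '%s\n' "$line" | cut -d: -f3)

    {
        # Supplementary members listed on the group line itself.
        printf '%s\n' "$line" | cut -d: -f4 | tr ',' '\n'
        # Accounts whose *primary* group is docker. These never appear
        # in the member list above. passwd(5): name:pw:UID:GID:...
        awk -F: -v gid="$gid" '$4 == gid { print $1 }' "$passwd_file"
    } | sed '/^$/d' | sort -u
}

# audit_docker_group [GROUP_FILE] [PASSWD_FILE]
# Returns 0 if nobody is in the docker group, 1 otherwise, and names
# the affected accounts on stderr.
audit_docker_group() {
    members=$(docker_group_members "$@")
    if [ -n "$members" ]; then
        echo "docker group grants root-equivalent access to:" >&2
        # Unquoted on purpose: one output line per member.
        printf '  %s\n' $members >&2
        return 1
    fi
    return 0
}
```

Call `audit_docker_group` with no arguments to check the live system; a non-zero exit status means at least one account can reach the Docker daemon without sudo.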

Images can contain bad stuff
Standard hygiene for “installing stuff from the internet” applies. Only
work with images you trust. The official Docker Hub repositories can
help.

Containers run as root
By default, Docker runs container processes as root. In addition to
being poor hygiene, this can be an escalation path, e.g. if you
bind-mount host directories.

Docker alters your network configuration
To see what it did:

$ ifconfig # note docker0 interface
$ brctl show # note docker0 bridge
$ route -n

Docker installs services
If you don’t want the service starting automatically at boot, e.g.:

$ systemctl is-enabled docker
enabled
$ systemctl disable docker
$ systemctl is-enabled docker
disabled

Configuring for a proxy
By default, Docker does not work if you have a proxy, and it fails in
two different ways.

The first problem is that Docker itself must be told to use a proxy.
This manifests as:

$ sudo docker run hello-world
Unable to find image 'hello-world:latest' locally
Pulling repository hello-world
Get https://index.docker.io/v1/repositories/library/hello-world/images: dial tcp 54.152.161.54:443: connection refused

If you have a systemd system, the Docker documentation explains how to
configure this. If you don’t have a systemd system, then
/etc/default/docker might be the place to go?

The second problem is that Docker containers need to know about the
proxy as well. This manifests as images failing to build because they
can’t download stuff from the internet.

The fix is to set the proxy variables in your environment, e.g.:

export HTTP_PROXY=http://proxy.example.com:8088
export http_proxy=$HTTP_PROXY
export HTTPS_PROXY=$HTTP_PROXY
export https_proxy=$HTTP_PROXY
export ALL_PROXY=$HTTP_PROXY
export all_proxy=$HTTP_PROXY
export NO_PROXY='localhost,127.0.0.1,.example.com'
export no_proxy=$NO_PROXY

You also need to teach sudo to retain them. Add the following to
/etc/sudoers:

Defaults env_keep+="HTTP_PROXY http_proxy HTTPS_PROXY https_proxy ALL_PROXY all_proxy NO_PROXY no_proxy"

Because different programs use different subsets of these variables,
and to avoid a situation where some things work and others don’t, the
Charliecloud test suite (see below) includes a test that fails if some
but not all of the above variables are set.

2014–2018, Los Alamos National Security, LLC

2020-01-28 00:00 Coordinated Universal Time CH-UMOUNT(1)