CH-PULL2TAR(1) Charliecloud CH-PULL2TAR(1)

ch-pull2tar - Pull image from Docker Hub and flatten into tarball

    $ ch-pull2tar IMAGE[:TAG] OUTDIR

Pull a Docker image named IMAGE[:TAG] from Docker Hub and flatten it
into a Charliecloud tarball in directory OUTDIR.

This runs the following command sequence: docker pull, ch-builder2tar
but provides less flexibility than the individual commands.

Sudo privileges are required for docker pull.

Additional arguments:

--help
    print help and exit

--version
    print version and exit

    $ ch-pull2tar alpine /var/tmp
    Using default tag: latest
    latest: Pulling from library/alpine
    Digest: sha256:621c2f39f8133acb8e64023a94dbdf0d5ca81896102b9e57c0dc184cadaf5528
    Status: Image is up to date for alpine:latest
    -rw-r--r--. 1 charlie charlie 2.1M Oct 5 19:52 /var/tmp/alpine.tar.gz

Same as above, except optional TAG is specified:

    $ ch-pull2tar alpine:3.6 /var/tmp
    3.6: Pulling from library/alpine
    Digest: sha256:cc24af836d1377e092ecb4e8f0a4324c3b1aa2b5295c2239edcc7bbc86a9cbc6
    Status: Image is up to date for alpine:3.6
    -rw-r--r--. 1 charlie charlie 2.1M Oct 5 19:54 /var/tmp/alpine:3.6.tar.gz

If Charliecloud was obtained from your Linux distribution, use your
distribution’s bug reporting procedures.

Otherwise, report bugs to: <https://github.com/hpc/charliecloud/issues>

charliecloud(1)

Full documentation at: <https://hpc.github.io/charliecloud>

Docker is a convenient way to build Charliecloud images. While
installing Docker is beyond the scope of this documentation, here are a
few tips.

Understand the security implications of Docker
Because Docker (a) makes installing random crap from the internet
really easy and (b) is easy to deploy insecurely, you should take care.
Some of the implications are below. This list should not be considered
comprehensive nor a substitute for appropriate expertise; adhere to
your moral and institutional responsibilities.

docker equals root
Anyone who can run the docker command or interact with the Docker daemon
can trivially escalate to root. This is considered a feature.

For this reason, don’t create the docker group, as this will allow
passwordless, unlogged escalation for anyone in the group.

Images can contain bad stuff
Standard hygiene for “installing stuff from the internet” applies. Only
work with images you trust. The official Docker Hub repositories can
help.

Containers run as root
By default, Docker runs container processes as root. In addition to
being poor hygiene, this can be an escalation path, e.g. if you
bind-mount host directories.

Docker alters your network configuration
To see what it did:

    $ ifconfig    # note docker0 interface
    $ brctl show  # note docker0 bridge
    $ route -n

Docker installs services
If you don’t want the service starting automatically at boot, e.g.:

    $ systemctl is-enabled docker
    enabled
    $ systemctl disable docker
    $ systemctl is-enabled docker
    disabled

Configuring for a proxy
By default, Docker does not work if you have a proxy, and it fails in
two different ways.

The first problem is that Docker itself must be told to use a proxy.
This manifests as:

    $ sudo docker run hello-world
    Unable to find image 'hello-world:latest' locally
    Pulling repository hello-world
    Get https://index.docker.io/v1/repositories/library/hello-world/images: dial tcp 54.152.161.54:443: connection refused

If you have a systemd system, the Docker documentation explains how to
configure this. If you don’t have a systemd system, then
/etc/default/docker might be the place to go?

The second problem is that Docker containers need to know about the
proxy as well. This manifests as images failing to build because they
can’t download stuff from the internet.

The fix is to set the proxy variables in your environment, e.g.:

    export HTTP_PROXY=http://proxy.example.com:8088
    export http_proxy=$HTTP_PROXY
    export HTTPS_PROXY=$HTTP_PROXY
    export https_proxy=$HTTP_PROXY
    export ALL_PROXY=$HTTP_PROXY
    export all_proxy=$HTTP_PROXY
    export NO_PROXY='localhost,127.0.0.1,.example.com'
    export no_proxy=$NO_PROXY

You also need to teach sudo to retain them. Add the following to
/etc/sudoers:

    Defaults env_keep+="HTTP_PROXY http_proxy HTTPS_PROXY https_proxy ALL_PROXY all_proxy NO_PROXY no_proxy"

Because different programs use different subsets of these variables,
and to avoid a situation where some things work and others don’t, the
Charliecloud test suite (see below) includes a test that fails if some
but not all of the above variables are set.
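
A check in the spirit of that test, as an added example (not the Charliecloud test suite's own code). The function name check_proxy_env is hypothetical, and the comparison of each upper/lowercase pair goes beyond the all-or-nothing rule described above:

```shell
#!/bin/sh
# Added example: NOT Charliecloud's own test. Checks that the proxy
# variables listed above are set all-or-nothing, and (an extension) that
# each upper/lowercase pair carries the same value.

PROXY_VARS="HTTP_PROXY http_proxy HTTPS_PROXY https_proxy ALL_PROXY all_proxy NO_PROXY no_proxy"

# check_proxy_env (hypothetical helper name)
# Returns 0 when the environment is consistent, 1 otherwise.
# The reason for a failure is written to stderr.
check_proxy_env () {
    set_count=0
    total=0
    missing=""
    for name in $PROXY_VARS; do
        total=$((total + 1))
        # eval is safe here: $name only ever comes from the fixed list above.
        eval "value=\${$name:-}"
        if [ -n "$value" ]; then
            set_count=$((set_count + 1))
        else
            missing="$missing $name"
        fi
    done

    # "Some but not all" is the failure the page describes.
    if [ "$set_count" -ne 0 ] && [ "$set_count" -ne "$total" ]; then
        echo "proxy: only $set_count of $total variables set; missing:$missing" >&2
        return 1
    fi

    # Programs read different spellings, so a mismatched pair sends some
    # traffic through one proxy and some through another (or none).
    for upper in HTTP_PROXY HTTPS_PROXY ALL_PROXY NO_PROXY; do
        lower=$(printf '%s' "$upper" | tr '[:upper:]' '[:lower:]')
        eval "upper_value=\${$upper:-}; lower_value=\${$lower:-}"
        if [ "$upper_value" != "$lower_value" ]; then
            echo "proxy: $upper and $lower have different values" >&2
            return 1
        fi
    done
    return 0
}
```

Source the file and call check_proxy_env in the shell you run sudo from, since env_keep can only preserve variables that are set there.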

2014–2018, Los Alamos National Security, LLC

2020-01-28 00:00 Coordinated Universal Time CH-PULL2TAR(1)