Provided by: charliecloud_0.9.1-1_amd64 bug


       ch-build - Wrapper for "docker build" that works around some of its annoying behaviors


          $ ch-build -t TAG [ARGS ...] CONTEXT


       Build  a Docker image named TAG described by Dockerfile ./Dockerfile or as specified. This
       is a wrapper for docker build with various enhancements.

       Sudo privileges are required to run the docker command.


          --file Dockerfile to use (default: ./Dockerfile)

          -t     name (tag) of Docker image to build

          --help print help and exit

                 print version and exit

       Additional arguments are accepted and passed unchanged to docker build.


       ch-build adds the following features to docker build:

       · If there is a file Dockerfile in the current working directory and  -f  is  not  already
         specified, add -f $PWD/Dockerfile.

       · Pass the HTTP proxy environment variables through with --build-arg.

          The  suffix  :latest  is somewhat misleading, as neither ch-build nor bare docker build
          will notice if the base FROM image has been updated. Use --no-cache to  make  sure  you
          have the latest base image, at the cost of rebuilding every layer.


       Create  a  Docker  image  tagged  foo  and specified by the file Dockerfile located in the
       current working directory. Use /bar as the Docker context directory:

          $ ch-build -t foo /bar

       Equivalent to above:

          $ ch-build -t foo --file=./Dockerfile /bar

       Instead, use the Dockerfile /baz/qux.docker:

          $ ch-build -t foo --file=/baz/qux.docker /bar

       Note that calling your Dockerfile anything other than Dockerfile will confuse people.


       If Charliecloud was obtained from your Linux distribution,  use  your  distribution’s  bug
       reporting procedures.

       Otherwise, report bugs to: <>



       Full documentation at: <>


       Docker is a convenient way to build Charliecloud images. While installing Docker is beyond
       the scope of this documentation, here are a few tips.

   Understand the security implications of Docker
       Because Docker (a) makes installing random crap from the internet really easy and  (b)  is
       easy  to deploy insecurely, you should take care. Some of the implications are below. This
       list should not be considered comprehensive nor a substitute  for  appropriate  expertise;
       adhere to your moral and institutional responsibilities.

   docker equals root
       Anyone  who  can  run  the docker command or interact with the Docker daemon can trivially
       escalate to root.  This is considered a feature.

       For this reason, don’t create the docker group, as this will allow passwordless,  unlogged
       escalation for anyone in the group.

   Images can contain bad stuff
       Standard  hygiene  for “installing stuff from the internet” applies. Only work with images
       you trust. The official Docker Hub repositories can help.

   Containers run as root
       By default, Docker runs container processes as root. In addition to  being  poor  hygiene,
       this can be an escalation path, e.g. if you bind-mount host directories.

   Docker alters your network configuration
       To see what it did:

          $ ifconfig    # note docker0 interface
          $ brctl show  # note docker0 bridge
          $ route -n

   Docker installs services
       If you don’t want the service starting automatically at boot, e.g.:

          $ systemctl is-enabled docker
          $ systemctl disable docker
          $ systemctl is-enabled docker

   Configuring for a proxy
       By default, Docker does not work if you have a proxy, and it fails in two different ways.

       The first problem is that Docker itself must be told to use a proxy. This manifests as:

          $ sudo docker run hello-world
          Unable to find image 'hello-world:latest' locally
          Pulling repository hello-world
          Get dial tcp connection refused

       If  you have a systemd system, the Docker documentation explains how to configure this. If
       you don’t have a systemd system, then /etc/default/docker might be the place to go?

       The second problem is that Docker containers need to know about the proxy  as  well.  This
       manifests as images failing to build because they can’t download stuff from the internet.

       The fix is to set the proxy variables in your environment, e.g.:

          export HTTP_PROXY=
          export http_proxy=$HTTP_PROXY
          export HTTPS_PROXY=$HTTP_PROXY
          export https_proxy=$HTTP_PROXY
          export ALL_PROXY=$HTTP_PROXY
          export all_proxy=$HTTP_PROXY
          export NO_PROXY='localhost,,'
          export no_proxy=$NO_PROXY

       You also need to teach sudo to retain them. Add the following to /etc/sudoers:

          Defaults env_keep+="HTTP_PROXY http_proxy HTTPS_PROXY https_proxy ALL_PROXY all_proxy NO_PROXY no_proxy"

       Because  different  programs  use  different  subsets  of  these variables, and to avoid a
       situation where some things work and others don’t, the Charliecloud test suite (see below)
       includes a test that fails if some but not all of the above variables are set.


       Reid Priedhorsky, Tim Randles, and others


       2014–2018, Los Alamos National Security, LLC

                                    2018-08-11 20:22 GMT+00:00                        CH-BUILD(1)