Provided by: charliecloud_0.9.1-1_amd64 bug

NAME

       ch-docker-run - Run a command in a Docker container

SYNOPSIS

          $ ch-docker-run [-i] [-b HOSTDIR:GUESTDIR ...] TAG CMD [ARGS ...]

DESCRIPTION

       Runs the command CMD in a Docker container using the image named TAG.

       Sudo privileges are required for docker run.

       CMD  is  run  under your user ID. The users and groups inside the container match those on
       the host.

       NOTE:
          This command is intended as  a  convenience  for  debugging  images  and  Charliecloud.
          Routine use for running applications is not recommended.  Instead, use ch-run.

       Arguments:

          -i     run interactively with a pseudo-TTY

          -b     bind-mount HOSTDIR at GUESTDIR inside the container (can be repeated)

          --help print help and exit

          --version
                 print version and exit

REPORTING BUGS

       If  Charliecloud  was  obtained  from your Linux distribution, use your distribution’s bug
       reporting procedures.

       Otherwise, report bugs to: <https://github.com/hpc/charliecloud/issues>

SEE ALSO

       charliecloud(1)

       Full documentation at: <https://hpc.github.io/charliecloud>

DOCKER TIPS

       Docker is a convenient way to build Charliecloud images. While installing Docker is beyond
       the scope of this documentation, here are a few tips.

   Understand the security implications of Docker
       Because  Docker  (a) makes installing random crap from the internet really easy and (b) is
       easy to deploy insecurely, you should take care. Some of the implications are below.  This
       list  should  not  be considered comprehensive nor a substitute for appropriate expertise;
       adhere to your moral and institutional responsibilities.

   docker equals root
       Anyone who can run the docker command or interact with the  Docker  daemon  can  trivially
       escalate to root.  This is considered a feature.

       For  this reason, don’t create the docker group, as this will allow passwordless, unlogged
       escalation for anyone in the group.

   Images can contain bad stuff
       Standard hygiene for “installing stuff from the internet” applies. Only work  with  images
       you trust. The official Docker Hub repositories can help.

   Containers run as root
       By  default,  Docker  runs container processes as root. In addition to being poor hygiene,
       this can be an escalation path, e.g. if you bind-mount host directories.

   Docker alters your network configuration
       To see what it did:

          $ ifconfig    # note docker0 interface
          $ brctl show  # note docker0 bridge
          $ route -n

   Docker installs services
       If you don’t want the service starting automatically at boot, e.g.:

          $ systemctl is-enabled docker
          enabled
          $ systemctl disable docker
          $ systemctl is-enabled docker
          disabled

   Configuring for a proxy
       By default, Docker does not work if you have a proxy, and it fails in two different ways.

       The first problem is that Docker itself must be told to use a proxy. This manifests as:

          $ sudo docker run hello-world
          Unable to find image 'hello-world:latest' locally
          Pulling repository hello-world
          Get https://index.docker.io/v1/repositories/library/hello-world/images: dial tcp 54.152.161.54:443: connection refused

       If you have a systemd system, the Docker documentation explains how to configure this.  If
       you don’t have a systemd system, then /etc/default/docker might be the place to go?

       The  second  problem  is that Docker containers need to know about the proxy as well. This
       manifests as images failing to build because they can’t download stuff from the internet.

       The fix is to set the proxy variables in your environment, e.g.:

          export HTTP_PROXY=http://proxy.example.com:8088
          export http_proxy=$HTTP_PROXY
          export HTTPS_PROXY=$HTTP_PROXY
          export https_proxy=$HTTP_PROXY
          export ALL_PROXY=$HTTP_PROXY
          export all_proxy=$HTTP_PROXY
          export NO_PROXY='localhost,127.0.0.1,.example.com'
          export no_proxy=$NO_PROXY

       You also need to teach sudo to retain them. Add the following to /etc/sudoers:

          Defaults env_keep+="HTTP_PROXY http_proxy HTTPS_PROXY https_proxy ALL_PROXY all_proxy NO_PROXY no_proxy"

       Because different programs use different subsets  of  these  variables,  and  to  avoid  a
       situation where some things work and others don’t, the Charliecloud test suite (see below)
       includes a test that fails if some but not all of the above variables are set.

AUTHOR

       Reid Priedhorsky, Tim Randles, and others

COPYRIGHT

       2014–2018, Los Alamos National Security, LLC

                                    2018-08-11 20:22 GMT+00:00                   CH-DOCKER-RUN(1)