disable firewalld/iptables in centos7 minimal version - docker

I have a centos:7 minimal image on my docker and I want to stop iptables/firewalld, but the official centos:7 image that I have downloaded from the docker repository does not support systemctl/service.
guide me to stop iptables/firewalld on this minimal centos:7
I tried
setenforce 0
& disabled selinux

The official centos:7 minimal image has no firewalld installed, and iptables is not running by default.
$ docker run -it centos:7 bash
[root@f4d4d29f4ca4 /]# find / -name 'fire*'
[root@f4d4d29f4ca4 /]# find / -name 'iptables*'
/etc/sysconfig/iptables-config
/etc/sysconfig/iptables
/usr/lib/systemd/system/iptables.service
/usr/sbin/iptables
/usr/sbin/iptables-save
/usr/sbin/iptables-restore
/usr/libexec/initscripts/legacy-actions/iptables
/usr/libexec/iptables
/usr/libexec/iptables/iptables.init
/usr/bin/iptables-xml
[root@f4d4d29f4ca4 /]# ps aux
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.1 0.1 11748 2916 ? Ss 12:13 0:00 bash
root 40 0.0 0.1 19752 2244 ? R+ 12:16 0:00 ps aux
selinux is not installed either:
[root@f4d4d29f4ca4 /]# cat /etc/sysconfig/selinux
cat: /etc/sysconfig/selinux: No such file or directory

Related

How to use docker compose volumes to reflect container files on the host when running the container process with a user that only exists on the container

I don't have that much experience with containers or bash scripts either, and I am having a really hard time trying to get a directory on my host machine to receive the log files from a celery container. I run docker in rootless mode.
I have a dockerfile where I create a user and group named "celery", install gosu and define an entrypoint and a cmd. On the entrypoint I simply exec gosu "$USER_NAME" "$@" and the CMD is
celery \
-A src.core.celery_app \
worker \
--pool=gevent \
--concurrency=5 \
--loglevel=info \
--pidfile=/var/run/celery/%n.pid \
--logfile=/var/log/celery/%n%I.log
If I run the docker compose without volumes everything works fine: I have the worker running on the container under the celery user and also the /var/log/celery/celery.log owned by celery celery.
# ps aux
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
celery 1 0.0 0.0 2420 596 ? Ss 10:42 0:00 /bin/sh ./start-celeryworker
celery 12 0.8 0.5 210872 84496 ? Sl 10:42 0:01 /usr/local/bin/python /usr/local/bin/celery -A src.core...
# ls -la /var/log
total 752
drwxr-xr-x 1 celery celery 4096 Jun 24 10:42 celery
But if I try to add a volume so I can have the log files on the host (volumes: <local dir>:/var/log/celery), the local dir is created, but it is empty and I get a permission denied error:
File "/usr/local/lib/python3.9/logging/__init__.py", line 1175, in _open
return open(self.baseFilename, self.mode, encoding=self.encoding,
PermissionError: [Errno 13] Permission denied: '/var/log/celery/celery.log'
I even tried chmod 777 on the container file, but still get the error. I looked at the postgres official image dockerfile and entrypoint.sh, and at the file structure of the postgres container after build (because there I can get the pgdata directory on the host under user 100069 and group jap (this is my user name, uid:gid 1000:1000)), but as I mentioned before, I don't have that much knowledge of bash.
I gave uid and gid 1003 to the celery user and group on the container, and on the host the process runs under 101002.
Now, if I don't create the "celery" user and group and run celery as root, everything works perfectly and the volume works too. Any ideas? Thanks
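The ownership numbers in the question (container uid 1003 appearing on the host as 101002, the postgres data directory appearing as 100069) are what a rootless Docker user namespace produces. The following is an added example, not code from the question or from Docker: it computes that mapping from an /etc/subuid entry. It assumes the standard rootless layout (container id 0 is the host user running the daemon, container ids 1, 2, 3, ... are taken in order from that user's subordinate range) and uses a constructed /etc/subuid file with a made-up range start of 100000 for user jap.

```python
"""Map container uids/gids to the host ids rootless Docker actually uses.

Added example, not part of the question above. It assumes the standard
rootless user-namespace layout: container id 0 is the host user who runs the
rootless daemon, and container ids 1, 2, 3, ... are taken in order from that
user's subordinate ranges in /etc/subuid (or /etc/subgid for groups).
"""
from __future__ import annotations

from dataclasses import dataclass

# Constructed /etc/subuid content for this example (assumed, not from the page):
# host user "jap" (uid 1000) owns 65536 subordinate ids starting at 100000.
SAMPLE_SUBUID = """\
# name:start:count
jap:100000:65536
other:165536:65536
"""
HOST_USER_ID = 1000


@dataclass(frozen=True)
class IdRange:
    start: int
    count: int


def parse_subid(text: str, user: str) -> list[IdRange]:
    """Return the subordinate id ranges assigned to `user`, in file order."""
    ranges = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, start, count = line.split(":")
        if name == user:
            ranges.append(IdRange(int(start), int(count)))
    return ranges


def container_to_host(container_id: int, host_user_id: int, ranges: list[IdRange]) -> int:
    """Return the host uid/gid that `container_id` inside the container maps to."""
    if container_id < 0:
        raise ValueError("ids are non-negative")
    if container_id == 0:
        return host_user_id  # container root is the unprivileged host user
    offset = container_id - 1  # container id 1 is the first subordinate id
    for r in ranges:
        if offset < r.count:
            return r.start + offset
        offset -= r.count
    raise ValueError(f"container id {container_id} is outside the mapped ranges")


def host_to_container(host_id: int, host_user_id: int, ranges: list[IdRange]) -> int | None:
    """Inverse mapping; None when the host id is not visible inside the container."""
    if host_id == host_user_id:
        return 0
    consumed = 0
    for r in ranges:
        if r.start <= host_id < r.start + r.count:
            return 1 + consumed + (host_id - r.start)
        consumed += r.count
    return None


if __name__ == "__main__":
    ranges = parse_subid(SAMPLE_SUBUID, "jap")
    for cid in (0, 70, 1003):
        print(f"container id {cid:>4} -> host id {container_to_host(cid, HOST_USER_ID, ranges)}")
```

With those assumptions uid 1003 lands on host id 101002 and uid 70 (the postgres user in the Alpine-based image) on 100069, matching the numbers in the question. The same mapping runs the other way for the bind mount: a host directory owned by jap (1000) is owned by uid 0 inside the container, so the celery user cannot write to it. The directory has to be owned or writable by host id 101002; an unprivileged host user cannot chown to that id directly, but can do it from inside a container where the id exists, for instance `docker run --rm -v "$PWD/logs:/mnt" alpine chown 1003:1003 /mnt`.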

Get stats for all processes in a container

I am interested in getting the cpu and mem info for each individual process in a container. I know docker stats gives me the info for the entire container and docker container top tells me the processes in a container. Is it possible to combine these two actions and get the stats for each process in a container?
One option would be to use the ps command inside the container. I looked into using htop, but I believe that's designed to be used interactively:
# start example ubuntu container
docker run -d --name ubuntu ubuntu:latest tail -f /dev/null
# execute ps aux inside container
docker exec -it ubuntu ps aux
Output:
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.0 0.0 2548 516 ? Ss 15:41 0:00 tail -f /dev/nu
root 7 0.0 0.1 5892 2924 pts/0 Rs+ 15:42 0:00 ps aux
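To do anything with that output programmatically (sort by memory, sum per user, feed it to a monitor), it has to be parsed, and the one trap is that the COMMAND column can contain spaces. The parser below is an added example, not code from the answer above; the ps output it parses is constructed to mirror the columns shown on this page and the numbers in it are assumed.

```python
"""Turn `docker exec <container> ps aux` output into per-process records.

Added example, not part of the answer above. The COMMAND column may contain
spaces, so each line is split into at most 11 fields rather than on every
space. The sample output is constructed; its values are assumed.
"""
from __future__ import annotations

from dataclasses import dataclass

# Constructed `ps aux` output (columns as on this page, numbers assumed).
PS_AUX_OUTPUT = """\
USER         PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root           1  0.0  0.0   2548   516 ?        Ss   15:41   0:00 tail -f /dev/null
root           7  0.0  0.1   5892  2924 pts/0    Rs+  15:42   0:00 ps aux
nobody        12  1.5  2.0  99000  8000 ?        S    15:43   0:01 python -m http.server 8080
"""


@dataclass(frozen=True)
class Proc:
    user: str
    pid: int
    cpu: float
    mem: float
    vsz_kb: int
    rss_kb: int
    tty: str
    stat: str
    start: str
    time: str
    command: str


def parse_ps_aux(text: str) -> list[Proc]:
    """Parse `ps aux` output; the header line is skipped."""
    procs = []
    for line in text.splitlines()[1:]:
        if not line.strip():
            continue
        fields = line.split(None, 10)  # 10 splits -> 11 fields, COMMAND keeps its spaces
        if len(fields) != 11:
            raise ValueError(f"unexpected ps line: {line!r}")
        user, pid, cpu, mem, vsz, rss, tty, stat, start, time, command = fields
        procs.append(Proc(user, int(pid), float(cpu), float(mem), int(vsz),
                          int(rss), tty, stat, start, time, command))
    return procs


def top_by(procs: list[Proc], key: str, n: int = 3) -> list[Proc]:
    """Processes sorted descending by a numeric column (cpu, mem, rss_kb, ...)."""
    return sorted(procs, key=lambda p: getattr(p, key), reverse=True)[:n]


def totals_by_user(procs: list[Proc]) -> dict[str, dict[str, float]]:
    """Sum %CPU, %MEM and RSS per user, the view `docker stats` collapses."""
    out: dict[str, dict[str, float]] = {}
    for p in procs:
        acc = out.setdefault(p.user, {"cpu": 0.0, "mem": 0.0, "rss_kb": 0.0})
        acc["cpu"] += p.cpu
        acc["mem"] += p.mem
        acc["rss_kb"] += p.rss_kb
    return out


if __name__ == "__main__":
    procs = parse_ps_aux(PS_AUX_OUTPUT)
    for p in top_by(procs, "rss_kb"):
        print(f"{p.pid:>6} {p.user:<8} {p.rss_kb:>8} KiB  {p.command}")
```

On a live container the input would come from `docker exec <container> ps aux`; `docker top <container>` produces a similar table from the host side without needing `ps` installed in the image.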

Is there a way to re-attach to a still-open session using the TTY with docker?

I have a bash session in one of my containers, started with docker exec -it mysql-instance bash, to which I lost connectivity, and I would like to know if I can reconnect to the same session based on the TTY. Is this possible?
user@debian64 ~> docker exec -it mysql-instance ps -A u x
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
mysql 1 0.1 1.0 1485872 116320 ? Ssl 22:29 0:00 mysqld
root 93 0.0 0.0 18508 3180 pts/0 Ss+ 22:32 0:00 bash
root 111 0.0 0.0 18508 3120 pts/1 Ss+ 22:35 0:00 /bin/bash
In this case I would like to reconnect the still running session on TTY pts/0. How can I do that?

Getting Read Only Filesystem Error inside a docker container

This command
echo 1 | sudo tee /proc/sys/net/ipv6/conf/all/disable_ipv6
when run inside a CentOS docker container (running on Mac), gives:
echo 1 | sudo tee /proc/sys/net/ipv6/conf/all/disable_ipv6
tee: /proc/sys/net/ipv6/conf/all/disable_ipv6: Read-only file system
1
When run inside a CentOS virtual machine, it succeeds and gives no error.
The directory permissions inside docker container and VM are exactly the same:
VM:
$ ls -ld /proc/sys/net/ipv6/conf/all/disable_ipv6
-rw-r--r-- 1 root root 0 Jan 4 21:09 /proc/sys/net/ipv6/conf/all/disable_ipv6
docker:
$ ls -ld /proc/sys/net/ipv6/conf/all/disable_ipv6
-rw-r--r-- 1 root root 0 Jan 5 05:05 /proc/sys/net/ipv6/conf/all/disable_ipv6
This is a fresh, brand new container.
Docker version:
$ docker --version
Docker version 18.09.0, build 4d60db4
What am I missing?
Try the hackish solution and add extended privileges to the container with --privileged:
$ docker run --rm -ti centos \
bash -c "echo 1 | tee /proc/sys/net/ipv6/conf/all/disable_ipv6"
tee: /proc/sys/net/ipv6/conf/all/disable_ipv6: Read-only file system
1
vs
$ docker run --privileged --rm -ti centos \
bash -c "echo 1 | tee /proc/sys/net/ipv6/conf/all/disable_ipv6"
1
You can use --cap-add to add a precise privilege instead of --privileged.
However, --sysctl looks like the best solution, instead of hacking networking in the container with --privileged:
$ docker run --sysctl net.ipv6.conf.all.disable_ipv6=1 \
--rm -ti centos bash -c "cat /proc/sys/net/ipv6/conf/all/disable_ipv6"
1
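The three options in the answer differ a lot in what they hand the container, and that shows up in `docker inspect`. The audit below is an added example, not code from the answer or from Docker: it reads the HostConfig of constructed `docker inspect` output (assumed values) and classifies each container. One caveat the answer leaves out: Docker mounts /proc/sys read-only by default (it is listed in HostConfig.ReadonlyPaths), so `--cap-add` on its own does not make the `tee` succeed; `--privileged` clears that mask along with every other restriction, which is part of why it "works". `--sysctl` only accepts namespaced keys (net.* when the container has its own network namespace, the IPC kernel.* keys and fs.mqueue.*), which is exactly why it is the narrow option.

```python
"""Audit how containers were allowed to change kernel sysctls.

Added example, not part of the answer above. It reads the HostConfig section
of `docker inspect` output (constructed JSON here so it runs offline) and
reports whether each container is fully privileged, relies on --cap-add, or
uses the narrow --sysctl mechanism. Docker mounts /proc/sys read-only by
default (ReadonlyPaths), so --cap-add alone does not make writes to it work;
--privileged clears that mask.
"""
from __future__ import annotations

import json

# Docker's default read-only mask as shown by `docker inspect` (assumed here).
DEFAULT_READONLY = ["/proc/asound", "/proc/bus", "/proc/fs", "/proc/irq",
                    "/proc/sys", "/proc/sysrq-trigger"]

# Constructed `docker inspect` fragments, only the fields this audit uses.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/privileged-one",
     "HostConfig": {"Privileged": True, "CapAdd": None, "Sysctls": None,
                    "ReadonlyPaths": None}},
    {"Name": "/capadd-one",
     "HostConfig": {"Privileged": False, "CapAdd": ["NET_ADMIN"], "Sysctls": None,
                    "ReadonlyPaths": DEFAULT_READONLY}},
    {"Name": "/sysctl-one",
     "HostConfig": {"Privileged": False, "CapAdd": None,
                    "Sysctls": {"net.ipv6.conf.all.disable_ipv6": "1"},
                    "ReadonlyPaths": DEFAULT_READONLY}},
    {"Name": "/plain",
     "HostConfig": {"Privileged": False, "CapAdd": None, "Sysctls": None,
                    "ReadonlyPaths": DEFAULT_READONLY}},
])

# Non-network sysctls Docker accepts via --sysctl (IPC namespace and mqueue).
NAMESPACED_SYSCTL_KEYS = {
    "kernel.msgmax", "kernel.msgmnb", "kernel.msgmni", "kernel.sem",
    "kernel.shmall", "kernel.shmmax", "kernel.shmmni", "kernel.shm_rmid_forced",
}


def is_namespaced_sysctl(key: str, host_network: bool = False) -> bool:
    """True if `key` can be set per container without touching the host."""
    if key.startswith("net."):
        return not host_network  # net.* lives in the container's network namespace
    return key.startswith("fs.mqueue.") or key in NAMESPACED_SYSCTL_KEYS


def narrowest_option(key: str, host_network: bool = False) -> str:
    """Pre-flight: what is the least-privilege way to get this sysctl value?"""
    if is_namespaced_sysctl(key, host_network):
        return f"--sysctl {key}=<value>"
    return "host-level sysctl (not settable per container)"


def proc_sys_writable(host_config: dict) -> bool:
    """True when nothing masks /proc/sys (privileged clears the default mask)."""
    if host_config.get("Privileged"):
        return True
    return "/proc/sys" not in (host_config.get("ReadonlyPaths") or [])


def classify(container: dict) -> dict:
    """Summarise one container's sysctl-related privilege surface."""
    hc = container["HostConfig"]
    caps = hc.get("CapAdd") or []
    sysctls = hc.get("Sysctls") or {}
    if hc.get("Privileged"):
        level = "privileged"  # all capabilities, all devices, masks removed
    elif caps:
        level = "cap-add"
    elif sysctls:
        level = "sysctl"
    else:
        level = "none"
    return {
        "name": container["Name"].lstrip("/"),
        "level": level,
        "proc_sys_writable": proc_sys_writable(hc),
        "caps": sorted(caps),
        "sysctls": dict(sysctls),
    }


def audit(inspect_json: str) -> dict[str, dict]:
    """Map container name -> classification for a `docker inspect` JSON array."""
    return {c["Name"].lstrip("/"): classify(c) for c in json.loads(inspect_json)}


if __name__ == "__main__":
    for name, finding in audit(SAMPLE_INSPECT).items():
        print(name, finding)
```

On a real host the input is `docker inspect $(docker ps -q)`; any container that reports `privileged` while only needing a namespaced sysctl is a candidate for rewriting with `--sysctl`.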

Debugging a bash script in a container gives a process on the host?

I start a container with the name pg. I wanted to debug a bash script in the container, so I installed bashdb in the container. I started it:
root@f8693085f270:/# /usr/share/bin/bashdb docker-entrypoint.sh postgres
I go back to the host, and do:
[eric@almond volume]$ docker exec -ti pg bash
root@f8693085f270:/# ps ajxw
PPID PID PGID SID TTY TPGID STAT UID TIME COMMAND
0 1 1 1 ? 3746 Ss 0 0:00 bash
1 3746 3746 1 console 3746 S+ 0 0:00 /bin/bash
[eric@almond postgres]$ ps ajxw | grep docker
30613 3702 3702 30613 pts/36 3702 Sl+ 1000 0:01 docker run --name pg -v /home/eric/tmp/bashdb:/bashdb -it postgres bash
3760 8049 8049 3760 pts/19 8049 S+ 0 0:00 /bin/bash /usr/share/bin/bashdb docker-entrypoint.sh postgres
4166 8294 8294 4166 pts/9 8294 Sl+ 1000 0:00 docker exec -ti pg bash
So in the container I see a TTY entry console, which I have never seen before, and I see the debugging entry in ps on the host!
What is going on?
Docker isolates a container from the host, it doesn't isolate the host from the container. That means the host can see the processes run inside containers, though from a different name space so the pids will be different.
Attaching to console appears to be something from bashdb. It has automatic detection for the tty to direct output to, and may be getting thrown off by the Docker isolation.
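The kernel records the pid a process has in every pid namespace it belongs to, so the host-side and container-side entries can be matched rather than guessed. The code below is an added example, not code from the answer above: it parses the NSpid line of /proc/<pid>/status (outermost namespace first). The status text is constructed so it runs offline; pairing host pid 8049 with container pid 3746 is an assumption made to line up with the two ps listings on this page, not something the page itself establishes.

```python
"""Match a process the host sees with the pid it has inside a container.

Added example, not part of the answer above. Linux exposes the pid a process
has in each nested pid namespace through the NSpid line of /proc/<pid>/status
(outermost namespace first). The excerpts below are constructed; the pairing
of host pid 8049 with container pid 3746 is an assumption.
"""
from __future__ import annotations

# Constructed /proc/<host_pid>/status excerpts keyed by host pid.
SAMPLE_STATUS = {
    8049: "Name:\tbash\nState:\tS (sleeping)\nPid:\t8049\nPPid:\t3760\n"
          "NSpid:\t8049\t3746\nNSpgid:\t8049\t3746\nNSsid:\t3760\t1\n",
    3702: "Name:\tdocker\nState:\tS (sleeping)\nPid:\t3702\nPPid:\t30613\n"
          "NSpid:\t3702\nNSpgid:\t3702\nNSsid:\t30613\n",
}


def parse_status(text: str) -> dict[str, str]:
    """Parse the `Key:<tab>value` lines of /proc/<pid>/status into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def ns_pids(status_text: str) -> list[int]:
    """The process's pid in each pid namespace it is in, outermost first."""
    return [int(p) for p in parse_status(status_text)["NSpid"].split()]


def container_pid(status_text: str) -> int | None:
    """Innermost pid, or None if the process lives only in the host namespace."""
    pids = ns_pids(status_text)
    return pids[-1] if len(pids) > 1 else None


def map_container_pids(statuses: dict[int, str]) -> dict[int, int]:
    """host pid -> container pid for every process in a child pid namespace."""
    result = {}
    for host_pid, text in statuses.items():
        inner = container_pid(text)
        if inner is not None:
            result[host_pid] = inner
    return result


if __name__ == "__main__":
    for host_pid, inner in map_container_pids(SAMPLE_STATUS).items():
        print(f"host pid {host_pid} is pid {inner} inside its container")
```

On a live host the same mapping comes from reading /proc/<pid>/status for each pid listed by `docker top pg`, starting from the container's init pid that `docker inspect --format '{{.State.Pid}}' pg` prints. The asymmetry the answer describes follows from this layout: every container process has an entry in the host's namespace, while host processes have no entry in the container's.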
