With Docker
This documentation section explains how to install lockc on a single machine with Docker. In order to do that, we need to install the lockcd binary and a systemd unit for it.
Installation methods
There are two ways to do that.
Install with cargo
If you want to install lockc on a machine where you have the source code of lockc, you can do it with cargo. You need to build lockc with Cargo before that. After building lockc, you can install it with the following command.
cargo xtask install
Do not run this command with sudo! Why?
tl;dr: you will be asked for a password when necessary, don't worry!
Explanation: Running cargo with sudo ends with weird consequences like not seeing cargo content from your home directory or leaving some files owned by root in target. When any destination directory is owned by root, sudo will be launched automatically by xtask install just to perform the necessary installation steps.
By default it tries to install the lockcd binary in /usr/local/bin, but the destination directory can be changed by the following arguments:
--destdir - the rootfs of your system, default: /
--prefix - prefix of most of the installation destinations, default: usr/local
--bindir - directory for binary files, default: bin
--unitdir - directory for systemd units, default: lib/systemd/system
--sysconfdir - directory for configuration files, default: etc
By default, binaries are installed from the debug target profile. If you want to change it, use the --profile argument. --profile release is what you most likely want to use when packaging or installing on a production system.
Unpack the bintar
Documentation sections about:
mention Building tarball with binary and unit. To quickly sum it up, you can build a "bintar" by doing:
dapper cargo xtask bintar
or:
cargo xtask bintar
Both commands will produce a bintar available as target/[profile]/lockc.tar.gz (e.g. target/debug/lockc.tar.gz for the debug profile).
That tarball can be copied to any machine and unpacked with the following command. Note that it is extracted into / as root, so only unpack a tarball you built yourself or obtained from a trusted source, and list its contents with tar -tzf lockc.tar.gz first if in doubt:
sudo tar -C / -xzf lockc.tar.gz
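Because the command above extracts into / as root, it is worth inspecting the archive before extracting it. The script below is an added example and not part of lockc: it lists the members with tar -tzf and refuses any absolute path, any ".." component, or any member outside an allow-list of install prefixes. The allow-list (usr/local, etc and lib/systemd/system) is an assumption derived from the default --prefix, --sysconfdir and --unitdir values described above; adjust it via ALLOWED_PREFIXES after looking at the listing if your bintar was built with different arguments.

```shell
#!/bin/sh
# Added example, not part of lockc: inspect a bintar before `sudo tar -C / -xzf`.
# Extracting an unreviewed archive into / as root can overwrite any file on the
# host, so list the members first and refuse anything that is not a plain
# relative path under the expected install directories.
set -eu

# Allowed prefixes are an assumption based on the default layout described
# above (binaries under usr/local, configuration under etc, units under
# lib/systemd/system). Override with ALLOWED_PREFIXES="..." if needed.
ALLOWED_PREFIXES="${ALLOWED_PREFIXES:-usr/local/ etc/ lib/systemd/system/}"

# Read member names on stdin (one per line, as printed by `tar -tzf`).
# Returns non-zero if any member is absolute, contains a ".." component,
# or lies outside ALLOWED_PREFIXES. Directory entries that are parents of an
# allowed prefix (e.g. "usr/") are accepted so a normal archive passes.
check_member_paths() {
    status=0
    while IFS= read -r member; do
        [ -n "$member" ] || continue
        case "$member" in
            /*)
                printf 'REJECT absolute path: %s\n' "$member" >&2
                status=1; continue ;;
            ..|../*|*/..|*/../*)
                printf 'REJECT parent reference: %s\n' "$member" >&2
                status=1; continue ;;
        esac
        ok=0
        for prefix in $ALLOWED_PREFIXES; do
            case "$member" in
                "$prefix"*) ok=1 ;;                                  # inside an allowed dir
                */) case "$prefix" in "$member"*) ok=1 ;; esac ;;    # parent dir of one
            esac
        done
        if [ "$ok" -eq 1 ]; then
            printf 'ok      %s\n' "$member"
        else
            printf 'REJECT outside allowed prefixes: %s\n' "$member" >&2
            status=1
        fi
    done
    return "$status"
}

# List the archive without extracting it and run the check over the listing.
check_bintar() {
    tar -tzf "$1" | check_member_paths
}

# Usage: sh bintar-check.sh lockc.tar.gz && sudo tar -C / -xzf lockc.tar.gz
if [ "$#" -gt 0 ]; then
    check_bintar "$1"
fi
```

The check is deliberately conservative: a member that neither sits under an allowed prefix nor is a directory leading to one is rejected, so a surprising listing makes you look before anything lands on the host.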
Verify the installation
After installing lockc, you should be able to enable and start the lockcd service:
sudo systemctl enable --now lockcd
After starting the service, you can verify that lockc is enforcing its policy by trying to run a container that would not actually be contained, for example one that bind-mounts the host root filesystem:
$ docker run --rm -it -v /:/rootfs registry.opensuse.org/opensuse/toolbox:latest
docker: Error response from daemon: OCI runtime create failed: container_linux.go:380: starting container process caused: process_linux.go:545: container init caused: rootfs_linux.go:76: mounting "/" to rootfs at "/rootfs" caused: mount through procfd: operation not permitted: unknown.
ERRO[0020] error waiting for container: context canceled
Or you can run a container without such a mount and try to ls the contents of /sys:
$ docker run --rm -it registry.opensuse.org/opensuse/toolbox:latest
9b34d760017f:/ # ls /sys
ls: cannot open directory '/sys': Operation not permitted
9b34d760017f:/ # ls /sys/fs/btrfs
ls: cannot access '/sys/fs/btrfs': No such file or directory
9b34d760017f:/ # ls /sys/fs/cgroup
blkio cpu,cpuacct cpuset freezer memory net_cls net_prio pids systemd
cpu cpuacct devices hugetlb misc net_cls,net_prio perf_event rdma
You should be able to see cgroups (which is fine), but other parts of /sys should be hidden.
However, running insecure containers as root with the privileged policy level should work:
$ sudo -i
# docker run --label org.lockc.policy=privileged --rm -it -v /:/rootfs registry.opensuse.org/opensuse/toolbox:latest bash
8ea310609fce:/ #
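The manual checks above can be scripted so that verification yields a pass/fail exit status rather than output to eyeball. The script below is an added example, not lockc's own tooling. It assumes a running Docker daemon and lockcd, that it is executed as root (after sudo -i, as in the privileged example above) and that the test image is the toolbox image used on this page (overridable through LOCKC_TEST_IMAGE). Anything other than an EPERM denial, such as an image pull failure or a stopped daemon, is reported as a failed check so that an unrelated error is not mistaken for enforcement.

```shell
#!/bin/sh
# Added example, not lockc's own tooling: scripts the manual checks above so the
# outcome is a pass/fail exit status instead of eyeballed error messages.
# Assumes a running Docker daemon and lockcd, and that it is executed as root
# (e.g. after `sudo -i`), since the privileged policy level is used from root above.
set -u

# The image is the one used in the examples above; override to test another.
IMAGE="${LOCKC_TEST_IMAGE:-registry.opensuse.org/opensuse/toolbox:latest}"

# A lockc denial surfaces as EPERM, i.e. "operation not permitted" (any case),
# both in the daemon's create error and in the in-container ls failure above.
is_denied() {
    printf '%s' "$1" | grep -qi 'operation not permitted'
}

# Run a command, capture stdout+stderr, and require a non-zero exit status
# whose output carries the EPERM text. Any other failure (image pull error,
# daemon down) is reported as FAIL so it is not mistaken for enforcement.
expect_denied() {
    name=$1; shift
    out=$("$@" 2>&1) && rc=0 || rc=$?
    if [ "$rc" -ne 0 ] && is_denied "$out"; then
        printf 'PASS %s: denied by lockc\n' "$name"
    else
        printf 'FAIL %s: expected an EPERM denial, got (rc=%s): %s\n' "$name" "$rc" "$out"
        return 1
    fi
}

# Run a command that must succeed.
expect_allowed() {
    name=$1; shift
    if out=$("$@" 2>&1); then
        printf 'PASS %s: allowed\n' "$name"
    else
        printf 'FAIL %s: expected success, got: %s\n' "$name" "$out"
        return 1
    fi
}

# The checks from this page plus the cgroup listing that must keep working.
run_checks() {
    failures=0
    # 1. Bind-mounting the host rootfs into a default-policy container fails at create time.
    expect_denied "host rootfs mount" \
        docker run --rm -v /:/rootfs "$IMAGE" true || failures=$((failures + 1))
    # 2. A default-policy container runs, but listing /sys is refused.
    expect_denied "ls /sys" \
        docker run --rm "$IMAGE" ls /sys || failures=$((failures + 1))
    # 3. cgroups stay visible, so the container is still usable.
    expect_allowed "ls /sys/fs/cgroup" \
        docker run --rm "$IMAGE" ls /sys/fs/cgroup || failures=$((failures + 1))
    # 4. The same host mount is allowed when root requests the privileged policy level.
    expect_allowed "privileged rootfs mount" \
        docker run --label org.lockc.policy=privileged --rm -v /:/rootfs "$IMAGE" true \
        || failures=$((failures + 1))
    printf '%s check(s) failed\n' "$failures"
    return "$failures"
}

# Usage: sh verify-lockc.sh run   (nothing is executed without the "run" argument)
if [ "${1:-}" = run ]; then
    run_checks
fi
```

Run it as root with sh verify-lockc.sh run; all four checks must print PASS and the exit status is the number of failed checks. The container commands drop the -it flags used interactively above so they can run unattended.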