gvisor/content/docs/user_guide/docker.md


+++
title = "Docker Quick Start"
weight = 10
+++

This guide will help you quickly get started running Docker containers using gVisor.

## Install gVisor

Note: gVisor supports only x86_64 and requires Linux {{< required_linux >}} (older Linux).

{{% readfile file="docs/includes/install_gvisor.md" markdown="true" %}}

## Configuring Docker

Note: This guide requires Docker version 17.09.0 or greater. Refer to the Docker documentation for how to install it.

First you will need to configure Docker to use runsc by adding a runtime entry to your Docker configuration (/etc/docker/daemon.json). You may have to create this file if it does not exist. Some Docker versions also require you to specify the storage-driver field.

In the end, the file should look something like:

```json
{
    "runtimes": {
        "runsc": {
            "path": "/usr/local/bin/runsc"
        }
    }
}
```

You must restart the Docker daemon after making changes to this file. Typically this is done via systemd:

```shell
sudo systemctl restart docker
```

## Running a container

Now run your container using the runsc runtime:

```shell
docker run --runtime=runsc --rm hello-world
```

You can also run a terminal to explore the container.

```shell
docker run --runtime=runsc --rm -it ubuntu /bin/bash
```

Many Docker options are compatible with gVisor; try them out. Here is an example:

```shell
docker run --runtime=runsc --rm --link backend:database -v ~/bin:/tools:ro -p 8080:80 --cpus=0.5 -it busybox telnet towel.blinkenlights.nl
```

## Verify the runtime

You can verify that you are running in gVisor using the dmesg command.

```shell
$ docker run --runtime=runsc -it ubuntu dmesg
[    0.000000] Starting gVisor...
[    0.354495] Daemonizing children...
[    0.564053] Constructing home...
[    0.976710] Preparing for the zombie uprising...
[    1.299083] Creating process schedule...
[    1.479987] Committing treasure map to memory...
[    1.704109] Searching for socket adapter...
[    1.748935] Generating random numbers by fair dice roll...
[    2.059747] Digging up root...
[    2.259327] Checking naughty and nice process list...
[    2.610538] Rewriting operating system in Javascript...
[    2.613217] Ready!
```

Note that this output is trivial for an attacker to replicate, so applications should never use dmesg to verify the runtime in a security-sensitive context.
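As an added example that is not part of the gVisor docs or project, the Python helpers below cover the two steps above: merging the runsc runtime entry into an existing daemon.json without dropping other keys (such as storage-driver), and checking a container's runtime from the host via the HostConfig.Runtime field of `docker inspect` instead of trusting dmesg output inside the container. The function names and the subprocess wrapper are assumptions for illustration.

```python
"""Hypothetical helpers (not from the gVisor project): merge the runsc runtime
into daemon.json, and check a container's runtime from the host, not via dmesg."""
import json
import os
import subprocess

RUNSC_PATH = "/usr/local/bin/runsc"  # install location used on this page


def merge_runsc_runtime(config, runsc_path=RUNSC_PATH):
    """Return a copy of the daemon.json dict with runtimes.runsc set.
    Other keys ("storage-driver", other runtimes) are kept; dockerd needs an
    absolute runtime path, so a relative one is rejected."""
    if not os.path.isabs(runsc_path):
        raise ValueError("runtime path must be absolute: %r" % runsc_path)
    merged = dict(config)
    merged["runtimes"] = dict(config.get("runtimes", {}))
    merged["runtimes"]["runsc"] = {"path": runsc_path}
    return merged


def load_daemon_json(path="/etc/docker/daemon.json"):
    """Load the existing config, or {} if the file does not exist yet."""
    if not os.path.exists(path):
        return {}
    with open(path) as f:
        return json.load(f)


def runtime_from_inspect(inspect_json):
    """Read HostConfig.Runtime from `docker inspect <container>` output. The
    daemon records which runtime it launched the container with, which a
    process inside the sandbox cannot forge the way it can fake dmesg lines."""
    data = json.loads(inspect_json)
    if not data:
        raise ValueError("no container in inspect output")
    return data[0].get("HostConfig", {}).get("Runtime", "")


def is_running_under_runsc(container):
    """Host-side check: is `container` (name or ID) using the runsc runtime?"""
    out = subprocess.check_output(["docker", "inspect", container])
    return runtime_from_inspect(out.decode()) == "runsc"


if __name__ == "__main__":
    # Print the merged config; review it before writing it to daemon.json.
    print(json.dumps(merge_runsc_runtime(load_daemon_json()), indent=4))
```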

Next, look at the different options available for gVisor: platform, network, filesystem.