2.7 KiB
+++ title = "Docker Quick Start" weight = 10 +++ This guide will help you quickly get started running Docker containers using gVisor.
Install gVisor
Note: gVisor supports only x86_64 and requires Linux {{< required_linux >}} (older Linux).
{{% readfile file="docs/includes/install_gvisor.md" markdown="true" %}}
Configuring Docker
Note: This guide requires Docker version 17.09.0 or greater. Refer to the Docker documentation for how to install it.
First you will need to configure Docker to use runsc
by adding a runtime
entry to your Docker configuration (/etc/docker/daemon.json
). You may have to
create this file if it does not exist. Also, some Docker versions also require
you to specify the storage-driver
field.
In the end, the file should look something like:
{
"runtimes": {
"runsc": {
"path": "/usr/local/bin/runsc"
}
}
}
You must restart the Docker daemon after making changes to this file, typically
this is done via systemd
:
sudo systemctl restart docker
Running a container
Now run your container using the runsc
runtime:
docker run --runtime=runsc --rm hello-world
You can also run a terminal to explore the container.
docker run --runtime=runsc --rm -it ubuntu /bin/bash
Many docker options are compatible with gVisor, try them out. Here is an example:
docker run --runtime=runsc --rm --link backend:database -v ~/bin:/tools:ro -p 8080:80 --cpus=0.5 -it busybox telnet towel.blinkenlights.nl
Verify the runtime
You can verify that you are running in gVisor using the dmesg
command.
$ docker run --runtime=runsc -it ubuntu dmesg
[ 0.000000] Starting gVisor...
[ 0.354495] Daemonizing children...
[ 0.564053] Constructing home...
[ 0.976710] Preparing for the zombie uprising...
[ 1.299083] Creating process schedule...
[ 1.479987] Committing treasure map to memory...
[ 1.704109] Searching for socket adapter...
[ 1.748935] Generating random numbers by fair dice roll...
[ 2.059747] Digging up root...
[ 2.259327] Checking naughty and nice process list...
[ 2.610538] Rewriting operating system in Javascript...
[ 2.613217] Ready!
Note that this is easily replicated by an attacker so applications should never
use dmesg
to verify the runtime in a security sensitive context.
Next, look at the different options available for gVisor: platform, network, filesystem.