Fossil SCM

Added more jq filters to the runc examples to remove further problematic things left in the automatic conversion from the Docker container configuration file to the one we provide to runc.

wyoung 2022-09-04 08:09 trunk
Commit 4e8c74797fa7ac76d265a5e89a288909be9cb2d3a5d0aa81bffff30aa938a107
1 file changed +26 -3
--- www/containers.md
+++ www/containers.md
@@ -473,11 +473,17 @@
473473
docker container start $c
474474
docker container export $c | sudo tar -C $r -xf -
475475
id=$(docker inspect --format="{{.Id}}" $c)
476476
sudo cat $m/$id/config.json |
477477
jq '.root.path = "'$r'"' |
478
- jq '.linux.cgroupsPath = ""' > $b/config.json
478
+ jq '.linux.cgroupsPath = ""' |
479
+ jq 'del(.linux.sysctl)' |
480
+ jq 'del(.linux.namespaces[] | select(.type == "network"))' |
481
+ jq 'del(.mounts[] | select(.destination == "/etc/hostname"))' |
482
+ jq 'del(.mounts[] | select(.destination == "/etc/resolv.conf"))' |
483
+ jq 'del(.mounts[] | select(.destination == "/etc/hosts"))' |
484
+ jq 'del(.hooks)' > $b/config.json
479485
fi
480486
```
481487
482488
----
483489
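Review bot: Deleting the network namespace entry at new line 480 leaves the container in the host's network stack, and nothing in the script says so at the point where it happens. A one-line shell comment above that filter would keep a reader from copying the snippet without noticing the isolation it gives up. Separately, the seven `jq` processes could be a single invocation with the filters joined by `|`, and the three `/etc/...` mount deletions at 481-483 could collapse into one `select(.destination | IN("/etc/hostname", "/etc/resolv.conf", "/etc/hosts"))`.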
@@ -500,14 +506,25 @@
500506
The rest is generic, but you’re welcome to freestyle here. We’ll show an
501507
example of this below.
502508
503509
We’re using [jq] for two separate purposes:
504510
505
-1. To change the container configuration for `runc`:
511
+1. To automatically transmogrify Docker’s container configuration so it
512
+ will work with `runc`:
506513
507514
* point it where we unpacked the container’s exported rootfs
508515
* accede to its wish to [manage cgroups by itself][ecg]
516
+ * remove the `sysctl` calls that will break after…
517
+ * …we remove the network namespace to allow Fossil’s TCP listening
518
+ port to be available on the host; `runc` doesn’t offer the
519
+ equivalent of `docker create --publish`, and we can’t be
520
+ bothered to set up a manual mapping from the host port into the
521
+ container
522
+ * remove file bindings that point into the local runtime managed
523
+ directories; one of the things we give up by using a bare
524
+ container runner is automatic management of these files
525
+ * remove the hooks for essentially the same reason
509526
510527
2. To make the Docker-managed machine-readable `config.json` more
511528
human-readable, in case there are other things you want changed in
512529
this version of the container. Exposing the `config.json` file like
513530
this means you don’t have to rebuild the container merely to change
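Review bot: The bullet at new lines 517-521 presents removing the network namespace only as a way to make Fossil's listening port reachable on the host, but without that namespace the container shares the host's entire network stack, not one port. The text should state that trade-off next to the `docker create --publish` comparison. The closing bullet's "for essentially the same reason" is also ambiguous with several reasons listed above it; say which one is meant, and consider merging the two bullets joined by "…" into a single item.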
@@ -572,11 +589,17 @@
572589
docker container start $c
573590
docker container export $c > $t/rootfs.tar
574591
id=$(docker inspect --format="{{.Id}}" $c)
575592
sudo cat $m/$id/config.json |
576593
jq '.root.path = "'$b/rootfs'"' |
577
- jq '.linux.cgroupsPath = ""' > $t/config.json
594
+ jq '.linux.cgroupsPath = ""' |
595
+ jq 'del(.linux.sysctl)' |
596
+ jq 'del(.linux.namespaces[] | select(.type == "network"))' |
597
+ jq 'del(.mounts[] | select(.destination == "/etc/hostname"))' |
598
+ jq 'del(.mounts[] | select(.destination == "/etc/resolv.conf"))' |
599
+ jq 'del(.mounts[] | select(.destination == "/etc/hosts"))' |
600
+ jq 'del(.hooks)' > $t/config.json
578601
scp -r $t $h:tmp
579602
ssh -t $h "{
580603
mv ./$t/config.json $b &&
581604
sudo tar -C $b/rootfs -xf ./$t/rootfs.tar &&
582605
rm -r ./$t
583606
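Review bot: Nothing between the redirect at new line 600 and the `scp` at 601 checks that the pipeline produced a usable file. If `sudo cat` or any `jq` stage fails, the last `jq` can still exit cleanly and leave an empty or partial `$t/config.json`, which is then copied to `$h` and moved into `$b`. Testing the result before the copy (for example `jq -e . $t/config.json > /dev/null`) or enabling `pipefail` would stop that. The filter chain at 594-600 is also a verbatim copy of the one at 478-484 with only the output path changed, so defining it once would keep the two from drifting apart.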
