Runc Containers on the Desktop
Almost exactly a year ago, I wrote a post about running Docker Containers on the Desktop. Well it is a new year, and I have ended up converting all my docker containers to runc configs, so it’s the perfect time for a new blog post.
For those of you unfamiliar with the Open Container Initiative you should check out opencontainers.org.
Why the switch? you ask… well let me explain.
Our fellow Docker maintainer and pal Phil Estes made an awesome patch to add user namespaces to Docker.
Now me, being the completely insane containerizer that I am, desperately wanted to run all my crazy sound/video device mounting containers in user namespaces.
Well the way this could work is by having a custom
gid_map for the
video groups to map to the host groups so we can have permission to access
these devices in the container. In layman’s terms, I basically wanted to poke a
teeny tiny map in the user namespace to be able to have permission to use my sound
and video devices.
Obviously this was not the design of the feature, but since
runc exposes the
gidMappings, I knew I could have the power to do as I please.
This is the awesome thing about
runc. You, the user, have all the control.
So for chrome, this is what you get for mappings:
If you look closely, or know what you are looking at, you can see group
are mapped to the same group ids as the host.
Then you can do cool things like listen to Taylor Swift in a container with a user namespace.
Pretty cool right. So I went all OCD on this, like most things I encounter, and I converted all my containers. Obviously I found a way to generate them.
riddler will take a running/stopped docker container and convert the inspect information
into the oci spec
(which can be run by
runc, or any other oci compatible tool).
It has some opinionated features in that it will always try to set up a
that works with your devices. You can also pass custom hooks to automatically add
to the runc config as
poststop hooks. Which leads
me to the next tool I built.
Say hello to github.com/jessfraz/netns!
So you want your runc containers to have networking, eh? How about something super
simple like a bridge?
netns does just that. It sets up a bridge network
for all your runc containers when added via the
netns even saves the ip for the container in a
.ip file in the directory with
your config. Then other hooks can use this to do other things. For instance I use
hostess cli to then add an entry to
/etc/hosts file, so I don’t have to remember the ip for the container
when I want to reach it.
You can find all my hook scripts in github.com/jessfraz/containers:hack/scripts.
The last tool I made was a copy of
docker stats for
runc. But what I really wanted
was the new
pids cgroup stats, that Aleksa Sarai added
to the kernel and runc (and soon docker ;).
runc has a command
runc events which outputs json stats in an interval. All you have
to do is pipe that to magneto to get the awesome ux.
The following is for my chrome container:
$ sudo runc events | magneto
All the configs
If you are interested in all the configs for my containers, checkout github.com/jessfraz/containers.
I even included a
systemd service file
that can easily run any container (without a tty) in this directory via:
$ sudo systemctl start runc@foldername # for example: $ sudo systemctl start runc@chrome
NOTE: Keep in mind since these are generated a lot of the filepaths are hardcoded for things on my host. So if you try to run these and aren’t me I don’t want to hear any whining.