mydocker run ubuntu:latest /usr/local/bin/docker-explorer echo hey
- if program exits with code `1` => our program should exit with code 1
- Using `chroot`, ensure the program doesn't have access to host files
  - create an empty dir and `chroot` into it (also copy the binary)
  - Rust ref: `fs::chroot`

```rust
use std::os::unix::fs;

fs::chroot("/sandbox")?;
std::env::set_current_dir("/")?; // move the cwd into the new root
// continue working in sandbox
```
- we also need to copy the binary over to the new temp folder, which will be the root for the child process
- NOTE: Docker has replaced `chroot` with `pivot_root` for security reasons
- using `pivot_root` ref:
  - given a new root and a subdir under it, `pivot_root` moves the current root (of the child process) to the subdir and makes the new root the root mount point
  - then we unmount the old root and leave the newly created root mount point
- guarding the process tree
  - using PID namespaces we create an isolated process tree for the child process so that it cannot view/interact with host processes
  - the child process must have PID = 1
- Fetch the contents of public images on Docker Hub from the Docker registry, then exec the cmd with it
- steps:
  - auth
  - fetch image manifest
  - pull layers of img and extract to chroot dir
- base url: `registry.hub.docker.com`
- cmd syntax: `mydocker run ubuntu:latest /bin/echo hey`
- when interacting with registry API
  - prepend `library/` to img names
  - prepend
- Using JWT authentication
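
As an added example (not code from the original notes), the chroot steps and the exit-code rule above combined in std-only Rust. The `mydocker-<pid>` temp directory name and the 128 + signal mapping are assumptions, and the PID-namespace step is left out because it needs `unshare(2)`, which std does not expose.

```rust
use std::os::unix::process::ExitStatusExt;
use std::path::{Component, Path, PathBuf};
use std::process::Command;
use std::{env, fs, io};

/// Copy `binary` to the same absolute path under `root`, so that after
/// chroot(root) the command is still found at the path the user typed.
fn stage_binary(root: &Path, binary: &Path) -> io::Result<PathBuf> {
    let rel = binary.strip_prefix("/").unwrap_or(binary);
    // Refuse `..` so the copy cannot be written outside the sandbox directory.
    if rel.components().any(|c| c == Component::ParentDir) {
        return Err(io::Error::new(io::ErrorKind::InvalidInput, "`..` in binary path"));
    }
    let dest = root.join(rel);
    if let Some(parent) = dest.parent() {
        fs::create_dir_all(parent)?;
    }
    fs::copy(binary, &dest)?; // fs::copy also copies the permission bits (exec)
    Ok(dest)
}

/// Map the child's status to our own exit code: its code if it exited,
/// 128 + signal number if it was killed (the shell convention).
fn exit_code(status: std::process::ExitStatus) -> i32 {
    status.code().unwrap_or_else(|| 128 + status.signal().unwrap_or(0))
}

/// chroot into `root` and run `binary args...` there. Needs CAP_SYS_CHROOT (root).
fn run_in_sandbox(root: &Path, binary: &Path, args: &[String]) -> io::Result<i32> {
    stage_binary(root, binary)?;
    std::os::unix::fs::chroot(root)?;
    env::set_current_dir("/")?; // otherwise the cwd still refers to a host directory
    // The staged binary must be statically linked: no shared libraries exist in `root`.
    Ok(exit_code(Command::new(binary).args(args).status()?))
}

fn main() -> io::Result<()> {
    let argv: Vec<String> = env::args().collect();
    if argv.len() < 4 {
        eprintln!("usage: mydocker run <image> <command> [args...]");
        std::process::exit(2);
    }
    // Constructed sandbox location: a fresh directory named after our PID.
    let root = env::temp_dir().join(format!("mydocker-{}", std::process::id()));
    fs::create_dir_all(&root)?;
    let code = run_in_sandbox(&root, Path::new(&argv[3]), &argv[4..])?;
    std::process::exit(code)
}
```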