whalebrew/whalebrew

whalebrew in whalebrew

colltoaction opened this issue · 2 comments

If whalebrew enabled docker in docker (see #24), and also installed itself in all containers, then you could have your tools talk to each other!

Goal: my whalebrew packages can call each other.

Example: when you build with microsoft/dotnet you might want to call node or npm to run frontend tasks.

Benefits:

  • Each tool is downloaded as needed (e.g. docker run downloads what it needs)
  • Using official images gives you faster updates and well-tested tools
  • Your environment is now composable, and updating or adding a tool automatically updates your whole environment
  • You can run complicated tools in any Linux distro (e.g. installing and running dotnet in Arch Linux is a nightmare)

Let me know what you think or if you think it's not possible!

Thanks!

Hi,
Thanks for the suggestion. I tend to think this is quite possible. However, I have a concern regarding the security of such a feature.

To allow commands to call one another we would need to somehow run whalebrew run, and hence need to bind the docker socket for each command.

This means that any command could then be able to execute roughly anything the docker API allows, including binding host volumes, running privileged containers, etc., and hence exposing undesired data.
Being able to control what a given command can do is, for me, one of the great advantages of whalebrew, enforced by #24.

This means we need to find a simple way to do so without providing this whole uncontrolled access.

I have been thinking about this issue lately and here is what I came up with:

Declare dependencies

Introduce a way to declare that an image depends on external commands (like io.whalebrew.config.depends="["git"]")

Expose a whalebrew-in-whalebrew command

When Whalebrew starts a container, if this container has dependencies, it mounts a runnable whalebrew-in-whalebrew command (benefiting from the --volumes-from option?).
This whalebrew-in-whalebrew should forward the execution to Whalebrew, which will then execute the command. Communication between w-in-w and Whalebrew remains to be thought out (unix/http socket?).

The setup is not that simple, but it copes well with security, ensuring that the docker socket, which provides root privileges, is not exposed to userland programs.
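As an added illustration of the allow-list the host side of such a broker would enforce (example code, not whalebrew's own; the label name, the JSON-array format of its value, and the function names are assumptions taken from the proposal above), the container's request is checked against the image's declared dependencies, so a forwarded call can only ever become "whalebrew run <declared command>" and never reaches the Docker API directly:

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"regexp"
)

// dependsLabel is the image label proposed in the thread (assumed format: JSON array).
const dependsLabel = "io.whalebrew.config.depends"

// validName restricts forwarded command names to plain package names,
// so a request can never smuggle a path or shell syntax into the host call.
var validName = regexp.MustCompile(`^[a-z0-9][a-z0-9._-]*$`)

// ParseDepends reads and validates the dependency list stored in the image labels.
// A missing label means the container gets no forwarding at all.
func ParseDepends(labels map[string]string) ([]string, error) {
	raw, ok := labels[dependsLabel]
	if !ok {
		return nil, nil
	}
	var deps []string
	if err := json.Unmarshal([]byte(raw), &deps); err != nil {
		return nil, fmt.Errorf("%s: %w", dependsLabel, err)
	}
	for _, d := range deps {
		if !validName.MatchString(d) {
			return nil, fmt.Errorf("%s: invalid command name %q", dependsLabel, d)
		}
	}
	return deps, nil
}

// Authorize decides whether a w-in-w request for "name" may be forwarded to
// the host as "whalebrew run name ...": only declared dependencies pass.
func Authorize(deps []string, name string) error {
	if !validName.MatchString(name) {
		return errors.New("refusing malformed command name")
	}
	for _, d := range deps {
		if d == name {
			return nil
		}
	}
	return fmt.Errorf("command %q not declared in %s", name, dependsLabel)
}

func main() {
	// Constructed sample labels: an image that declares git and npm as dependencies.
	deps, err := ParseDepends(map[string]string{dependsLabel: `["git","npm"]`})
	if err != nil {
		panic(err)
	}
	for _, n := range []string{"git", "docker", "../bin/sh"} {
		fmt.Println(n, "->", Authorize(deps, n))
	}
}
```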