This Blog is to share our knowledge and expertise on Linux System Administration and VMware Administration

Tuesday, January 16, 2018

Working with Docker Container - Getting privileged access inside a container


Getting privileged access inside a container

Linux divides the privileges traditionally associated with the superuser into distinct units, known as capabilities (run man capabilities on a Linux-based system), which can be independently enabled and disabled. For example, the net_bind_service capability allows non-root processes to bind to ports below 1024. By default, Docker starts containers with a limited set of capabilities. With privileged access inside the container, the container gets extra capabilities and can perform operations normally reserved for root. For example, let's try to create a loopback device while mounting a disk image.

Syntax : docker run --privileged [ OPTIONS ]  IMAGE[:TAG]  [COMMAND]  [ARG...] 

root@Docker:~# docker run --privileged -i -t centos /bin/bash
[root@89f516205250 /]#
[root@89f516205250 /]# dd if=/dev/zero of=disk.img bs=1M count=10 &> /dev/null
[root@89f516205250 /]# mkfs -t minix disk.img &> /dev/null
[root@89f516205250 /]# mount disk.img /mnt/
[root@89f516205250 /]# mount | grep -i disk
/var/lib/docker/aufs/diff/72bebd0aff7bf4dbbd74495a41884d3113f2dedbfcffa3c82256abced73b0b21/disk.img on /mnt type minix (rw,relatime)
[root@89f516205250 /]# df -hP | grep -i /mnt
/dev/loop0                   9.9M  1.0K  9.9M   1% /mnt
[root@89f516205250 /]# cd /mnt/
[root@89f516205250 mnt]# echo "This is docker test" > test
[root@89f516205250 mnt]# cat test
This is docker test

This mode carries security risks, as a privileged container can get root-level access to the Docker host. With Docker 1.2 or newer, two flags, --cap-add and --cap-drop, give fine-grained control over the capabilities a container runs with. For example, to prevent any chown inside the container, use the following command:

 docker run --cap-drop=CHOWN [ OPTIONS ]  IMAGE[:TAG]  [COMMAND]  [ARG...]
root@Docker:~# docker run --cap-drop=CHOWN  -i -t centos /bin/bash
[root@5c536ea0d181 /]# chown root:adm mnt
chown: changing ownership of 'mnt': Operation not permitted
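A quick way to verify what --privileged or --cap-drop actually changed is to decode the CapEff line of /proc/self/status inside the container. The following is an added example, not code from the original post: the capability name table comes from capabilities(7), the sample status text is constructed, and the RISKY_CAPS review list is an assumption of this example, not a Docker default.

```python
import re

# Capability names by bit number, as listed in capabilities(7) (bits 0..40 on Linux 5.9+).
CAP_NAMES = [
    "chown", "dac_override", "dac_read_search", "fowner", "fsetid", "kill",
    "setgid", "setuid", "setpcap", "linux_immutable", "net_bind_service",
    "net_broadcast", "net_admin", "net_raw", "ipc_lock", "ipc_owner",
    "sys_module", "sys_rawio", "sys_chroot", "sys_ptrace", "sys_pacct",
    "sys_admin", "sys_boot", "sys_nice", "sys_resource", "sys_time",
    "sys_tty_config", "mknod", "lease", "audit_write", "audit_control",
    "setfcap", "mac_override", "mac_admin", "syslog", "wake_alarm",
    "block_suspend", "audit_read", "perfmon", "bpf", "checkpoint_restore",
]

def decode_capmask(hexmask):
    """Turn a CapEff/CapBnd hex value from /proc/<pid>/status into a set of cap names."""
    mask = int(hexmask, 16)
    return {"cap_" + name for bit, name in enumerate(CAP_NAMES) if (mask >> bit) & 1}

def effective_caps(status_text):
    """Pull the CapEff line out of the text of /proc/<pid>/status and decode it."""
    m = re.search(r"^CapEff:\s*([0-9a-fA-F]+)", status_text, re.MULTILINE)
    return decode_capmask(m.group(1)) if m else set()

# Review policy used here (an assumption of this example, not Docker's): capabilities
# that let a process alter the kernel, raw devices, other processes or host networking.
RISKY_CAPS = {"cap_sys_admin", "cap_sys_module", "cap_sys_rawio",
              "cap_sys_ptrace", "cap_net_admin"}

def risky_caps(caps):
    """Return the risky capabilities present, sorted, so a review can flag them."""
    return sorted(caps & RISKY_CAPS)

# Constructed sample: the CapEff value a default (non-privileged) Docker container shows.
SAMPLE_STATUS = "Name:\tbash\nCapInh:\t0000000000000000\nCapEff:\t00000000a80425fb\n"

if __name__ == "__main__":
    import os
    # Inside a real container, read the process's own status file instead of the sample.
    text = open("/proc/self/status").read() if os.path.exists("/proc/self/status") else SAMPLE_STATUS
    caps = effective_caps(text)
    print("effective:", sorted(caps))
    print("risky:", risky_caps(caps))
```

Run it inside a container started with --privileged and then with --cap-drop=CHOWN to see cap_sys_admin appear in the first case and cap_chown disappear in the second.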

For help with docker run, use --help.

Monday, January 15, 2018

Working with Docker Container - Deleting a container


Deleting a container

We can delete a container permanently, but before that we have to stop the container or use the force option. In this recipe, we'll start, stop, and delete a container.
Syntax : docker rm [ OPTIONS ] CONTAINER [CONTAINER...]

Let's first start a container, stop it, and then delete it using the following commands:

root@Docker:~# id=`docker run -d -i centos /bin/bash`
root@Docker:~# docker stop $id
e62286794466459f2dd08d5f1cec0749187247ffabb5224d6b6b3aae334d4bf8
root@Docker:~# docker rm $id
e62286794466459f2dd08d5f1cec0749187247ffabb5224d6b6b3aae334d4bf8

To forcefully delete a container without an intermediate stop, use the -f option.

To delete all the containers, we first need to stop all the running containers and then remove them. Be careful before running the commands as these will delete both the running and the stopped containers:

root@Docker:~# docker stop `docker ps -q`
root@Docker:~# docker rm `docker ps -aq`

Note the -a in the second command: once the containers are stopped, docker ps -q lists nothing, so docker rm needs the -a flag to see the stopped containers it is meant to remove.

For help with docker rm, use --help.

Sunday, January 14, 2018

Basics of YAML - Ansible


YAML

YAML, like many other data serialization languages (such as JSON), has very few, basic concepts:

Declarations
Lists
Associative arrays

A declaration is very similar to a variable in any other language, that is:

name: 'This is the name'

To create a list, we will have to use '-':

- 'item1'
- 'item2'
- 'item3'

YAML uses indentation to logically divide parents from children. So if we want to create associative arrays (also known as objects), we would just need to add an indentation:

item:
  name: TheName
  location: TheLocation

Obviously, we can mix those together, that is:

people:
  - name: Jhon
    number: +91123456
    country: India
  - name: Cena
    number: +44763520
    country: UK

Those are the basics of YAML. YAML can do much more, but for now this will be enough.
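As an added example that is not part of the original post, here is a small Python parser for exactly the subset shown above (declarations, lists, nested associative arrays, and lists of them), which makes the role of indentation concrete. Real Ansible work uses a full YAML library; this parser deliberately supports nothing beyond these constructs.

```python
import re

# Matches "key: value" or "key:" at the start of a line body (keys limited to word chars and "-").
_MAP_ENTRY = re.compile(r"^[\w-]+:(\s|$)")

def _indent(line):
    return len(line) - len(line.lstrip(" "))

def _scalar(text):
    # Scalars stay strings here; surrounding single or double quotes are stripped.
    text = text.strip()
    if len(text) >= 2 and text[0] == text[-1] and text[0] in "'\"":
        return text[1:-1]
    return text

def _parse_block(lines, i, indent):
    # A block is a list if its first line starts with "- ", otherwise an associative array.
    if lines[i].lstrip().startswith("- "):
        return _parse_list(lines, i, indent)
    return _parse_map(lines, i, indent)

def _parse_map(lines, i, indent):
    out = {}
    while i < len(lines) and _indent(lines[i]) == indent and not lines[i].lstrip().startswith("- "):
        key, _, rest = lines[i].strip().partition(":")
        i += 1
        if rest.strip():                                        # declaration: value on the same line
            out[key.strip()] = _scalar(rest)
        elif i < len(lines) and _indent(lines[i]) > indent:     # children are indented deeper
            out[key.strip()], i = _parse_block(lines, i, _indent(lines[i]))
        else:
            out[key.strip()] = None
    return out, i

def _parse_list(lines, i, indent):
    out = []
    while i < len(lines) and _indent(lines[i]) == indent and lines[i].lstrip().startswith("- "):
        body = lines[i].lstrip()[2:]
        if _MAP_ENTRY.match(body):
            # "- key: value" opens a map whose keys sit two columns right of the dash.
            lines[i] = " " * (indent + 2) + body
            item, i = _parse_map(lines, i, indent + 2)
        else:
            item, i = _scalar(body), i + 1
        out.append(item)
    return out, i

def parse_yaml(text):
    """Parse the YAML subset used above (declarations, lists, nested maps) into Python objects."""
    lines = [l.rstrip() for l in text.splitlines() if l.strip() and not l.lstrip().startswith("#")]
    value, _ = _parse_block(lines, 0, _indent(lines[0]))
    return value
```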

Working with Docker Container - Stopping a container

Sunday, January 14, 2018

Stopping a container

We can stop one or more containers at once. In this recipe, we will first start a container and then stop it.
Syntax : docker stop [-t|--time[=10]] CONTAINER [CONTAINER...]


root@Docker:~# docker stop fb83a04222c7
fb83a04222c7


This will save the state of the container and stop it. It can be started again, if needed.

To stop a container after waiting for some time, use the --time/-t option.

To stop all the running containers run the following command:

root@Docker:~# docker stop `docker ps -q`
5d950a3835d6
32238eabfac4

For help with docker stop, use --help.

Friday, January 12, 2018

Which command is used to run sudo commands without password

Command used to run sudo commands without password

NAME
     sudo - execute a command as another user

sudo allows a permitted user to execute a command as the superuser or another user, as specified by the security policy.

But here the -s option is used to run the privileged command without a password. Note that -s itself does not skip the password prompt: whether sudo asks for a password is decided by the sudoers security policy (for example a NOPASSWD entry for the user or command), so the command below only runs without a prompt when that policy allows it.

[nsk@testserver ~]$ sudo -s /etc/init.d/nslcd restart
Stopping nslcd:                                            [  OK  ]
Starting nslcd:                                            [  OK  ]
[nsk@testserver ~]$

Here,
-s [command] The -s (shell) option runs the shell specified by the SHELL environment variable if it is set or the shell as specified in the password database.  If a command is specified, it is passed to the shell for execution via the shell’s -c option.  If no command is specified, an interactive shell is executed.

Thursday, January 11, 2018

Working with Docker Container - Listing containers


Listing containers

We can list both running and stopped containers.

Syntax: docker ps [ OPTIONS ]
The Docker daemon can look at the metadata associated with the containers and list them down. By default, the command returns:

The container ID
The image from which it got created
The command that was run after starting the container
The details about when it got created
The current status
The ports that are exposed from the container
The name of the container

root@Docker:~# docker ps -a

To return just the container IDs of all the containers, use the -aq option as follows:
root@Docker:~# docker ps -aq
b613fbc39be2
e3bfe67aa175
8813d555d0dc
6d65e303381c
5d950a3835d6
32238eabfac4
d38d94f8b88c
ce065a026516
13b10b8f321d
40f35204ce70
1b6ecbd6a091
d1c871755f38

To show the last created container, including non-running containers, run the following command:
root@Docker:~# docker ps -l
CONTAINER ID   IMAGE    COMMAND       CREATED         STATUS         PORTS   NAMES
b613fbc39be2   centos   "/bin/bash"   8 minutes ago   Up 8 minutes           sad_shannon

For help with docker ps, use --help.

Display the timestamping capabilities of particular interface of Linux Server.

Thursday, January 11, 2018

Many NICs support software timestamping. To query your own interface, use the command below, which displays the timestamping capabilities of a particular interface.

NAME
       ethtool - query or control network driver and hardware settings

[root@nsk ~]# ethtool -T enp0s3
Time stamping parameters for enp0s3:
Capabilities:
        software-transmit     (SOF_TIMESTAMPING_TX_SOFTWARE)
        software-receive      (SOF_TIMESTAMPING_RX_SOFTWARE)
        software-system-clock (SOF_TIMESTAMPING_SOFTWARE)
PTP Hardware Clock: none
Hardware Transmit Timestamp Modes: none
Hardware Receive Filter Modes: none
[root@nsk ~]#

Monday, January 8, 2018

Working with Docker Container - Starting a container


Starting a container

Listing images

We can list the images available on the system running the Docker daemon. These images might have been pulled from the registry, imported through the docker command, or created through Docker files.
root@Docker:~# docker images
REPOSITORY                 TAG      IMAGE ID       CREATED        SIZE
nskselvan/nsk              latest   b2f0c17eed23   2 months ago   197MB
centos-latest              latest   2083898799b1   2 months ago   197MB
wordpress                  latest   224b7eef6944   3 months ago   408MB
mysql                      5.7      b4e78b89bcf3   3 months ago   412MB
registry                   2        28525f9a6e46   3 months ago   33.2MB
localhost:5000/reg         latest   28525f9a6e46   3 months ago   33.2MB
centos                     latest   196e0ce0c9fb   3 months ago   197MB
localhost:5000/centos-ka   latest   196e0ce0c9fb   3 months ago   197MB

For help with docker images, use --help.

Once we have images, we can use them to start containers. In this recipe, we will start a container from the centos:latest image and see what happens behind the scenes.
Syntax : docker run [ OPTIONS ]  IMAGE[:TAG]  [COMMAND]  [ARG...]

root@Docker:~# docker run -i -t --name=centos centos /bin/bash
[root@6d65e303381c /]# uptime
 04:07:13 up  1:02,  0 users,  load average: 0.02, 0.01, 0.00

Here,
The -i option starts the container in the interactive mode
The -t option allocates a pseudo-tty and attaches it to the standard input

So, with the preceding command, we start a container from the centos:latest image, attach pseudo-tty, name it centos, and run the /bin/bash command. If the name is not specified, then a random string will be assigned as the name.
Also, if the image is not available locally, then it will get downloaded from the registry first and then run. Docker will run the search and pull commands before running the run command.

Under the hood, Docker:

Merges all the layers that make up that image using UnionFS.
Allocates a unique ID to the container, referred to as the Container ID.
Allocates a filesystem and mounts a read/write layer for the container. Any changes on this layer are temporary and are discarded if they are not committed.
Allocates a network/bridge interface.
Assigns an IP address to the container.
Executes the process specified by the user.

Also, with the default Docker configuration, it creates a directory named after the container's ID inside /var/lib/docker/containers, which holds the container-specific information such as hostname, configuration details, logs, and /etc/hosts.

To exit from the container, press Ctrl + D or type exit. It is similar to exiting from a shell but this will stop the container.
The run command creates and starts the container. With Docker 1.3 or later, it is possible to just create the container using the create command and run it later using the start command, as shown in the following example:

root@Docker:~# ID=$(docker create -t -i centos bash)
root@Docker:~# docker start -a -i $ID
[root@8813d555d0dc /]#

The container can be started in the background and then we can attach to it whenever needed. We need to use the -d option to start the container in the background:
root@Docker:~# docker run -d -i -t centos /bin/bash
e3bfe67aa1759c5ccd0e8e061595b8214881673c4df599f9652a58369df7d948

The preceding command returns the container ID of the container to which we can attach later, as follows:
root@Docker:~# docker attach e3bfe67aa1759c5ccd0e8e061595b8214881673c4df599f9652a58369df7d948
[root@e3bfe67aa175 /]#

The --read-only option of the run command will mount the root filesystem in the read-only mode:
root@Docker:~# docker run --read-only -d -i -t centos /bin/bash
b613fbc39be2b46cbc485d76bae3f2e7f1781c570e32b6509dab5345d45b6e04

Note: this option only makes sure that we cannot modify anything on the root filesystem; writes to mounted volumes are still allowed.
For help with docker run, use --help.