Docker and BusyBox

Ever heard of  Busybox or you are like me living in a cave. YAS today heard of it

BusyBox: The Swiss Army Knife of Embedded Linux

Its so tiny that the Docker image is only few mb in my case 2.433 MB

Dockerizing BusyBox

To Run BusyBox 
docker run --rm -it busybox

This will drop you into sh shell.

You can use Busybox to test your static binaries For example

1. Create a Dockerfile for a binary

From busybox
copy my-binary /my-binary
CMD ["/my-binary"]

2. Now build the image
docker build -t my-binary:v1 .

3. Finally run the container from the image to test your binary
docker run --rm -it my-binary:v1

Happy dockerizing

Oracle Linux Image for Docker

Everyone is talking about Docker these days, Oracle also took the notice and recently make Oracle Linux 6 and 7 images available for Docker.

Note: Oracle Linux is rebuild of RHEL same as Centos or Scientific Linux. ;)

Lets try to containerize the oracle linux OL7

1. Assuming Docker is already installed on your favorite Linux distro

2. Download the Oracle Linux image

3. Uncompress it , this will give oraclelinux-7.0.tar in the current directory
$ unxz oraclelinux-7.0.tar.xz

4. Load the image to your local Docker repository.
# docker load -i unxz oraclelinux-7.0.tar

5. check local image repo

# docker images

REPOSITORY           TAG                 IMAGE ID            CREATED             VIRTUAL SIZE
oraclelinux          7.0                 5f1be1559ccf        3 weeks ago         265.2 MB
askhan/salt-minion   v1                  9b40143974c1        9 weeks ago         294.6 MB

6. Finally run container based on OL7 image
# docker run --rm -it --name oracle7 oraclelinux:7.0 bash

7. Now inside the container
[root@fcc43a277822 /]# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 7.0 (Maipo)

Hey what this is RHEL...come on make your own Linux distro to better serve the community. (Oracle)

Docker - Untagged images

sudo docker images --filter "dangling=true"

$ sudo docker images --filter "dangling=true"


REPOSITORY  TAG          IMAGE ID        CREATED     VIRTUAL SIZE
none                       8c39e8847482        5 hours ago         4.799 GB
none                        1e422624b663        5 hours ago         4.799 GB
none                        889bb1e7a182        7 hours ago         361.7 MB

This will display untagged images, that are the leaves of the images tree (not intermediary layers). These images occur when a new build of an image takes the repo:tag away from the image ID, leaving it untagged. A warning will be issued if trying to remove an image when a container is presently using it. By having this flag it allows for batch cleanup.

To remove untagged images

$ sudo docker rmi $(sudo docker images -f "dangling=true" -q)

Deleted: 8c39e8847482dc326fe38a0ad081d6f07692cf960ad8a60b9dbcd23e8e5f8237
Deleted: 5352141119ef008c0f8b86c716fff56b193b51cd24275e6865155e82a68d90d1
Deleted: 1e422624b663f5bcc17942311ee0bf6c050a3c72287edb00b55b9b7150c84038
Deleted: 43b55a8043f57522807cb4fd2e3801730b0d1d5bfe06c56138cc724be31f9a3f
Deleted: 42cc277fae8850bc2d2238b09932bc158f82d85df6d14491628da13bc9f8f5d7
Deleted: 3770e4be4740d3826f3084d0edfa63376605804c37f0c1f8d3de540562cad3ad
Deleted: ecafe52bc8ecf1195dbbb4654e5f3627f9607dce5cc7015e2fe1d667083b3a19
Deleted: 0c2ed3587fa939e32af3a5330a8a93c19bd210dc0d1c6cbf3e2da4e04b1eec44
Deleted: 5b5278f9083cb4c05a673698c83890977ffd21e11f2047a6731361ffa5bac6dd
Deleted: 33d4b2ed6b3885493892e17a642f5535bccc68deebfab82e9f97aa4942b37c05
Deleted: bbf510a7340697608c24e61be82ca0e12ea7be746806f481f8da0dec4e1f33b1
Deleted: 39288867bab065f8bf297f0a9c1708615e42427435666380c510540abfc39589
Deleted: ac25dd76fbcfd9c9108669f020b1d5d4eff77030591a4ce2fb346d14677c9b02
Deleted: 66247125226f32376d3731e9294f069e87c94dbd97b5cb29fc4d3cfa78092f13
Deleted: 6109906a8f91f6c72dbc24e5b23ec981f4f6ea27b2cfe47bec6a4c1d0b7ec71b
Deleted: 883939159dd96fd6cf40b3bc0fa0ae1d71dc2cc4aebb187948bb3bc5b6013959
Deleted: 889bb1e7a182d2e6a146cf4fb72015171f8c4fcb58b2294650db02126d7287d3
Deleted: ab174de7a01d3c8a10fb003e2fbb296f7d2dca21c2485f88f0afaadcb82e4def
Deleted: f31fa04bf31d366f9b72d49dce13b15cb2aafcae232d872164beb56c4c3bd178
Deleted: 40a48a6b1f4b31498047e0f3b918071f6ca9597994266a45fce7b39d929971c3
Deleted: 809eb6bc51974ebc6d5949c31db89ff46f8b9ef8b7259b8c99019b62eff49b4b
Deleted: 006f1bd2da6d5f834ad6d2402d8c1155aace711e3434904be3483e6c6861e97d
Deleted: 0c92cae6419cb1d6982698baebc26006c48b06f66b1c31a2add81e1518093b0d
Deleted: c602b1c4d4cbe989db12e0e07b55315fc1f950f8982dc23b0aaac83b9d7322e0
Deleted: d4718839b6a8e008c6873ded5bd023e2952f583982ab4e0c6a69f4133c047785
Deleted: 55d2c09e4784bdd28972b3fe0f6900ba1f2dee323192e989648be0495417cba1
Deleted: 20afcdfe2ea7b5d6e4cc541c4a66f0cf7395b1520a14c36ad7b89bf703250586

This give me around 10GB free disk space.

Upgrading Docker using the script

In my previous post we used the script available from Docker site to help with installing Docker.

Using the same script one can upgrade the Docker.

Before upgrading Docker

sudo docker version Client version: 1.2.0 Client API version: 1.14 Go version (client): go1.3.1 Git commit (client): fa7b24f OS/Arch (client): linux/amd64 Server version: 1.2.0 Server API version: 1.14 Go version (server): go1.3.1 Git commit (server): fa7b24f

Execute script to install newer version of Docker

$ curlhttps://get.docker.io/ | sudo sh 

Once the script finished, Docker 1.3.1 is installed and Docker daemon was automatically started.

$ sudo docker version Client version: 1.3.1 Client API version: 1.15 Go version (client): go1.3.3 Git commit (client): 4e9bbfa OS/Arch (client): linux/amd64 Server version: 1.3.1 Server API version: 1.15 Go version (server): go1.3.3 Git commit (server): 4e9bbfa


   

Deleting a Docker container

If you are finished with a container, you can delete it using the docker rm command.

You must stop it first using the docker stop command or docker kill command.

Deleting a container

# docker rm ba1d58bfb1dc

ba1d58bfb1dc

Deleting a running container

# docker rm –f ba1d58bfb1dc

Deleting all containers

There is currently no command to delete all containers but you can combine docker ps –a and docker ps –q to delete all containers.

# docker rm $(docker ps -a -q)

ps –a list all the containers

ps -q list the ids of all containers

Attaching to docker container

You launched your Docker container with

sudo docker –run –I –t –name grey_cat centos /bin/bash

This creates the container name “grey_cat” from base image “centos” and ran the bash shell inside it, the container’s is presented.

Once you are done with the container you type “exit” which stop the container and get back to you host shell.

So what happened to container? The container still exists; we can show a list of current containers using the docker ps -a command

To start the stopped container

sudo docker start grey_cat

This start the container with the same options when it was launched with docker run command.

To attach to the interactive session we can use attach command

sudo docker attach grey_cat

You might need to Enter to get the command prompt.

Docker Installation Script

It’s easy to install Docker using your distro package management system for example in Centos, Redhat, Fedora using yum and, in Ubuntu, Debian using apt-get.

There is also a simple curl script available to help with installing Docker.

- Make sure curl is install, if not first install it.

- Now install Docker from installation script

$ curl -sSL https://get.docker.io/ubuntu/ | sudo sh

- To verify that everything has worked as expected:

$ sudo docker run -i -t ubuntu /bin/bash

This should download the Ubuntu image, and then start bash in a container.

Linux Bash Vulnerability CVE-2014-6271 ("Shellshock")

There is apparently a vulnerability in bash http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271
 

Summary:

Vulnerability has been found where variables that control the environment of the Linux system can be sent to the Bash application and when the Bash application starts, the content of the variable will be executed. This vulnerability allows a hacker to inject malicious code that the Bash application will run without validation. In a worst case scenario, this can allow the hacker to gain control of the system.

The bug lies in Bash's handling of environment variables: when assigning a function to a variable, trailing code in the function definition will be executed, leaving the door wide open for code-injection attacks. The vulnerability is exploitable remotely if code can be smuggled into environment variables sent over the network – and it's surprisingly easy to do so.

Systems Affected

Linux (all OS versions containing Bash GNU 4.3 or earlier)
Mac OSX (v10.9.5 and earlier) NOTE: Not confirmed yet but suspected

Freebsd running bash version <= 4.3

Test if your servers is vulnerable:

Execute the following code on bash shell

$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

vulnerable

this is a test

If you get the output “vulnerable” then your system is affected.

Installing update

Most of the distros already patched bash and released an update, install the update using your distro package management system.  A GNU Bashpatch is also available for experienced users and administrators to implement.

I am running couple of latest Ubuntu (Trusty) virtual machines, and when I checked they already released bash updates (4.3-7ubuntu1.1)

sudo apt-get update        # Fetches the list of available updates

sudo apt-get dist-upgrade  # Installs updates

Test after installing update

# env x='() { :;}; echo vulnerable' bash -c "echo this is "

bash: warning: x: ignoring function definition attempt

bash: error importing function definition for `x'

this is a test

Bravo the system is now patched and no more worries about bash shellshock :)