
Re: [atomic-devel] docker binary



On 07/21/2015 07:47 AM, Daniel J Walsh wrote:
>
> On 07/21/2015 09:28 AM, Trevor Jay wrote:
>> On Tue, Jul 21, 2015 at 08:22:50AM -0400, Daniel J Walsh wrote:
>>> Yes we actually recommend using something like
>>>
>>> docker run -ti -v /:/host -v /run:/run -v /dev:/dev --privileged fedora
>>> /bin/sh
>>>
>>> And then you can add stuff like
>>> --net=host --pid=host --ipc=host
>>>
>>> And you slowly end up where only /usr inside your container is separate
>>> from the host system.
>>>
>> Yup. On the other end of the spectrum: if all you want to do is start and stop services with systemctl in a container, you can usually get by with:
>>
>>  -v /run/dbus:/var/run/dbus -v /run/systemd:/var/run/systemd 
>>
>> And you don't even need --privileged. Of course, there's a whole world in-between the two approaches.
Right, we'd rather use as few privileges as possible.  Access to systemd
= access to everything in our mind, so maybe that should suffice.
Direct docker access is just convenience but of the kind one can't live
without.  I think context is important.  We are running bare metal
machines with Atomic on them.  There would be nothing on the hosts if we
could help it.  For now etcd and flannel are on the hosts.  Other than
that everything goes to containers.  So, we're not really looking to be
on the host while in a container.  No super privilege, rather, we want
to control all those containers running on it.  Storage is another one.

It's a very informative discussion. Thank you for your insight.  Atomic
will probably continue evolving away from standard distros.
>>
>> It all depends on exactly what you're looking to do. strace is your friend. :)
>>
>> _Trevor
>>
> Well SELinux might get in the way of the no privileged part.  (At least
> it should).
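One way to put the two `docker run` lines quoted above on a single scale, as an added example (my code, not anything posted by the atomic-devel participants): it reads `docker inspect` output and lists which parts of the host a container can reach. The `HostConfig` keys are the ones Docker actually emits; the two records are constructed to mirror the quoted invocations, and the level names are assumed labels.

```python
"""Classify how much of the host a container can reach from `docker inspect`
output. Added example for this thread, not the posters' own code."""
import json

# Host paths that hand the container control of host services or devices
# even without --privileged (the systemd/dbus bind-mount case above).
SENSITIVE_HOST_PATHS = ("/", "/run", "/dev", "/run/systemd", "/run/dbus")


def host_path_is_sensitive(src: str) -> bool:
    """True for a sensitive path itself or anything below one (except below "/")."""
    if src in SENSITIVE_HOST_PATHS:
        return True
    return any(src.startswith(p + "/") for p in SENSITIVE_HOST_PATHS if p != "/")


def assess(inspect_json: str) -> dict:
    """Return {'findings': [...], 'level': 'minimal'|'broad'|'host-equivalent'}."""
    cfg = json.loads(inspect_json)[0]["HostConfig"]
    binds = cfg.get("Binds") or []
    findings = []
    if cfg.get("Privileged"):
        findings.append("Privileged: all capabilities, no device cgroup, no seccomp")
    for ns in ("NetworkMode", "PidMode", "IpcMode"):
        if cfg.get(ns) == "host":
            findings.append(f"{ns}=host: shares the host {ns[:-4].lower()} namespace")
    for bind in binds:
        src = bind.split(":", 1)[0]
        if host_path_is_sensitive(src):
            findings.append(f"bind {bind}: host path {src} is exposed")
    # Assumed labels: privileged plus the host root mounted is the "only /usr
    # is separate" end of the spectrum described in the thread.
    if cfg.get("Privileged") and any(b.startswith("/:") for b in binds):
        level = "host-equivalent"
    elif findings:
        level = "broad"
    else:
        level = "minimal"
    return {"findings": findings, "level": level}


# Constructed records mirroring the two invocations quoted in the thread.
PRIVILEGED = json.dumps([{"HostConfig": {
    "Privileged": True, "NetworkMode": "host", "PidMode": "host", "IpcMode": "host",
    "Binds": ["/:/host", "/run:/run", "/dev:/dev"]}}])
SYSTEMCTL_ONLY = json.dumps([{"HostConfig": {
    "Privileged": False, "NetworkMode": "default", "PidMode": "", "IpcMode": "",
    "Binds": ["/run/dbus:/var/run/dbus", "/run/systemd:/var/run/systemd"]}}])
MINIMAL = json.dumps([{"HostConfig": {"Binds": ["/srv/data:/data"]}}])

if __name__ == "__main__":
    for name, rec in (("privileged", PRIVILEGED), ("systemctl", SYSTEMCTL_ONLY)):
        print(name, assess(rec))
```

Run it against live data with `docker inspect <container>` piped in; the point is that the systemd/dbus variant still lands well above "minimal" even though it never sets `--privileged`.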

