Binary Docker For CapRover Web Installs On Any Linux Distribution!

Introduction




A recent Low End Box Editorial asked whether CapRover and the rise of one-click web installs has made Linux distributions obsolete.


The above linked Editorial discussed similarities between obsolescence and abstraction. The Editorial traced these similarities all the way from hardware to the modern web.


Docker was mentioned in the Editorial as an important method of operating system abstraction. Docker containerization allows running the same software in very different operating system environments.


Notably, Docker is a prerequisite for CapRover, our one-click install hero!


For Low End LOLs, it seemed a fun project to try getting CapRover-driven one-click web installs going on the world’s oldest living Linux distribution, Slackware.


Docker makes available Linux static binaries for both the Docker daemon and the Docker client. Static binaries were also mentioned in the above linked Editorial as another method of distribution agnosticism. So here we are, using one method of abstraction, static binaries, to install yet another method of abstraction, Docker, for the purpose of installing a third method of abstraction, CapRover. LOL!



Reasons Not To Do This In Real Life!


Docker warns us against the binary install method for production systems:


We do not recommend installing Docker using binaries in production environments as they will not be updated automatically with security updates. The Linux binaries described on this page are statically linked, which means that vulnerabilities in build-time dependencies are not automatically patched by security updates of your Linux distribution.


Docker Prerequisites


Let’s check our latest Slackware64-current OS to see whether Slackware64-current satisfies all of the prerequisites for a 64 bit binary install of Docker.


64-bit installation


root@darkstar:~# getconf LONG_BIT

64 ✅

root@darkstar:~#


Linux kernel version 3.10 or higher


root@darkstar:~# uname -r

5.17.7 ✅

root@darkstar:~#


Iptables version 1.4 or higher


root@darkstar:~# iptables --version

iptables v1.8.8 (legacy) ✅

root@darkstar:~#


Git version 1.7 or higher


root@darkstar:~# git --version

git version 2.36.1 ✅

root@darkstar:~#


A ps executable


root@darkstar:~# ps --version

ps from procps-ng 3.3.17 ✅

root@darkstar:~#


XZ utilities version 3.9 or higher


root@darkstar:~# xz --version

xz (XZ Utils) 5.2.5 ✅

liblzma 5.2.5

root@darkstar:~#


Properly mounted cgroupfs hierarchy


Please see https://github.com/tianon/cgroupfs-mount/blob/master/cgroupfs-mount.


root@darkstar:~# ls /proc/cgroups

/proc/cgroups

root@darkstar:~# ls /sys/fs | grep cgroup

cgroup/

root@darkstar:~# ls /sys/fs/cgroup/

blkio/ cpuacct/ devices/ freezer/ misc/ net_prio/ pids/

cpu/ cpuset/ elogind/ memory/ net_cls/ perf_event/ systemd@

root@darkstar:~# mountpoint /sys/fs/cgroup

/sys/fs/cgroup is a mountpoint

root@darkstar:~# cat /proc/cgroups

#subsys_name hierarchy num_cgroups enabled

cpuset 1 1 1

cpu 2 1 1

cpuacct 3 1 1

blkio 4 1 1

memory 5 1 1

devices 6 1 1

freezer 7 1 1

net_cls 8 1 1

perf_event 9 1 1

net_prio 10 1 1

pids 11 1 1

misc 12 1 1

root@darkstar:~# cat /sys/fs/cgroup/memory/memory.use_hierarchy

1 ✅

root@darkstar:~#


AppArmor And SELinux


Neither AppArmor nor SELinux seems to be installed in the default Slackware64-current. Neither is a Docker prerequisite, and both could be less necessary in a Lab environment like Darkstar than in a production system.


root@darkstar:~# cat /sys/kernel/security/apparmor/profiles

cat: /sys/kernel/security/apparmor/profiles: No such file or directory

root@darkstar:~# sestatus

-bash: sestatus: command not found

root@darkstar:~#


Docker Daemon Security


Seccomp


Please see https://docs.docker.com/engine/security/seccomp/.


root@darkstar:~# ls /boot/config

/boot/config@

root@darkstar:~# file /boot/config

/boot/config: symbolic link to config-huge-5.17.7.x64

root@darkstar:~# grep CONFIG_SECCOMP= /boot/config

CONFIG_SECCOMP=y ✅

root@darkstar:~#
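As an added example that is not part of the original post, here is a single POSIX sh script that performs the prerequisite checks above (64-bit userland, kernel, iptables, git, ps, xz, mounted cgroup hierarchy) together with the CONFIG_SECCOMP kernel-config check in one pass, using the minimum versions the post lists, and prints a ✅/❌ line per item instead of stopping at the first failure. It goes beyond the post in two places: it also accepts a cgroup v2 mount (identified by /sys/fs/cgroup/cgroup.controllers) in addition to the v1 layout shown above, and when no kernel config file is readable it falls back to the Seccomp: field in /proc/self/status, which the kernel only exposes when it was built with seccomp. The helper names (first_version, version_ge, check_tool, run_checks) are my own, not Docker's.

```shell
#!/bin/sh
# Added example, not from the LowEndBox post: Docker static-binary prerequisite
# checks in one script. Minimum versions are the ones the post lists.
# Assumptions: POSIX sh on Linux with /proc and /sys mounted.

FAILS=0

# first_version TEXT -> first dotted number on TEXT's first line
# e.g. "iptables v1.8.8 (legacy)" -> 1.8.8, "xz (XZ Utils) 5.2.5" -> 5.2.5
first_version() {
    printf '%s\n' "$1" | head -n 1 | sed -e 's/^[^0-9]*//' -e 's/[^0-9.].*//'
}

# version_ge A B -> exit 0 if dotted version A >= B (numeric, up to 4 fields;
# a missing field counts as 0, so 2.36 < 2.36.1 and 10.0 > 9.9)
version_ge() {
    i=1
    while [ "$i" -le 4 ]; do
        x=$(printf '%s\n' "$1" | cut -d. -f "$i"); x=${x:-0}
        y=$(printf '%s\n' "$2" | cut -d. -f "$i"); y=${y:-0}
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
        i=$((i + 1))
    done
    return 0
}

# result helpers: record the verdict and keep going so the report is complete
ok()   { echo "✅ $*"; }
fail() { echo "❌ $*"; FAILS=$((FAILS + 1)); }

# check_tool LABEL MIN COMMAND [ARGS...] -> compare COMMAND's reported version with MIN
check_tool() {
    label=$1; min=$2; shift 2
    if ! command -v "$1" >/dev/null 2>&1; then
        fail "$label: '$1' not found"; return 0
    fi
    out=$("$@" 2>&1 || true)
    have=$(first_version "$out")
    if [ -n "$have" ] && version_ge "$have" "$min"; then
        ok "$label $have (need >= $min)"
    else
        fail "$label ${have:-unknown version} (need >= $min)"
    fi
}

# the post's "properly mounted cgroupfs hierarchy" check, plus cgroup v2 awareness
check_cgroups() {
    if ! grep -q ' /sys/fs/cgroup ' /proc/mounts 2>/dev/null; then
        fail "cgroup: /sys/fs/cgroup is not a mountpoint"; return 0
    fi
    if [ -r /sys/fs/cgroup/cgroup.controllers ]; then
        ok "cgroup v2 mounted (controllers: $(cat /sys/fs/cgroup/cgroup.controllers))"
    elif [ "$(cat /sys/fs/cgroup/memory/memory.use_hierarchy 2>/dev/null)" = 1 ]; then
        ok "cgroup v1 mounted, memory.use_hierarchy=1"
    else
        fail "cgroup: mounted, but neither v2 nor a hierarchical v1 memory controller found"
    fi
}

# kernel_config -> print the running kernel's config if one is readable
kernel_config() {
    if [ -r /proc/config.gz ]; then zcat /proc/config.gz 2>/dev/null
    elif [ -r "/boot/config-$(uname -r)" ]; then cat "/boot/config-$(uname -r)"
    elif [ -r /boot/config ]; then cat /boot/config   # Slackware's symlink, as in the post
    fi
}

check_seccomp() {
    if kernel_config | grep -q '^CONFIG_SECCOMP=y'; then
        ok "seccomp: CONFIG_SECCOMP=y in kernel config"
    elif grep -q '^Seccomp:' /proc/self/status 2>/dev/null; then
        ok "seccomp: kernel exposes a Seccomp: field in /proc/self/status"
    else
        fail "seccomp: CONFIG_SECCOMP not found (no readable config, no Seccomp: status field)"
    fi
}

run_checks() {
    FAILS=0
    if [ "$(getconf LONG_BIT 2>/dev/null)" = 64 ]; then ok "64-bit userland"; else fail "64-bit userland required"; fi
    check_tool "kernel" 3.10 uname -r
    check_tool "iptables" 1.4 iptables --version
    check_tool "git" 1.7 git --version
    if command -v ps >/dev/null 2>&1; then ok "ps found at $(command -v ps)"; else fail "ps not found"; fi
    check_tool "xz" 3.9 xz --version
    check_cgroups
    check_seccomp
    echo "$FAILS prerequisite(s) missing"
}

run_checks
```

Run it as root on the target host before unpacking the tarball; a host that prints any ❌ line is one where dockerd will fail in a less obvious way later.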


Namespaces


Please see https://docs.docker.com/engine/reference/commandline/dockerd/#daemon-user-namespace-options.


Remapping Docker containers to run as unprivileged users is a method of preventing privilege escalation attacks from inside containers. The idea is to remap container user IDs to unprivileged host IDs. The remapping is done by Linux user namespaces, whose subordinate ID ranges are configured in /etc/subuid and /etc/subgid. Neither of these files exists in the default Slackware64-current distribution.


root@darkstar:~# ls /etc/subuid /etc/subgid

/bin/ls: cannot access '/etc/subuid': No such file or directory

/bin/ls: cannot access '/etc/subgid': No such file or directory

root@darkstar:~#


In Darkstar’s non-production Lab environment, we are less worried about privilege escalation attacks because most Darkstar users already have root privileges. Therefore, we are not installing user remapping for today’s test.
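For anyone who does want the remapping on a production host, here is an added example (not from the post) of a check worth running before enabling it. It assumes the /etc/subuid and /etc/subgid line format user:start:count and that dockerd's remapping is switched on with --userns-remap (or the "userns-remap" key in daemon.json), as documented at the dockerd link above. Two mistakes matter here: subordinate ranges that overlap each other, and ranges that start at or below a real account's UID, since either way container users end up sharing IDs with something on the host. The sample subuid and passwd contents are constructed for the demonstration, and the function names (find_overlaps, highest_uid, ranges_clear_of_passwd) are mine.

```shell
#!/bin/sh
# Added example, not from the LowEndBox post: validate subordinate ID ranges
# for dockerd user-namespace remapping before turning the feature on.
# Each line of /etc/subuid and /etc/subgid is <user>:<first-id>:<count>.
# Assumption: POSIX sh plus awk. Sample contents below are constructed.

SAMPLE_SUBUID='dockremap:100000:65536
alice:165536:65536
bob:150000:65536'      # constructed: bob collides with both other ranges

GOOD_SUBUID='dockremap:100000:65536
alice:165536:65536'    # constructed: disjoint ranges

SAMPLE_PASSWD='root:x:0:0::/root:/bin/bash
nobody:x:99:99:nobody:/:/bin/false
alice:x:1000:1000::/home/alice:/bin/bash
bob:x:1001:1001::/home/bob:/bin/bash'   # constructed, Slackware-style layout

# find_overlaps CONTENT -> one line per colliding pair of ranges (in file order);
# exit status 1 if any collision exists, 0 otherwise
find_overlaps() {
    printf '%s\n' "$1" | awk -F: '
        NF == 3 { n[NR] = $1; s[NR] = $2 + 0; e[NR] = $2 + $3 - 1 }
        END {
            bad = 0
            for (i = 1; i <= NR; i++) for (j = i + 1; j <= NR; j++)
                if ((i in n) && (j in n) && s[i] <= e[j] && s[j] <= e[i]) {
                    printf "%s (%d-%d) overlaps %s (%d-%d)\n", n[i], s[i], e[i], n[j], s[j], e[j]
                    bad = 1
                }
            exit bad
        }'
}

# highest_uid PASSWD_CONTENT -> the largest UID defined for a real account
highest_uid() {
    printf '%s\n' "$1" | awk -F: 'NF >= 3 && $3 + 0 > m { m = $3 + 0 } END { print m + 0 }'
}

# ranges_clear_of_passwd SUBID_CONTENT PASSWD_CONTENT -> exit 0 when every
# subordinate range starts above the highest real UID, 1 otherwise
ranges_clear_of_passwd() {
    max=$(highest_uid "$2")
    printf '%s\n' "$1" | awk -F: -v max="$max" '
        NF == 3 && $2 + 0 <= max {
            printf "%s range starts at %d, at or below host uid %d\n", $1, $2, max; bad = 1
        }
        END { exit bad + 0 }'
}

report() {
    echo "== subordinate ID overlap check =="
    if find_overlaps "$SAMPLE_SUBUID"; then echo "no overlaps"; fi
    echo "== ranges vs /etc/passwd =="
    if ranges_clear_of_passwd "$SAMPLE_SUBUID" "$SAMPLE_PASSWD"; then
        echo "all ranges start above host users"
    fi
}

report
```

Against the real files, call find_overlaps "$(cat /etc/subuid)" and ranges_clear_of_passwd "$(cat /etc/subuid)" "$(cat /etc/passwd)", then repeat with /etc/subgid and /etc/group; a non-zero exit from either function means the layout needs fixing before dockerd is restarted with remapping on.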


Setting Up Our Ability to Revert


Since we’re installing Docker from a non-Slackware source, and since the install is a binary produced by Docker, we’re going to put Docker in the /opt directory.


Being able to revert is always worth planning for, even though there isn’t yet much in /opt:


root@darkstar:~# cd /

root@darkstar:/# ls -l | grep opt

drwxr-xr-x 2 root root 4096 Jun 10 2007 opt/

root@darkstar:/# ls opt

root@darkstar:/# tar cvf opt-revert.tar opt

opt/

root@darkstar:/# ls opt-revert.tar

opt-revert.tar

root@darkstar:/# cd opt/

root@darkstar:/opt#


Downloading And Installing Docker Binaries


root@darkstar:/opt# time wget -q https://download.docker.com/linux/static/stable/x86_64/docker-20.10.16.tgz


real 0m1.284s

user 0m0.246s

sys 0m0.333s

root@darkstar:/opt# ls -lh

total 62M

-rw-r--r-- 1 root root 62M May 12 14:22 docker-20.10.16.tgz

root@darkstar:/opt# tar xvzf docker-20.10.16.tgz

docker/

docker/docker-init

docker/containerd

docker/ctr

docker/runc

docker/dockerd

docker/docker-proxy

docker/containerd-shim

docker/docker

docker/containerd-shim-runc-v2

root@darkstar:/opt# cd docker

root@darkstar:/opt/docker# ls

containerd* containerd-shim-runc-v2* docker* docker-proxy* runc*

containerd-shim* ctr* docker-init* dockerd*

root@darkstar:/opt/docker#


Does It Seem To Work?


root@darkstar:/opt/docker# export PATH=/opt/docker:$PATH

root@darkstar:/opt/docker# docker run hello-world


[ . . . ]


Hello from Docker!

This message shows that your installation appears to be working correctly.


To generate this message, Docker took the following steps:

1. The Docker client contacted the Docker daemon.

2. The Docker daemon pulled the "hello-world" image from the Docker Hub.

(amd64)

3. The Docker daemon created a new container from that image which runs the

executable that produces the output you are currently reading.

4. The Docker daemon streamed that output to the Docker client, which sent it

to your terminal.


To try something more ambitious, you can run an Ubuntu container with:

$ docker run -it ubuntu bash


Share images, automate workflows, and more with a free Docker ID:

https://hub.docker.com/


For more examples and ideas, visit:

https://docs.docker.com/get-started/


[ . . . ]


root@darkstar:/opt/docker#


Let’s try Ubuntu. :)


root@darkstar:/opt/docker# docker run -it ubuntu bash

Unable to find image 'ubuntu:latest' locally

latest: Pulling from library/ubuntu

125a6e411906: Pull complete

Digest: sha256:26c68657ccce2cb0a31b330cb0be2b5e108d467f641c62e13ab40cbec258c68d

Status: Downloaded newer image for ubuntu:latest


[ . . . ]


root@261db2d76559:/# uname -a

Linux 261db2d76559 5.17.7 #1 SMP PREEMPT Thu May 12 12:45:55 CDT 2022 x86_64 x86_64 x86_64 GNU/Linux

root@261db2d76559:/# cat /etc/os-release

PRETTY_NAME="Ubuntu 22.04 LTS"

NAME="Ubuntu"

VERSION_ID="22.04"

VERSION="22.04 LTS (Jammy Jellyfish)"

VERSION_CODENAME=jammy

ID=ubuntu

ID_LIKE=debian

HOME_URL="https://www.ubuntu.com/"

SUPPORT_URL="https://help.ubuntu.com/"

BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"

PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"

UBUNTU_CODENAME=jammy

root@261db2d76559:~#


Alternatives


On Slackware, two obvious alternatives to the Docker binary install are compiling everything from scratch or using a package system such as Alien’s SlackBuilds or Pkgsrc. Another obvious alternative would be to install Docker in one of Darkstar’s KVM instances running, for example, Debian.


Besides Slackware, this binary Docker install ought to work on any Linux distribution that meets the prerequisites, even though the binary Docker install isn’t recommended for production.


Conclusion


Yaaay! The Docker binary install seems to work on the world’s oldest living Linux distribution! <3 But will this Docker run CapRover and provide one-click web app installs? In a future article we will see! :)


The post Binary Docker For CapRover Web Installs On Any Linux Distribution! appeared first on LowEndBox.