The above linked Editorial discussed similarities between obsolescence and abstraction. The Editorial traced these similarities all the way from hardware to the modern web.
Docker was mentioned in the Editorial as an important method of operating system abstraction. Docker containerization allows running the same software in very different operating system environments.
For Low End LOLs it seemed a fun project to try getting CapRover driven one-click web installs going on the world’s oldest living Linux distribution, Slackware.
Docker makes available Linux static binaries for both the Docker daemon and the Docker client. Static binaries also were mentioned in the above linked Editorial as another method of distribution agnosticism. So here we are, using one method of abstraction, static binaries, to install yet another method of abstraction, Docker, for the purpose of installing a third method of abstraction, CapRover. LOL!
Reasons Not To Do This In Real Life!
Docker warns us against the binary install method for production systems:
We do not recommend installing Docker using binaries in production environments as they will not be updated automatically with security updates. The Linux binaries described on this page are statically linked, which means that vulnerabilities in build-time dependencies are not automatically patched by security updates of your Linux distribution.
Let’s check our latest Slackware64-current OS to see whether Slackware64-current satisfies all of the prerequisites for a 64 bit binary install of Docker.
root@darkstar:~# getconf LONG_BIT
Linux kernel version 3.10 or higher
root@darkstar:~# uname -r
Iptables version 1.4 or higher
root@darkstar:~# iptables --version
iptables v1.8.8 (legacy) ✅
Git version 1.7 or higher
root@darkstar:~# git --version
git version 2.36.1 ✅
A ps executable
root@darkstar:~# ps --version
ps from procps-ng 3.3.17 ✅
XZ utilities version 3.9 or higher
root@darkstar:~# xz --version
xz (XZ Utils) 5.2.5 ✅
Properly mounted cgroupfs hierarchy
root@darkstar:~# ls /proc/cgroups
root@darkstar:~# ls /sys/fs | grep cgroup
root@darkstar:~# ls /sys/fs/cgroup/
blkio/ cpuacct/ devices/ freezer/ misc/ net_prio/ pids/
cpu/ cpuset/ elogind/ memory/ net_cls/ perf_event/ systemd@
root@darkstar:~# mountpoint /sys/fs/cgroup
/sys/fs/cgroup is a mountpoint
root@darkstar:~# cat /proc/cgroups
#subsys_name hierarchy num_cgroups enabled
cpuset 1 1 1
cpu 2 1 1
cpuacct 3 1 1
blkio 4 1 1
memory 5 1 1
devices 6 1 1
freezer 7 1 1
net_cls 8 1 1
perf_event 9 1 1
net_prio 10 1 1
pids 11 1 1
misc 12 1 1
root@darkstar:~# cat /sys/fs/cgroup/memory/memory.use_hierarchy
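The prerequisite checks above can be collected into one script. This is an added example, not part of the original post or of Docker's documentation; the function names are made up here, and the minimum versions are the ones listed above.

```shell
#!/bin/sh
# Added example: check tool versions against the minimums listed above.

# Print the first dotted version number in a string ("iptables v1.8.8" -> 1.8.8).
extract_version() {
    printf '%s\n' "$1" | grep -oE '[0-9]+(\.[0-9]+)+' | head -n 1
}

# Return 0 when version $1 >= version $2, comparing numeric fields in order,
# so that 1.10 ranks above 1.4 (a plain string comparison gets this wrong).
version_ge() {
    have=$1 want=$2
    while [ -n "$want" ]; do
        h=${have%%.*} w=${want%%.*}
        [ "${h:-0}" -gt "$w" ] && return 0
        [ "${h:-0}" -lt "$w" ] && return 1
        case $have in *.*) have=${have#*.} ;; *) have= ;; esac
        case $want in *.*) want=${want#*.} ;; *) want= ;; esac
    done
    return 0
}

# check_min NAME MINIMUM OUTPUT: succeed only if OUTPUT carries a version >= MINIMUM.
check_min() {
    found=$(extract_version "$3")
    [ -n "$found" ] || { echo "FAIL $1: no version in output"; return 1; }
    if version_ge "$found" "$2"; then
        echo "ok   $1 $found (need $2)"
    else
        echo "FAIL $1 $found (need $2)"; return 1
    fi
}

# Run every check against the live host; the exit status is the failure count.
check_host() {
    fails=0
    [ "$(getconf LONG_BIT)" = 64 ] || { echo "FAIL not a 64-bit userland"; fails=$((fails + 1)); }
    check_min kernel   3.10 "$(uname -r)"                       || fails=$((fails + 1))
    check_min iptables 1.4  "$(iptables --version 2>/dev/null)" || fails=$((fails + 1))
    check_min git      1.7  "$(git --version 2>/dev/null)"      || fails=$((fails + 1))
    check_min xz       3.9  "$(xz --version 2>/dev/null)"       || fails=$((fails + 1))
    command -v ps >/dev/null || { echo "FAIL no ps executable"; fails=$((fails + 1)); }
    mountpoint -q /sys/fs/cgroup || { echo "FAIL cgroupfs not mounted"; fails=$((fails + 1)); }
    return "$fails"
}

# Only touch the host when asked to: sh check-prereqs.sh --live
if [ "${1:-}" = "--live" ]; then check_host; fi
```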
AppArmor And SELinux
Neither AppArmor nor SELinux seems to be installed in the default Slackware64-current. But neither of these is a Docker prerequisite. Also, both could be less necessary in a Lab environment like Darkstar than in a production system.
root@darkstar:~# cat /sys/kernel/security/apparmor/profiles
cat: /sys/kernel/security/apparmor/profiles: No such file or directory
-bash: sestatus: command not found
Docker Daemon Security
root@darkstar:~# ls /boot/config
root@darkstar:~# file /boot/config
/boot/config: symbolic link to config-huge-5.17.7.x64
root@darkstar:~# grep CONFIG_SECCOMP= /boot/config
Remapping Docker containers to run as unprivileged users is a method of preventing privilege escalation attacks from inside containers. The idea is to remap container user IDs to unprivileged host IDs. The remapping is done by Linux user namespaces, and the ID ranges they use are configured in /etc/subuid and /etc/subgid. Neither of these files exists in the default Slackware64-current distribution.
root@darkstar:~# ls /etc/subuid /etc/subgid
/bin/ls: cannot access '/etc/subuid': No such file or directory
/bin/ls: cannot access '/etc/subgid': No such file or directory
In Darkstar’s non-production Lab environment, we are less worried about privilege escalation attacks because most Darkstar users already have root privileges. Therefore, we are not installing user remapping for today’s test.
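For reference, this is how an /etc/subuid entry turns a container UID into a host UID once Docker's `userns-remap` daemon option is in use. It is an added example, not part of the original post: the sample entries are constructed, and `host_uid` and `overlaps` are hypothetical helper names.

```shell
#!/bin/sh
# Added example: how a subordinate-ID entry maps container UIDs to host UIDs.

# Constructed sample of /etc/subuid (format: name:first_host_id:count).
SAMPLE_SUBUID='# constructed sample, not taken from darkstar
dockremap:165536:65536
alice:100000:65536'

# host_uid USER CONTAINER_UID [FILE_CONTENT]
# Print the host UID that CONTAINER_UID becomes inside USER's range.
# Returns 1 if USER has no entry, 2 if the UID falls outside the range
# (such a UID has no mapping in the namespace at all).
host_uid() {
    entry=$(printf '%s\n' "${3:-$SAMPLE_SUBUID}" | grep -E "^$1:[0-9]+:[0-9]+$" | head -n 1)
    [ -n "$entry" ] || return 1
    rest=${entry#*:}
    start=${rest%%:*} count=${rest#*:}
    [ "$2" -ge 0 ] && [ "$2" -lt "$count" ] || return 2
    echo $((start + $2))
}

# overlaps [FILE_CONTENT]
# Print pairs of users whose host ID ranges overlap and return 1 if any do.
# Overlapping ranges would let two remapped users own each other's files.
overlaps() {
    printf '%s\n' "${1:-$SAMPLE_SUBUID}" | awk -F: '
        BEGIN { n = 0 }
        /^[^#:]+:[0-9]+:[0-9]+$/ {
            for (i = 0; i < n; i++)
                if ($2 < s[i] + c[i] && s[i] < $2 + $3) { print u[i], $1; bad = 1 }
            u[n] = $1; s[n] = $2; c[n] = $3; n++
        }
        END { exit bad }'
}

# Container root (UID 0) lands on an unprivileged host UID.
echo "container uid 0    -> host uid $(host_uid dockremap 0)"
echo "container uid 1000 -> host uid $(host_uid dockremap 1000)"
overlaps && echo "no overlapping ranges in the sample"
```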
Setting Up Our Ability to Revert
Since we’re installing Docker from a non-Slackware source, and since the install is a binary produced by Docker, we’re going to put Docker in the /opt directory.
Being able to revert is probably always a great idea, even though there isn’t yet much in /opt:
root@darkstar:~# cd /
root@darkstar:/# ls -l | grep opt
drwxr-xr-x 2 root root 4096 Jun 10 2007 opt/
root@darkstar:/# ls opt
root@darkstar:/# tar cvf opt-revert.tar opt
root@darkstar:/# ls opt-revert.tar
root@darkstar:/# cd opt/
Downloading And Installing Docker Binaries
root@darkstar:/opt# time wget -q https://download.docker.com/linux/static/stable/x86_64/docker-20.10.16.tgz
root@darkstar:/opt# ls -lh
-rw-r--r-- 1 root root 62M May 12 14:22 docker-20.10.16.tgz
root@darkstar:/opt# tar xvzf docker-20.10.16.tgz
root@darkstar:/opt# cd docker
containerd* containerd-shim-runc-v2* docker* docker-proxy* runc*
containerd-shim* ctr* docker-init* dockerd*
Does It Seem To Work?
root@darkstar:/opt/docker# export PATH=/opt/docker:$PATH
root@darkstar:/opt/docker# docker run hello-world
[ . . . ]
Hello from Docker!
This message shows that your installation appears to be working correctly.
To generate this message, Docker took the following steps:
1. The Docker client contacted the Docker daemon.
2. The Docker daemon pulled the "hello-world" image from the Docker Hub.
3. The Docker daemon created a new container from that image which runs the
executable that produces the output you are currently reading.
4. The Docker daemon streamed that output to the Docker client, which sent it
to your terminal.
To try something more ambitious, you can run an Ubuntu container with:
$ docker run -it ubuntu bash
Share images, automate workflows, and more with a free Docker ID:
For more examples and ideas, visit:
[ . . . ]
Let’s try Ubuntu. :)
root@darkstar:/opt/docker# docker run -it ubuntu bash
Unable to find image 'ubuntu:latest' locally
latest: Pulling from library/ubuntu
125a6e411906: Pull complete
Status: Downloaded newer image for ubuntu:latest
[ . . . ]
root@261db2d76559:/# uname -a
Linux 261db2d76559 5.17.7 #1 SMP PREEMPT Thu May 12 12:45:55 CDT 2022 x86_64 x86_64 x86_64 GNU/Linux
root@261db2d76559:/# cat /etc/os-release
PRETTY_NAME="Ubuntu 22.04 LTS"
VERSION="22.04 LTS (Jammy Jellyfish)"
On Slackware, two obvious alternatives to the Docker binary install include compiling everything from scratch and also using a package system such as Alien’s SlackBuilds or Pkgsrc. Another obvious alternative would be to install Docker in one of Darkstar’s KVM instances running, for example, Debian.
Besides Slackware, this binary Docker install ought to work on any Linux distribution that meets the prerequisites, even though the binary install isn’t recommended for production.
Yaaay! The Docker binary install seems to work on the world’s oldest living Linux distribution! <3 But will this Docker run CapRover and provide one-click web app installs? In a future article we will see! :)
The post Binary Docker For CapRover Web Installs On Any Linux Distribution! appeared first on LowEndBox.