#docker

      • wilmoore-ops joined the channel
      • brianm
        if just transcoding, assuming you have a budget, use one of the transcoding-as-a-service companies
      • adamjt has quit
      • mcoffee
        brianm: merging WebM video with WAVE sounds.
      • brianm
        no idea about an alt
      • but docker is a great way to deploy once you get it working :-)
      • mcoffee
        brianm: yep, from the looks of it Docker does seem promising. However, someone pointed out that I need a minimum kernel version. 3.8+ that is.
      • brianm
        today yeah
      • which is hard in some places
      • bspang has left the channel
      • gotta run :-(
      • brianm has quit
      • mcoffee
        brianm: but hey thanks.
      • shiranaihito has quit
      • derferman
        how do I export an image I build using a Dockerfile?
      • do I have to start a container and then export that?
      • wilmoore-ops has quit
      • smathieu_ joined the channel
      • cookednoodles has quit
      • kencochrane joined the channel
      • cmars232 has quit
      • smathieu has quit
      • arothfusz
        derferman: I have only gotten `docker export` to work with a container (vs an image)
      • I don't know what the expected usage is (like, why wouldn't I want to export an image?)
      • derferman
        yeah, it seems strange
      • especially since docker build creates an image
      • my workflow right now is: docker build -> docker export -> host image on s3
      • because I don't want to setup a private index yet
      • arothfusz
        I wonder if it needs to export from a container because it needs a read/write layer? Not sure. Could just be an oversight.
      • If you need it, file it as a bug/enhancement
      • (after searching to see if it is already requested)
      • natea joined the channel
      • cduez_ has quit
      • dm73 has left the channel
      • brye has quit
      • Mistobaan has quit
      • patcito has quit
      • kstaken joined the channel
      • amyers joined the channel
      • thrashr888 joined the channel
      • cezary has quit
      • YannisP has quit
      • natea has quit
      • kalessin has quit
      • dscape
        Does anyone have a clue why I could get a Connection refused on curl localhost:5984 after expose 5984 and -p 5984?
      • frenchtoast has quit
      • dsissitka
        dscape: Host Port != Container Port
      • 5984 is the container port you've exposed.
      • You can specify a host port with -p (Host Port):(Container Port).
      • Or see what port was randomly assigned with "docker ps" or "docker port (Container) (Container Port)".
      • aledbf has quit
      • dscape
        thanks dsissitka
      • mattmueller has quit
      • dsissitka: you are a genius
      • I was wondering how this was done
      • BRMatt has quit
      • thrashr888 has quit
      • gaffo
        so I'm working on some howto blog posts on using docker for development. I'd love for people to tell me where I'm being stupid: http://blog.confabulus.com/2013/07/30/developin...
      • I'm doing it while learning so I'm sure I'm being stupid
      • smathieu_ has quit
      • jpetazzo
        not necessarily :-)
      • smathieu joined the channel
      • dsissitka
        The -t in docker run isn't for tag.
      • akipp has quit
      • ekidd joined the channel
      • mcoffee has quit
      • ekidd
        What's a good address for reporting security holes in Docker?
      • xmltok has quit
      • Do I just chuck 'em in github issues at this point, or is there an official security team that I can notify privately?
      • Wessie has quit
      • aledbf joined the channel
      • r04r is now known as r04r|away
      • Wessie joined the channel
      • mcclurmc has quit
      • Joel_re joined the channel
      • dsissitka
        Might be worth bugging one of the dotCloud folks. shykes?
      • belak has quit
      • shykes
        hey - yeah just open an issue
      • mboersma has quit
      • docker is not yet advertised as production-ready
      • kencochrane has quit
      • mboersma joined the channel
      • ekidd
        This is a really easy escalation from a regular user on the host system to root on the host system, using Docker's containerized root account to boost my privs.
      • shykes
        or if you really feel it needs to be kept quiet and prefer to ping me privately, feel free, just use your best judgement
      • from non-root inside the container, to root inside the same container?
      • or from non-root on the host, to root inside a container
      • ekidd
        Non-root on the host to root on the host.
      • Once docker is installed, any host user can escalate to root.
      • dockerbot joined the channel
      • dockerbot
        [docker] steeve opened pull request #1368: Handle ip route showing mask-less IP addresses (master...patch-1) http://git.io/XCeNMg
      • dockerbot has left the channel
      • ekidd
        shykes: It's stupidly simple. I'll msg you
      • shykes
        right, that's known behavior, but it can't hurt to make it more clear in the docs
      • the remote api listens on 127.0.0.1 by default so any process on the host can control docker
      • weehuy has quit
      • ekidd
        As you can see, there's no need to touch the daemon.
      • shykes
        'docker run' always talks to the daemon
      • ekidd
        Well, fair enough.
      • I found it rather surprising, in any case.
      • shykes
        if the docker daemon is configured to listen on a unix socket, with proper permissions on the unix socket, then you can restrict access to certain users on the host
      • berto-
        what is the right way of exporting an image? i just did `docker run <image> echo; docker ps -a | head; docker export <id from ps> > foo.tar` … seems dirty. :-P
      • shykes
        but in any case, if you're allowed to docker run, you can get root access on the host, that's correct
      • docker cannot handle multi-tenant administration on its own, at least not currently
      • ekidd: at the very least we should make that clearer in the docs
      • ekidd
        shykes: I'm happy to report it as an issue.
      • shykes
        ekidd: I was going to ask if you felt like making a pull request to add the warning in the docs :)
      • dsissitka
        berto-: At the moment you can't export images. Maybe +1 https://github.com/dotcloud/docker/issues/349?
      • shykes
        but otherwise, an issue is also good
      • rsampaio_ joined the channel
      • ekidd
        Yeah, it seems like it's worth reporting in the docs pretty prominently. It means that a dev laptop with docker installed gets a free, passwordless su.
      • josephholsten joined the channel
      • dsissitka
        So, to confirm, Docker isn't giving unprivileged users unrestricted root access? Just what's exposed by the CLI?
      • Joel_re_ joined the channel
      • s/CLI/API/ even.
      • ekidd
        dsissitka: Anyone who can call 'docker run' successfully can get root trivially. The command-line fits in a tweet.
      • I'll report an issue shortly.
      • berto-
        dsissitka: thanks.
      • shykes
        yeah that is a problem
      • I guess it was made more acute by allowing external bind-mounts
      • dsissitka
        Ah
      • Joel_re has quit
      • kstaken has quit
      • Joel_re_ has quit
      • aledbf has quit
      • mmilano joined the channel
      • Joel_re joined the channel
      • thrashr888 joined the channel
      • skorfmann joined the channel
      • kstaken joined the channel
      • jfoy has quit
      • smathieu has quit
      • derferman has quit
      • garrettux joined the channel
      • akipp joined the channel
      • dablitz has quit
      • kstaken has quit
      • dablitz joined the channel
      • Ahhh, I thought you were just going to mount /etc and modify shadow. Nice.
      • thrashr888 has quit
      • garrettux has quit
      • shykes
        I think mount -o nosuid will take care of this particular exploit. But then you can still modify file contents
      • mboersma has quit
      • mboersma joined the channel
      • kstaken joined the channel
      • calavera has quit
      • mdaniel has left the channel
      • shykes has quit
      • kstaken has quit
      • muloka has quit
      • aledbf joined the channel