Running Docker on ARM
3 likes1,751 views
This document discusses running Docker on ARM devices like the Raspberry Pi. It provides an overview of options for installing Docker on ARM, including using HypriotOS, an optimized Docker-focused OS, or installing on Raspbian. It also discusses the current state of Docker support for ARM architectures and addresses security issues like the "Dirty COW" vulnerability.
Running Docker on ARM
- 1. Dieter Reuter @Quintus23M Docker Captain & Docker Pirate Running Docker on ARM
- 2. Docker on ARM why? use cases current state Agenda HypriotOS release 1.0 just flash it Raspbian install Docker secure kernel
- 3. Docker on ARM - Why?
- 4. • Education, learn containers • Learning cloud principles • Hands-on cluster • Enable students & even kids (Raspberry Pi) • Use creativity to build the future of IoT devices Docker on ARM learn Docker on >10 millions cheap Raspberry Pi’s
- 6. • Docker 1.12.1 (Raspbian/Jessie, ARMv6) - Aug 18th • Docker 1.12.3 (Ubuntu/Trusty, ARMv7) - Oct 26th • Docker 1.13.0 (Debian/Jessie, ARMv7) - coming soon, Dec’16 • other Docker tools are available on ARM, too Current status Docker on ARM is widely available now!
- 7. HypriotOS Docker on ARM - the easy way
- 8. • 1.0.0 (Aug 18th) - Docker Engine 1.12.1 (officially build by Docker CI) - 232MB instead of 504MB download • 1.0.1 (Sep 2nd) - enable Kubernetes (cgroup_enable=cpuset) • 1.1.0 (Oct 12th) - Docker Engine 1.12.2 • 1.1.1 (Nov 14th) - Kernel 4.4.27 (security fix, Dirty COW) - Docker Engine 1.12.3 HypriotOS - 1.x
- 9. For Linux and Mac Small helper script to do all these in just one command: • Download the SD card image • Uncompress it • Set hostname for device • Optionally set WiFi config HypriotOS - just flash it
- 10. Flash HypriotOS $ flash --hostname black-pearl --ssid wifipsk --password wifipwd https://github.com/hypriot/image-builder-rpi/releases/ download/v1.1.1/hypriotos-rpi-v1.1.1.img.zip
- 11. Find your Pi $ ping black-pearl.local # or (depends on your network router) $ ping black-pearl
- 12. Add your SSH key $ ssh-add $ ssh-keygen -R black-pearl.local # HypriotOS: username=pirate, password=hypriot $ ssh-copy-id pirate@black-pearl.local
- 13. Raspbian install Docker the official way
- 14. already enabled for using Docker You can use use LITE and Desktop versions of Raspbian • Kernel comes with essential modules for Docker • it’s not completely optimised, but… • …Docker works quite OK on Raspbian • install Docker with a single command Raspbian
- 15. Flash Raspbian # download Raspbian from https://www.raspberrypi.org/downloads/raspbian/ # of flash it directly $ flash http://director.downloads.raspberrypi.org/raspbian/images/ raspbian-2016-09-28/2016-09-23-raspbian-jessie.zip
- 16. Find your Pi $ ping raspberrypi.local # or (depends on your network router) $ ping raspberrypi
- 17. Add your SSH key $ ssh-add $ ssh-keygen -R raspberrypi.local # Raspbian: username=pi, password=raspberry $ ssh-copy-id pi@raspberrypi.local
- 18. install Docker the official way $ curl -sSL https://get.docker.com/ | sh # add user ‘pi’ to group ‘docker’ $ sudo usermod -aG docker pi
- 19. Dirty COW • Docker Container Escape https://blog.paranoidsoftware.com/ dirty-cow-cve-2016-5195-docker- container-escape/ • Race condition in Linux arising from how Copy-On-Write is handled by the kernel's memory subsystem's use of private mappings.
- 20. Fix Dirty COW, please! # details see https://blog.hypriot.com/post/fix-dirty-cow-on-raspberry-pi/ $ sudo apt-get update $ sudo apt-get install raspberrypi-kernel # reboot your Raspberry Pi !!!
- 21. …stopped Container Breakout $ docker run --rm hypriot/rpi-dirtycow Unable to find image 'hypriot/rpi-dirtycow:latest' locally latest: Pulling from hypriot/rpi-dirtycow 38070c4d0c33: Pull complete a3ed95caeb02: Pull complete 2d2e2d46b9b5: Pull complete Digest: sha256:065d979dd3c48e6488044206ec782628ecf241ef02104610c076949d9881ad0d Status: Downloaded newer image for hypriot/rpi-dirtycow:latest Test for Dirty Cow: $ echo "You are SAFE! " > foo $ chmod 404 foo $ ./dirtyc0w foo "You are VULNERABLE!!!" & $ sleep 2 $ cat foo You are SAFE!