Docker Image Storage - LVM Thinpool


Where should I store my Docker images?

In RHEl 7 or CentOS 7, the default Docker configuration uses devicemapper with loopback. This works perfect for testing or in a development environment...it's a bad idea for production.

Note: RHEL/CentOS Atomic Hosts are pre-configured for dedicated pools.

Steps

Edit the /etc/sysconfig/docker-storage-setup.

# vi /etc/sysconfig/docker-storage-setup

Add the following parameters to the /etc/sysconfig/docker-storage-setup file.

#STORAGE_DRIVER
#DEVS=/dev/sdd
VG=dockervg
GROWPART=enable
AUTO_EXTEND_POOL=enable
MIN_DATA_SIZE=8G
POOL_AUTOEXTEND_THRESHOLD=60
POOL_AUTOEXTEND_PERCENT=10

Stop Docker.

# systemctl stop docker

Remove any existing docker storage configuration file.

# rm -f /etc/sysconfig/docker-storage

Remove existing Docker location.

 # rm -f /var/lib/docker

Create a physical volume--in this example, /dev/sdd (and it is 20GB). Use the pvs and/or the fdisk -l command to verify you are working with the correct device/disk.

# pvcreate /dev/sdd

Create a volume group (i.e. dockervg). Volume group name must be the same name you specified in the /etc/sysconfig/docker-storage-setup file under the VG parameter.

# vgcreate dockervg /dev/sdd

Run the docker-storage-setup configuration tool.

# /bin/docker-storage-setup

Run the lvs command to check things out.

# lvs
LV          VG       Attr       LSize  Pool Origin Data%  Meta%  Move Log Cpy%Sync
docker-pool dockervg twi-a-t---  8.00g             0.00   0.16   

Now we have a 8GB LVM thinpool for our Docker images. Wait...I thought the disk was 20GB.

Let's extend it. Run the vgdisplay command to check how much space is left in the volume group. In my case...3059 Extents are free

# vgdisplay dockervg
  --- Volume group ---
  ...
  Free  PE / Size       3059 / 12.00 GB

Now extend.

lvextend -l +3059 /dev/dockervg/docker-pool

Run the lvs command again.

# lvs
LV          VG       Attr       LSize  Pool Origin Data%  Meta%  Move Log Cpy%Sync
docker-pool dockervg twi-a-t--- 19.95g             0.16   0.24 

Much better.

Crank Docker back up.

# systemctl start docker

Finally, verify.

# docker info
...
Storage Driver: devicemapper
Pool Name: dockervg-docker--pool
Pool Blocksize: 524.3 kB
Base Device Size: 10.74 GB
Backing Filesystem: xfs
Data file: 
Metadata file: 
Data Space Used: 34.6 MB
Data Space Total: 21.42 GB
Data Space Available: 21.39 GB
Metadata Space Used: 61.44 kB
Metadata Space Total: 25.17 MB
Metadata Space Available: 25.1 MB
Thin Pool Minimum Free Space: 2.142 GB
Udev Sync Supported: true
Deferred Removal Enabled: true
Deferred Deletion Enabled: false
Deferred Deleted Device Count: 0
Library Version: 1.02.135-RHEL7 (2016-11-16)

Naturally, you will want to keep your LVM thinpool "lean and clean". Check out How to delete unused Docker images for more details.

Using systemd to start Docker containers


Scenario

You want to automatically start Docker containers at boot and/or you wish to give your system administrators a familiar way to start and stop Docker containers using the systemctl command.

Prerequisites

You have a Docker container running with a unique name (i.e. my-web-server).

# docker run -d --name my-web-server --restart-always -p 80:80 -v /mnt/my-web-server-logs:/var/logs rhscl/httpd-24-rhel7

Step #1

Create a system service unit file as root in the "/etc/systemd/system" directory.

# vi /etc/systemd/system/docker-my-web-server.service

Add the following contents to the "docker-my-web-server.service" unit file.

[Unit]
Description=My Web Server Docker Container
Requires=docker.service
After=docker.service

[Service]
Restart=always
ExecStart=/usr/bin/docker start -a my-web-server
ExecStop=/usr/bin/docker stop -t 2 my-web-server

[Install]
WantedBy=default.target

Step #2

Change the permissions of the unit file.

# chmod 664 /etc/systemd/system/docker-my-web-server.service

Step #3

Reload systemd.

# systemctl daemon-reload

Step #4

Enable new service to start at boot.

# systemctl enable docker-my-web-server.service

Start/Stop new service using systemctl

# systemctl stop docker-my-web-server.service
# systemctl start docker-my-web-server.service

For additional information on using systemd to start and stop Docker containers, visit Red Hat's documentation regarding Creating Custom Unit Files or Docker's documentation Automatically start containers.

Security scan a RHEL7 Docker image & container


Scenario

You have a running Docker environment with a RHEL7 base image downloaded and running. The security folks are breathing down your neck for proof that the Docker images and containers are safe. Your challenge...prove it.

We will utilize the Open-Source Security Content Automation Protocol (OSCAP) tool specifically for Docker (oscap-docker).

We will install the packages provided through the Red Hat/CentOS channels but the packages are available at the link below if you prefer to download it direct.
https://github.com/OpenSCAP/container-compliance

Prerequisites

Install the openscap-utils package which contains the oscap-docker command.

# yum install openscap-utils -y

Additionally, install the SCAP Security Guide which provides predefined security policies (i.e. PCI DSS). You can also create custom security policies if you wish.

# yum install scap-security-guide -y

Create a directory where to store your scan results.

# mkdir /oscap

CVE Scans

Perform a Common Vulnerabilities and Exposures (CVE) scan of a Docker image.

# oscap-docker image-cve myprivatedockerregistry:5000/mydockerimage --results /oscap/mydockerimage-results-cve.xml --report /oscap/mydockerimage-report-cve.html

Perform the same CVE scan of a container.

# oscap-docker container-cve mycontainer --results /oscap/mycontainer-results-cve.xml --report /oscap/mycontainer-report-cve.html

PCI DSS Scans

Perform a Payment Card Industry Data Security Standard (PCI DSS) scan of a Docker image.

oscap-docker image myprivatedockerregistry:5000/mydockerimage xccdf eval --results /oscap/mydockerimage-results-pci-dss.xml --report /oscap/mydockerimage-report-pci-dss.html --profile xccdf_org.ssgproject.content_profile_pci-dss /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml

Perform the same PCI DSS scan of a container.

oscap-docker container mycontainer xccdf eval --results /oscap/mycontainer-results-pci-dss.xml --report /oscap/mycontainer-report-pci-dss.html --profile xccdf_org.ssgproject.content_profile_pci-dss /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml

The oscap-docker command uses the same switches and parameters as the oscap command.

For additional information, check the man page.

# man oscap-docker

I highly recommend patching your Docker image before running the scans (primarily the CVE scan). An all "green" scan equals a happy security department. To learn how to patch RHEL7 Docker images, click here.

Docker syslog driver to local facility


Scenario

You have Docker installed and want to send your Docker logs (default is json-file) to a local syslog facility (i.e. local6).

You can use the --log-driver=VALUE with the docker run command to configure the container’s logging driver or you can set the parameter globally in the docker daemon configuration file. This is useful when using container orchestration such as Kubernetes or Apache Mesos.

Step #1

Edit the docker configuration file (/etc/sysconfig/docker on RHEL/CentOS based systems).

# vi /etc/sysconfig/docker

Add the log driver parameter (--log-driver=syslog --log-opt syslog-facility=local6 --log-level=warn) to the OPTIONS line.

# /etc/sysconfig/docker

# Modify these options if you want to change the way the docker daemon runs
OPTIONS='--selinux-enabled --log-driver=syslog --log-opt syslog-facility=local6 --log-level=warn'

DOCKER_CERT_PATH=/etc/docker

# If you want to add your own registry to be used for docker search and docker
# pull use the ADD_REGISTRY option to list a set of registries, each prepended
# with --add-registry flag. The first registry added will be the first registry
# searched.
ADD_REGISTRY=''

# If you want to block registries from being used, uncomment the BLOCK_REGISTRY
# option and give it a set of registries, each prepended with --block-registry
# flag. For example adding docker.io will stop users from downloading images
# from docker.io
# BLOCK_REGISTRY='--block-registry'

# If you have a registry secured with https but do not have proper certs
# distributed, you can tell docker to not look for full authorization by
## adding the registry to the INSECURE_REGISTRY line and uncommenting it.
INSECURE_REGISTRY=''

# On an SELinux system, if you remove the --selinux-enabled option, you
# also need to turn on the docker_transition_unconfined boolean.
# setsebool -P docker_transition_unconfined 1

# Location used for temporary files, such as those created by
# docker load and build operations. Default is /var/lib/docker/tmp
# Can be overriden by setting the following environment variable.
# DOCKER_TMPDIR=/var/tmp

# Controls the /etc/cron.daily/docker-logrotate cron job status.
# To disable, uncomment the line below.
# LOGROTATE=false

Restart the docker daemon.

# systemctl restart docker

Step #2

Configure the syslog daemon to listen on local6 and write logs to specified location.

Create a new file in /etc/rsyslog.d called docker.conf.

# vi /etc/rsyslog.d/docker.conf

Add the following line to the /etc/rsyslog.d/docker.conf file.

local6.*    -/var/log/docker/docker.log

Make sure that /var/log/docker exists.

# mkdir /var/log/docker

Restart the rsyslog daemon

# systemctl restart rsyslog

Start a Docker container or two. You will be now able to view all Docker logs in /var/log/docker/docker.log.

For additional information on configuring Docker's logging drivers, please visit https://docs.docker.com/engine/admin/logging/overview.

Experiences patching a RHEL 7.1 base Docker image


Scenario

You have Docker installed on a host system and you want to deploy a patched Red Hat Enterprise Linux base Docker image. I have presented two options and have shown several challenges that I had to overcome.


Option #1

Start an interactive shell into a RHEL 7.1 docker container.

# docker run -it registry.access.redhat.com/rhel7.1 bash

Run yum update inside the container.

 [root@0e439b6c0ec6 /]# yum update -y
Loaded plugins: product-id, subscription-manager

https://mysatelliteserver/pulp/repos/myorganization/myenvironment/mycontentview/content/dist/rhel/server/7/7Server/x86_64/os/repodata/repomd.xml: [Errno 14] HTTPS Error 404 - Not Found
Trying other mirror.


 One of the configured repositories failed (Red Hat Enterprise Linux 7 Server (RPMs)),
 and yum doesn't have enough cached data to continue. At this point the only
 safe thing yum can do is fail. There are a few ways to work "fix" this:

     1. Contact the upstream for the repository and get them to fix the problem.

     2. Reconfigure the baseurl/etc. for the repository, to point to a working
        upstream. This is most often useful if you are using a newer
        distribution release than is supported by the repository (and the
        packages for the previous distribution release still work).

     3. Disable the repository, so yum won't use it by default. Yum will then
        just ignore the repository until you permanently enable it again or use
        --enablerepo for temporary usage:

            yum-config-manager --disable rhel-7-server-rpms

     4. Configure the failing repository to be skipped, if it is unavailable.
        Note that yum will try to contact the repo. when it runs most commands,
        so will have to try and fail each time (and thus. yum will be be much
        slower). If it is a very temporary problem though, this is often a nice
        compromise:

            yum-config-manager --save --setopt=rhel-7-server-rpms.skip_if_unavailable=true

failure: repodata/repomd.xml from rhel-7-server-rpms: [Errno 256] No more mirrors to try.

https://mysatelliteserver/pulp/repos/myorganization/myenvironment/mycontentview/content/dist/rhel/server/7/7Server/x86_64/os/repodata/repomd.xml: [Errno 14] HTTPS Error 404 - Not Found

Ugh! We hit an error. If you encounter the same error, then you need to specify the Red Hat release version using the "--releasever" yum parameter. See below.

[root@0e439b6c0ec6 /]# yum update -y --releasever=7.1
 Loaded plugins: product-id, subscription-manager
Resolving Dependencies
--> Running transaction check
---> Package bash.x86_64 0:4.2.46-12.el7 will be updated
 ...
Retrieving key from file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
Importing GPG key 0xFD431D51:
 Userid     : "Red Hat, Inc. (release key 2) <security@redhat.com>"
 Fingerprint: 567e 347a d004 4ade 55ba 8a5f 199e 2f91 fd43 1d51
 Package    : redhat-release-server-7.1-1.el7.x86_64 (@koji-override-1/7.0)
 From       : /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
Importing GPG key 0x2FA658E0:
 Userid     : "Red Hat, Inc. (auxiliary key) <security@redhat.com>"
 Fingerprint: 43a6 e49c 4a38 f4be 9abf 2a53 4568 9c88 2fa6 58e0
 Package    : redhat-release-server-7.1-1.el7.x86_64 (@koji-override-1/7.0)
 From       : /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
Running transaction check
Running transaction test


Transaction check error:
  file /usr/lib64/libsystemd-daemon.so.0 from install of systemd-libs-219-19.el7.x86_64 conflicts with file from package systemd-container-libs-208.20-6.el7.x86_64
  file /usr/lib64/libsystemd-id128.so.0 from install of systemd-libs-219-19.el7.x86_64 conflicts with file from package systemd-container-libs-208.20-6.el7.x86_64
  file /usr/lib64/libsystemd-journal.so.0 from install of systemd-libs-219-19.el7.x86_64 conflicts with file from package systemd-container-libs-208.20-6.el7.x86_64
  file /usr/lib64/libsystemd-login.so.0 from install of systemd-libs-219-19.el7.x86_64 conflicts with file from package systemd-container-libs-208.20-6.el7.x86_64
  file /usr/lib64/libudev.so.1 from install of systemd-libs-219-19.el7.x86_64 conflicts with file from package systemd-container-libs-208.20-6.el7.x86_64
  file /usr/lib64/security/pam_systemd.so from install of systemd-libs-219-19.el7.x86_64 conflicts with file from package systemd-container-libs-208.20-6.el7.x86_64

Error Summary
-------------

Again, we hit another error. This error is a known Red Hat Bug (1284056). The good news is that there is a work around.

[root@0e439b6c0ec6 /]# yum --releasever=7.1 swap -y -- remove systemd-container\* -- install systemd systemd-libs
 Loaded plugins: product-id, subscription-manager
Resolving Dependencies
--> Running transaction check
---> Package systemd.x86_64 0:219-19.el7 will be installed
...
 Complete!
 [root@0e439b6c0ec6 /]# yum update -y --releasever=7.1
 Loaded plugins: product-id, subscription-manager
Resolving Dependencies
--> Running transaction check
---> Package bash.x86_64 0:4.2.46-12.el7 will be updated
...
 Complete!

Bingo! A completely patched RHEL 7.1 Docker image. The final step is to commit the changes. Exit your running container by typing "exit" and then run a docker commit command.

# docker commit 0e439b6c0ec6 myprivatedockerregistry:5000/rhel7.1-patched

Golden! And the security department is happy!!


Option #2

Now for the easy way. Create a Dockerfile with the below contents.

FROM registry.access.redhat.com/rhel7.1

RUN yum clean all && \
    yum --releasever=7.1 swap -y -- remove systemd-container\* -- install systemd systemd-libs && \
    yum update -y --releasever=7.1 && \
    yum clean all

Run the docker build command and you're done!

# docker build -t myprivatedockerregistry:5000/rhel7.1-patched .