info about running docker-slim in containers and cleanup
kcq committed Nov 15, 2019
1 parent 8b46e57 commit 6f727c1
Showing 8 changed files with 55 additions and 16 deletions.
18 changes: 17 additions & 1 deletion README.md
Original file line number Diff line number Diff line change
Expand Up @@ -94,6 +94,7 @@ Note: The examples are in a separate repository: [https://github.com/docker-slim
- [ORIGINAL DEMO VIDEO](#original-demo-video)
- [DEMO STEPS](#demo-steps)
- [USAGE DETAILS](#usage-details)
- [RUNNING CONTAINERIZED](#running-containerized)
- [DOCKER CONNECT OPTIONS](#docker-connect-options)
- [HTTP PROBE COMMANDS](#http-probe-commands)
- [DEBUGGING MINIFIED CONTAINERS](#debugging-minified-containers)
Expand Down Expand Up @@ -257,6 +258,8 @@ Global options:
* `--tls-verify` - do TLS verification
* `--tls-cert-path` - path to TLS cert files
* `--state-path value` - DockerSlim state base path (must set it if the DockerSlim binaries are not in a writable directory!)
* `--archive-state` - Archives DockerSlim state to the selected Docker volume (default volume - `docker-slim-state`). By default, enabled when DockerSlim is running in a container (disabled otherwise). Set it to `off` to disable explicitly.
* `--in-container` - Set it to true to explicitly indicate that DockerSlim is running in a container (if it's not set DockerSlim will try to analyze the environment where it's running to determine if it's containerized)

To get more command line option information run `docker-slim` without any parameters or select one of the top level commands to get the command-specific information.

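Review bot: the value types of the two new flags are described inconsistently in the `--archive-state` and `--in-container` entries: `--archive-state` takes a volume name or the string `off`, while `--in-container` is set to `true`. State the accepted values for each explicitly, and since the default for `--archive-state` flips depending on whether DockerSlim believes it is containerized, say that the auto-detection can be wrong and that `--in-container` is the way to pin the result rather than relying on it.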
Expand All @@ -274,7 +277,7 @@ To disable the version checks set the global `--check-version` flag to `false` (
* `--show-clogs` - show container logs (from the container used to perform dynamic inspection)
* `--show-blogs` - show build logs (when the minified container is built)
* `--"copy-meta-artifacts` - copy meta artifacts to the provided location
* `--remove-file-artifacts` - remove file artifacts when command is done (note: you'll loose autogenerated Seccomp and Apparmor profiles)
* `--remove-file-artifacts` - remove file artifacts when command is done (note: you'll loose autogenerated Seccomp and Apparmor profiles unless you copy them with the `copy-meta-artifacts` flag or if you archive the state)
* `--tag` - use a custom tag for the generated image (instead of the default: `<original_image_name>.slim`)
* `--entrypoint` - override ENTRYPOINT analyzing image
* `--cmd` - override CMD analyzing image
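Review bot: typo in the new `--remove-file-artifacts` line: "loose" should be "lose", and the referenced flag should be written `--copy-meta-artifacts` to match the other entries. The unchanged line just above still reads `--"copy-meta-artifacts` with a stray double quote, worth fixing while this list is being edited. "if you archive the state" would also be clearer as a reference to the `--archive-state` global flag so readers can find the option.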
Expand Down Expand Up @@ -309,6 +312,19 @@ The `--from-dockerfile` option makes it possible to build a new minified image d

The `--use-local-mounts` option is used to choose how the `docker-slim` sensor is added to the target container and how the sensor artifacts are delivered back to the master. If you enable this option you'll get the original `docker-slim` behavior where it uses local file system volume mounts to add the sensor executable and to extract the artifacts from the target container. This option doesn't always work as expected in the dockerized environment where `docker-slim` itself is running in a Docker container. When this option is disabled (default behavior) then a separate Docker volume is used to mount the sensor and the sensor artifacts are explicitly copied from the target container.

## RUNNING CONTAINERIZED

The current version of `docker-slim` is able to run in containers. It will try to detect if it's running in a containerized environment, but you can also tell `docker-slim` explicitly using the `--in-container` global flag.

You can run `docker-slim` in your container directly or you can use the `docker-slim` container in your containerized environment. If you are using the `docker-slim` container make sure you run it configured with the Docker IPC information, so it can communicate with the Docker daemon. The most common way to do it is by mounting the Docker unix socket to the `docker-slim` container. Some containerized environments (like Gitlab and their `dind` service) might not expose the Docker unix socket to you, so you'll need to make sure the environment variables used to communicate with Docker (e.g., `DOCKER_HOST`) are passed to the `docker-slim` container.

When `docker-slim` runs in a container it will attempt to save its execution state in a separate Docker volume. If the volume doesn't exist it will try to create it (`docker-slim-state`, by default). You can pick a different state volume or disable this behavior completely by using the global `--archive-state` flag. If you do want to persist the `docker-slim` execution state (which includes the `seccomp` and `AppArmor` profiles) without using the state archiving feature you can mount your own volume that maps to the `/bin/.docker-slim-state` directory in the `docker-slim` container.

By default, `docker-slim` will try to create a Docker volume for its sensor unless one already exists. If this behavior is not supported by your containerized environment you can create a volume separately and pass its name to `docker-slim` using the `--use-sensor-volume` flag.

Here's an example of how to use the containerized version of `docker-slim`:
`docker run -it --rm -v /var/run/docker.sock:/var/run/docker.sock dslim/docker-slim build my/sample-python-app-standard`

## DOCKER CONNECT OPTIONS

If you don't specify any Docker connect options `docker-slim` expects to find the following environment variables: `DOCKER_HOST`, `DOCKER_TLS_VERIFY` (optional), `DOCKER_CERT_PATH` (required if `DOCKER_TLS_VERIFY` is set to `"1"`)
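Review bot: the `--use-sensor-volume` flag referenced in the new RUNNING CONTAINERIZED section does not appear in the global options list changed earlier in this commit; add an entry for it next to `--archive-state` and `--in-container` so it is documented with the other options. The example command bind-mounts `/var/run/docker.sock`, which gives the `docker-slim` container full control of the host Docker daemon (effectively root on the host), and the same applies when `DOCKER_HOST` points at an unauthenticated TCP endpoint; one sentence stating that would help readers decide where running the containerized version is acceptable, and it is a natural place to recommend the TLS options documented in the next section.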
@@ -1,10 +1,6 @@
#!/usr/bin/env bash

here="$(dirname "$BASH_SOURCE")"
cd $here
echo `pwd`
ls -lh
set -e

docker build -t docker-slim -f Dockerfile ../../..


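Review bot: `cd $here` is unquoted and runs before `set -e`, so a checkout path containing spaces or a failed `cd` leaves the script in the caller's directory and `docker build ... ../../..` then runs against the wrong build context. Move `set -e` to the top and quote the path: `set -e` followed by `cd "$here"`.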
19 changes: 19 additions & 0 deletions build/package/docker/dockerhub_publish.sh
@@ -0,0 +1,19 @@
#!/usr/bin/env bash

set -e

SOURCE="${BASH_SOURCE[0]}"
while [ -h "$SOURCE" ] ; do SOURCE="$(readlink "$SOURCE")"; done
BDIR="$( cd -P "$( dirname "$SOURCE" )/../../.." && pwd )"

TAG="current"
pushd $BDIR
if hash git 2>/dev/null && [ -e $BDIR/.git ]; then
TAG="$(git describe --tags)"
fi
popd

docker tag docker-slim dslim/docker-slim:$TAG
docker tag docker-slim dslim/docker-slim
docker push dslim/docker-slim:$TAG
docker push dslim/docker-slim
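Review bot: the `TAG="current"` fallback is only reached when `git` is missing or `.git` is absent; in a checkout with no reachable tag, `git describe --tags` exits non-zero and, because the script runs under `set -e`, the assignment aborts the script instead of falling back. Use `TAG="$(git describe --tags 2>/dev/null || echo current)"` inside the `if`. Also quote `$BDIR` in `pushd $BDIR` and `[ -e $BDIR/.git ]`, and note that the unconditional `docker tag`/`docker push dslim/docker-slim` moves the floating default tag on every publish, including builds from untagged commits, so consider pushing the default tag only for releases.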
6 changes: 6 additions & 0 deletions build/package/docker/mac/build.command
@@ -0,0 +1,6 @@
here="$(dirname "$BASH_SOURCE")"
cd $here/..
./build.sh



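Review bot: the three new `.command` files (`build.command`, `dockerhub_login.command`, `dockerhub_publish.command`) have no shebang but rely on the bash-only `$BASH_SOURCE`; if the shell Terminal uses to run them is not bash (zsh is the default login shell on current macOS), `$here` is empty and `cd $here/..` silently becomes `cd ..` from whatever directory Terminal started in, after which `./build.sh` or `./dockerhub_publish.sh` runs from the wrong place. Add `#!/usr/bin/env bash` and `set -e` at the top of each and quote the path (`cd "$here/.."`).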
5 changes: 5 additions & 0 deletions build/package/docker/mac/dockerhub_login.command
@@ -0,0 +1,5 @@
here="$(dirname "$BASH_SOURCE")"
cd $here

docker login

6 changes: 6 additions & 0 deletions build/package/docker/mac/dockerhub_publish.command
@@ -0,0 +1,6 @@
here="$(dirname "$BASH_SOURCE")"
cd $here/..
./dockerhub_publish.sh



8 changes: 0 additions & 8 deletions build/package/docker/tmp_slim_in_docker_example.command

This file was deleted.

3 changes: 1 addition & 2 deletions pkg/system/system_linux.go
Expand Up @@ -35,8 +35,7 @@ func GetSystemInfo() SystemInfo {
func osName() string {
bdata, err := ioutil.ReadFile("/etc/os-release")
if err != nil {
fmt.Printf("error reading /etc/os-release: %v\n", err)
return "other"
return "unknown"
}

if osr, err := NewOsRelease(bdata); err == nil {
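Review bot: removing the `fmt.Printf` is reasonable for a library package (it wrote diagnostics to stdout), but a failure to read `/etc/os-release` is now silently collapsed into `"unknown"`, so callers cannot distinguish a permission or path error from a system that genuinely has no such file. Either keep the error visible at debug level through the logging the rest of the package uses, or change `osName` to return `(string, error)` so `GetSystemInfo` can surface it. Also confirm no caller compares against the old `"other"` sentinel, since the returned value changed.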
