
'-n' flag to 'atomic run' is ignored if 'run' label of image doesn't specify '--name NAME'

Open miabbott opened this issue 7 years ago • 0 comments

Migrated from downstream RHHBZ#1427606; please see BZ for complete information.

The -n flag appears to be ignored if the run label of the image does not have a NAME field specified. Using the cockpit-ws image as an example:

```
# atomic images info registry.access.redhat.com/rhel7/cockpit-ws | grep run:
run: /usr/bin/docker run -d --privileged --pid=host -v /:/host IMAGE /container/atomic-run --local-ssh
```

However, the rsyslog image does have the NAME field in the run label:

```
# atomic images info registry.access.redhat.com/rhel7/rsyslog | grep run:
run: docker run -d --privileged --name NAME --net=host --pid=host -v /etc/pki/rsyslog:/etc/pki/rsyslog -v /etc/rsyslog.conf:/etc/rsyslog.conf -v /etc/sysconfig/rsyslog:/etc/sysconfig/rsyslog -v /etc/rsyslog.d:/etc/rsyslog.d -v /var/log:/var/log -v /var/lib/rsyslog:/var/lib/rsyslog -v /run:/run -v /etc/machine-id:/etc/machine-id -v /etc/localtime:/etc/localtime -e IMAGE=IMAGE -e NAME=NAME --restart=always IMAGE /bin/rsyslog.sh
```

So I can specify a name for the container that is started by atomic run:

```
# atomic run -n my-rsyslog registry.access.redhat.com/rhel7/rsyslog
docker run -d --privileged --name my-rsyslog --net=host --pid=host -v /etc/pki/rsyslog:/etc/pki/rsyslog -v /etc/rsyslog.conf:/etc/rsyslog.conf -v /etc/sysconfig/rsyslog:/etc/sysconfig/rsyslog -v /etc/rsyslog.d:/etc/rsyslog.d -v /var/log:/var/log -v /var/lib/rsyslog:/var/lib/rsyslog -v /run:/run -v /etc/machine-id:/etc/machine-id -v /etc/localtime:/etc/localtime -e IMAGE=registry.access.redhat.com/rhel7/rsyslog -e NAME=my-rsyslog --restart=always registry.access.redhat.com/rhel7/rsyslog /bin/rsyslog.sh

This container uses privileged security switches:

INFO: --net=host 
      Processes in this container can listen to ports (and possibly rawip traffic) on the host's network.

INFO: --pid=host 
      Processes in this container can see and interact with all processes on the host and disables SELinux within the container.

INFO: --privileged 
      This container runs without separation and should be considered the same as root on your system.

For more information on these switches and their security implications, consult the manpage for 'docker run'.

52d27fa1f50fb4023b3cb1f9e6b2b76b46f241df07712732f02ae68cb924a44f
# docker ps
CONTAINER ID        IMAGE                                         COMMAND                  CREATED             STATUS              PORTS               NAMES
52d27fa1f50f        registry.access.redhat.com/rhel7/rsyslog      "/bin/rsyslog.sh"        6 seconds ago       Up 5 seconds                            my-rsyslog
```

In the case of the cockpit-ws container, I could see a separate BZ being opened for it to add the NAME field to the run: label.

However, I think it would also be helpful if the 'atomic' command could determine how to inject the -n NAME value into the docker run command if that NAME field is not in the run: label.

@baude suggested:

@rhatdan , one thing atomic could do is that if -n is used and RUN label is present, we could error out and cite a message. Also then use --ignore to override.

miabbott, Mar 12 '18 14:03
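To make the placeholder behaviour concrete, here is an added illustration (not atomic's own code) of how a run label is expanded and of the three ways the `-n` case could be handled: erroring out, honouring an `--ignore` override (baude's suggestion), or splicing `--name` into the command (miabbott's suggestion). The two labels are the page's own, shortened to the relevant arguments; defaulting the name to the image basename when `-n` is absent is an assumption for the example only.

```python
import shlex

# Placeholders atomic expands inside a LABEL run= template (both appear on the page).
IMAGE_TOKEN = "IMAGE"
NAME_TOKEN = "NAME"

# Run labels from the page, shortened to the arguments that matter here.
COCKPIT_LABEL = "/usr/bin/docker run -d --privileged --pid=host -v /:/host IMAGE /container/atomic-run --local-ssh"
RSYSLOG_LABEL = "docker run -d --privileged --name NAME --net=host -e IMAGE=IMAGE -e NAME=NAME --restart=always IMAGE /bin/rsyslog.sh"


class RunLabelError(ValueError):
    """-n NAME was given but the run label has no NAME placeholder to carry it."""


def _expand(arg, image, name):
    """Replace a placeholder only when it is the whole argument or the value of key=value.

    That keeps `-e NAME=NAME` expanding to `-e NAME=my-rsyslog`, exactly as on the page.
    """
    values = {IMAGE_TOKEN: image, NAME_TOKEN: name}
    key, sep, value = arg.partition("=")
    if not sep:
        return values.get(arg, arg)
    return key + sep + values.get(value, value)


def render_run_label(label, image, name=None, ignore=False, inject=False):
    """Return the argv that `atomic run [-n name] image` would execute for this label.

    When -n is given but the label lacks NAME (the bug reported above):
      default      -> raise RunLabelError instead of silently dropping the name
      ignore=True  -> run the label unchanged (the --ignore override)
      inject=True  -> splice `--name NAME` right after the `run` verb
    Assumption for this example: without -n the name defaults to the image basename.
    """
    argv = shlex.split(label)
    has_name = any(a == NAME_TOKEN or a.partition("=")[2] == NAME_TOKEN for a in argv)
    if name is not None and not has_name:
        if inject:
            run_at = argv.index("run") + 1 if "run" in argv else 1
            argv[run_at:run_at] = ["--name", NAME_TOKEN]
        elif not ignore:
            raise RunLabelError(f"run label of {image} has no NAME placeholder; -n {name} would be ignored")
    if name is None:
        name = image.rsplit("/", 1)[-1]
    return [_expand(a, image, name) for a in argv]
```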