Today dotCloud announced that they have open sourced their LXC container runtime, Docker. This is exciting news because Docker features many important things that have been missing from the stock LXC packages. The two most significant features in my mind are the out-of-the-box support for creating AUFS-based images for true copy-on-write, read-only file systems (similar to how distro live CDs work) and the fast launching of ephemeral containers! With these two components in place, quickly launching sandboxes to run arbitrary code in relative safety is now super easy.
- Access to an Ubuntu Machine or an Ubuntu VM
- Install docker using the instructions here: http://docker.io/gettingstarted.html
Let’s Do It!
The base Docker image is a bare-bones Ubuntu server install. We’re going to use that as a base and create our own image with Node installed.
In case you’d rather just watch, check out the screencast: http://youtu.be/KkSbEvuRbfo
Step 1) Open a terminal and start an instance using the base image. This will launch you into a shell where we can begin to customise the image:
$ sudo docker run -i -t base /bin/bash
Step 2) Install node:
$ apt-get update
$ apt-get install python-software-properties python g++ make
$ add-apt-repository ppa:chris-lea/node.js
$ apt-get update
$ apt-get install nodejs
Note: replace the `python-software-properties` package with `software-properties-common` on Ubuntu 12.10 and above.
Step 3) Next, bake our own image. Open another terminal session, leaving the other one active in the background, then:
$ sudo docker ps
This should show the ID of the running container in the other terminal. Copy it then run:
$ sudo docker commit <paste your container ID here> node
Step 4) Check that the image was created:
$ sudo docker images
If all went to plan you should now be able to see your new image called “node” appearing in the list.
Step 5) Run some code inside your new sandbox:
$ echo "console.log('Hello World');" | sudo docker run -i node /bin/bash -c "cat > hello.js; node hello.js"
And that’s all there is to it! You’ve just successfully run arbitrary code in a safe, secure sandbox. Better still, since it’s based on LXC, there are options for setting resource quotas to limit CPU and memory usage, meaning that denial of service by resource starvation is now a thing of the past.
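The Step 5 invocation does not set any of those quotas itself. The following is an added example, not from the original post, that applies them to the same stdin-piped run; it assumes flags from the current Docker CLI rather than the release described here, and the limit values, `SANDBOX_*` variables and function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the post): Step 5 with explicit quotas.
# Flags are from the current Docker CLI; limits are constructed sample values.
SANDBOX_IMAGE="${SANDBOX_IMAGE:-node}"      # image committed in Step 3
SANDBOX_MEM="${SANDBOX_MEM:-128m}"          # hard memory cap
SANDBOX_CPUS="${SANDBOX_CPUS:-0.5}"         # fraction of one CPU
SANDBOX_PIDS="${SANDBOX_PIDS:-64}"          # process-count cap
SANDBOX_CPU_SECS="${SANDBOX_CPU_SECS:-5}"   # CPU seconds per process

is_uint() { case "$1" in ''|*[!0-9]*) return 1 ;; esac; }

# Reject malformed limits so a config value cannot smuggle in extra flags.
check_limits() {
    [ "${SANDBOX_MEM%[kmg]}" != "$SANDBOX_MEM" ] || return 1  # unit required
    is_uint "${SANDBOX_MEM%[kmg]}" || return 1
    case "$SANDBOX_CPUS" in
        *.*) is_uint "${SANDBOX_CPUS%%.*}" && is_uint "${SANDBOX_CPUS#*.}" || return 1 ;;
        *)   is_uint "$SANDBOX_CPUS" || return 1 ;;
    esac
    is_uint "$SANDBOX_PIDS" && is_uint "$SANDBOX_CPU_SECS"
}

# Print the docker run flags, one per line, so they can be reviewed offline.
sandbox_flags() {
    cat <<EOF
--rm
-i
--network=none
--memory=$SANDBOX_MEM
--memory-swap=$SANDBOX_MEM
--cpus=$SANDBOX_CPUS
--pids-limit=$SANDBOX_PIDS
--ulimit=cpu=$SANDBOX_CPU_SECS
--read-only
--tmpfs=/tmp:rw,size=16m
--workdir=/tmp
--user=65534:65534
--cap-drop=ALL
--security-opt=no-new-privileges
EOF
}

# Run JavaScript read from stdin inside the constrained container.
run_sandboxed() {
    check_limits || { echo "invalid sandbox limit" >&2; return 2; }
    # Unquoted on purpose: check_limits guarantees no whitespace or globs.
    sudo docker run $(sandbox_flags) "$SANDBOX_IMAGE" \
        /bin/bash -c 'cat > hello.js; node hello.js'
}
```

After sourcing the file, `echo "console.log('Hello World');" | run_sandboxed` repeats Step 5 with the limits applied. Setting `--memory-swap` equal to `--memory` keeps the container from spilling past its memory cap into swap.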
I’m really looking forward to seeing how this develops over the coming months and how others put it to use.