LowEndBox - Cheap VPS, Hosting and Dedicated Server Deals

Binary Docker For CapRover Web Installs On Any Linux Distribution!

Introduction


A recent Low End Box Editorial asked whether CapRover and the rise of one-click web installs have made Linux distributions obsolete.

The above linked Editorial discussed similarities between obsolescence and abstraction. The Editorial traced these similarities all the way from hardware to the modern web.

Docker was mentioned in the Editorial as an important method of operating system abstraction. Docker containerization allows running the same software in very different operating system environments.

Notably, Docker is a prerequisite for CapRover, our one-click install hero!

For Low End LOLs it seemed a fun project to try getting CapRover driven one-click web installs going on the world’s oldest living Linux distribution, Slackware.

Docker makes available Linux static binaries for both the Docker daemon and the Docker client. Static binaries also were mentioned in the above linked Editorial as another method of distribution agnosticism. So here we are, using one method of abstraction, static binaries, to install yet another method of abstraction, Docker, for the purpose of installing a third method of abstraction, CapRover. LOL!

Reasons Not To Do This In Real Life!

Docker warns us against the binary install method for production systems:

We do not recommend installing Docker using binaries in production environments as they will not be updated automatically with security updates. The Linux binaries described on this page are statically linked, which means that vulnerabilities in build-time dependencies are not automatically patched by security updates of your Linux distribution.

Docker Prerequisites

Let’s check our latest Slackware64-current OS to see whether Slackware64-current satisfies all of the prerequisites for a 64 bit binary install of Docker.

64-bit installation

root@darkstar:~# getconf LONG_BIT
64 ✅
root@darkstar:~#

Linux kernel version 3.10 or higher

root@darkstar:~# uname -r
5.17.7 ✅
root@darkstar:~#

Iptables version 1.4 or higher

root@darkstar:~# iptables --version
iptables v1.8.8 (legacy) ✅
root@darkstar:~#

Git version 1.7 or higher

root@darkstar:~# git --version
git version 2.36.1 ✅
root@darkstar:~#

A ps executable

root@darkstar:~# ps --version
ps from procps-ng 3.3.17 ✅
root@darkstar:~#

XZ utilities version 3.9 or higher

root@darkstar:~# xz --version
xz (XZ Utils) 5.2.5 ✅
liblzma 5.2.5
root@darkstar:~#

Properly mounted cgroupfs hierarchy

Please see https://github.com/tianon/cgroupfs-mount/blob/master/cgroupfs-mount.

root@darkstar:~# ls /proc/cgroups
/proc/cgroups
root@darkstar:~# ls /sys/fs | grep cgroup
cgroup/
root@darkstar:~# ls /sys/fs/cgroup/
blkio/ cpuacct/ devices/ freezer/ misc/ net_prio/ pids/
cpu/ cpuset/ elogind/ memory/ net_cls/ perf_event/ systemd@
root@darkstar:~# mountpoint /sys/fs/cgroup
/sys/fs/cgroup is a mountpoint
root@darkstar:~# cat /proc/cgroups
#subsys_name hierarchy num_cgroups enabled
cpuset 1 1 1
cpu 2 1 1
cpuacct 3 1 1
blkio 4 1 1
memory 5 1 1
devices 6 1 1
freezer 7 1 1
net_cls 8 1 1
perf_event 9 1 1
net_prio 10 1 1
pids 11 1 1
misc 12 1 1
root@darkstar:~# cat /sys/fs/cgroup/memory/memory.use_hierarchy
1 ✅
root@darkstar:~#

AppArmor And SELinux

Neither AppArmor nor SELinux seems to be installed in the default Slackware64-current. But neither of these is a Docker prerequisite. Also, both could be less necessary in a Lab environment like Darkstar than in a production system.

root@darkstar:~# cat /sys/kernel/security/apparmor/profiles
cat: /sys/kernel/security/apparmor/profiles: No such file or directory
root@darkstar:~# sestatus
-bash: sestatus: command not found
root@darkstar:~#

Docker Daemon Security

Seccomp

Please see https://docs.docker.com/engine/security/seccomp/.

root@darkstar:~# ls /boot/config
/boot/config@
root@darkstar:~# file /boot/config
/boot/config: symbolic link to config-huge-5.17.7.x64
root@darkstar:~# grep CONFIG_SECCOMP= /boot/config
CONFIG_SECCOMP=y ✅
root@darkstar:~#

Namespaces

Please see https://docs.docker.com/engine/reference/commandline/dockerd/#daemon-user-namespace-options.

Remapping Docker containers to run as unprivileged users is a method of preventing privilege escalation attacks from inside containers. The idea is to remap container user IDs to unprivileged host IDs. The remapping is done by Linux user namespaces, using the subordinate ID ranges configured in /etc/subuid and /etc/subgid. Neither of these files exists in the default Slackware64-current distribution.

root@darkstar:~# ls /etc/subuid /etc/subgid
/bin/ls: cannot access '/etc/subuid': No such file or directory
/bin/ls: cannot access '/etc/subgid': No such file or directory
root@darkstar:~#

In Darkstar’s non-production Lab environment, we are less worried about privilege escalation attacks because most Darkstar users already have root privileges. Therefore, we are not installing user remapping for today’s test.
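What the remapping described above does to IDs, as an added example (not from the original article or from Docker's documentation). The sample entries and the helper name host_id_for are assumptions made for illustration; the numeric ranges are constructed.

```shell
#!/bin/sh
# Added example: which host UID does a container UID become under
# user-namespace remapping? Entries use the /etc/subuid format
# name:first_host_id:count (same layout for /etc/subgid).

# Constructed sample. "dockremap" is the account Docker uses when started
# with --userns-remap=default; the numeric ranges here are made up.
sample_subuid() {
    cat <<'EOF'
alice:100000:65536
dockremap:231072:65536
EOF
}

# host_id_for NAME CONTAINER_ID, with subuid/subgid content on stdin.
# Prints the host ID, "unmapped" (ID outside the range, exit 1),
# "no-range" (NAME has no entry, exit 2) or "bad-id" (exit 3).
# Simplification: only NAME's first range is considered.
host_id_for() {
    case "$2" in
        ''|*[!0-9]*) echo "bad-id"; return 3 ;;
    esac
    awk -F: -v name="$1" -v cid="$2" '
        $1 == name {
            found = 1
            if (cid + 0 < $3 + 0) { print $2 + cid }
            else { print "unmapped"; rc = 1 }
            exit rc + 0
        }
        END { if (!found) { print "no-range"; exit 2 } }'
}

# Container root (UID 0) lands on an unprivileged host UID.
sample_subuid | host_id_for dockremap 0
```

On a real host, feed it /etc/subuid or /etc/subgid instead of the sample; a container ID that comes back "unmapped" has no host identity at all inside the namespace.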

Setting Up Our Ability to Revert

Since we’re installing Docker from a non-Slackware source, and since the install is a binary produced by Docker, we’re going to put Docker in the /opt directory.

Keeping the ability to revert is probably always a great idea, even though there isn’t yet much in /opt:

root@darkstar:~# cd /
root@darkstar:/# ls -l | grep opt
drwxr-xr-x 2 root root 4096 Jun 10 2007 opt/
root@darkstar:/# ls opt
root@darkstar:/# tar cvf opt-revert.tar opt
opt/
root@darkstar:/# ls opt-revert.tar
opt-revert.tar
root@darkstar:/# cd opt/
root@darkstar:/opt#

Downloading And Installing Docker Binaries

root@darkstar:/opt# time wget -q https://download.docker.com/linux/static/stable/x86_64/docker-20.10.16.tgz

real 0m1.284s
user 0m0.246s
sys 0m0.333s
root@darkstar:/opt# ls -lh
total 62M
-rw-r--r-- 1 root root 62M May 12 14:22 docker-20.10.16.tgz
root@darkstar:/opt# tar xvzf docker-20.10.16.tgz
docker/
docker/docker-init
docker/containerd
docker/ctr
docker/runc
docker/dockerd
docker/docker-proxy
docker/containerd-shim
docker/docker
docker/containerd-shim-runc-v2
root@darkstar:/opt# cd docker
root@darkstar:/opt/docker# ls
containerd* containerd-shim-runc-v2* docker* docker-proxy* runc*
containerd-shim* ctr* docker-init* dockerd*
root@darkstar:/opt/docker#
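Docker's warning above means nothing on this system will notice when the files in /opt/docker fall behind. The following added example (not part of the original article, and not Docker's tooling) compares an installed version against a release listing. It assumes the download index names releases docker-X.Y.Z.tgz; the listing embedded here is constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: notice when a static Docker install has fallen behind.
# Assumption: the download index names releases docker-X.Y.Z.tgz.

# Constructed sample of an index listing (not a real capture).
sample_listing() {
    cat <<'EOF'
<a href="docker-20.10.9.tgz">docker-20.10.9.tgz</a>
<a href="docker-20.10.16.tgz">docker-20.10.16.tgz</a>
<a href="docker-20.10.17.tgz">docker-20.10.17.tgz</a>
<a href="docker-rootless-extras-20.10.17.tgz">docker-rootless-extras-20.10.17.tgz</a>
EOF
}

# Print the highest docker-X.Y.Z version named in a listing read from stdin.
# sort -V orders 20.10.9 before 20.10.16, which a plain sort would not.
latest_static_version() {
    grep -oE 'docker-[0-9]+\.[0-9]+\.[0-9]+\.tgz' |
        sed -E 's/^docker-//; s/\.tgz$//' |
        sort -u -V | tail -n 1
}

# Succeed when version $1 is strictly older than version $2.
version_lt() {
    [ "$1" != "$2" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# check_static_docker INSTALLED_VERSION, listing on stdin.
# Exit 0 = current, 1 = stale, 2 = listing had no recognisable release.
check_static_docker() {
    latest=$(latest_static_version)
    [ -n "$latest" ] || { echo "unknown"; return 2; }
    if version_lt "$1" "$latest"; then
        echo "stale: installed $1, latest $latest"
        return 1
    fi
    echo "current: installed $1"
}

# Live use would pipe the index in instead of the sample, e.g.
#   wget -qO- https://download.docker.com/linux/static/stable/x86_64/ | check_static_docker 20.10.16
sample_listing | check_static_docker 20.10.16 || true
```

Run from cron, the non-zero exit status is the signal to repeat the manual download and replace the binaries.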

Does It Seem To Work?

root@darkstar:/opt/docker# export PATH=/opt/docker:$PATH
root@darkstar:/opt/docker# dockerd &

[ . . . ]

root@darkstar:/opt/docker# docker run hello-world

[ . . . ]

Hello from Docker!
This message shows that your installation appears to be working correctly.

To generate this message, Docker took the following steps:
1. The Docker client contacted the Docker daemon.
2. The Docker daemon pulled the "hello-world" image from the Docker Hub.
(amd64)
3. The Docker daemon created a new container from that image which runs the
executable that produces the output you are currently reading.
4. The Docker daemon streamed that output to the Docker client, which sent it
to your terminal.

To try something more ambitious, you can run an Ubuntu container with:
$ docker run -it ubuntu bash

Share images, automate workflows, and more with a free Docker ID:
https://hub.docker.com/

For more examples and ideas, visit:
https://docs.docker.com/get-started/

[ . . . ]

root@darkstar:/opt/docker#

Let’s try Ubuntu. :)

root@darkstar:/opt/docker# docker run -it ubuntu bash
Unable to find image 'ubuntu:latest' locally
latest: Pulling from library/ubuntu
125a6e411906: Pull complete
Digest: sha256:26c68657ccce2cb0a31b330cb0be2b5e108d467f641c62e13ab40cbec258c68d
Status: Downloaded newer image for ubuntu:latest

[ . . . ]

root@261db2d76559:/# uname -a
Linux 261db2d76559 5.17.7 #1 SMP PREEMPT Thu May 12 12:45:55 CDT 2022 x86_64 x86_64 x86_64 GNU/Linux
root@261db2d76559:/# cat /etc/os-release
PRETTY_NAME="Ubuntu 22.04 LTS"
NAME="Ubuntu"
VERSION_ID="22.04"
VERSION="22.04 LTS (Jammy Jellyfish)"
VERSION_CODENAME=jammy
ID=ubuntu
ID_LIKE=debian
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
UBUNTU_CODENAME=jammy
root@261db2d76559:~#

Alternatives

On Slackware, two obvious alternatives to the Docker binary install are compiling everything from scratch and using a package system such as Alien’s SlackBuilds or Pkgsrc. Another obvious alternative would be to install Docker in one of Darkstar’s KVM instances running, for example, Debian.

Besides Slackware, this binary Docker install ought to work on any Linux distribution that meets the prerequisites, although, as noted above, the binary install isn’t recommended for production.

Conclusion

Yaaay! The Docker binary install seems to work on the world’s oldest living Linux distribution! <3 But will this Docker run CapRover and provide one-click web app installs? In a future article we will see! :)

Not_Oles

1 Comment

  1. Keith Shitbiscuit:

    Shitbiscuit

    May 20, 2022 @ 4:23 pm
