Containers

CS managed systems support the use of rootless containers.  Containers package software together with its configuration and dependencies and isolate it from the rest of the system: the processes inside share the host's kernel but see their own filesystem, process list and network configuration.  A container image typically contains everything needed to run a particular application or service.  The most widely known container tool is Docker.

Rootless containers do all this without requiring elevated privileges, which makes them safer to offer on shared multi-user computers.  Inside a rootless container the user appears to be root and can perform operations that would ordinarily need root, but the container process itself runs on the host as the user; the apparent root privilege exists only within the container's user namespace.  Access to the filesystem, devices and the network is therefore no greater than what the user already has.

Opt-In

For rootless containers to work, some per-user system configuration is required.  Rather than preconfigure thousands of CS users, we ask those who wish to use containers to opt in by visiting their CS website profile page and checking a box.  After a short delay, this enables container support for that user on every managed CS machine.

Podman

Docker is not installed; use Podman instead.  Podman is a mostly compatible alternative to Docker (its command line is designed so that most docker commands work unchanged with podman substituted for docker) and has, at this writing, more complete support for rootless containers.  Once you have opted in to container support, you should be able to run the busybox image from Docker Hub with the following command.

podman run -it docker.io/library/busybox

When bind-mounting a directory from the host into your container with -v, you will usually want to add the option --userns=keep-id so that your account inside the container has the same uid as on the host.  Without it, rootless Podman maps your host account to root (uid 0) inside the container: you are root in the container, files you own on the host appear to be owned by root, and they are only accessible to root inside the container.
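The following script is an added example; it is not part of this page or of the Podman project.  It checks the per-user prerequisites for rootless Podman and then demonstrates what --userns=keep-id changes for a bind-mounted directory.  It assumes that the opt-in described above provisions /etc/subuid and /etc/subgid ranges for the user, which rootless Podman requires in order to map a container's additional uids and gids onto the host; the 65536-id threshold and the file and function names are the example's own.

```shell
#!/bin/sh
# Added example, not part of the CS documentation or the Podman project.
# Checks the per-user prerequisites for rootless Podman, then shows what
# --userns=keep-id changes for a bind-mounted directory.
# Assumption: the opt-in described on the page provisions /etc/subuid and
# /etc/subgid ranges for the user, which rootless Podman requires.

# subid_range USER CONTENT
# CONTENT is the text of /etc/subuid or /etc/subgid (lines "name:start:count").
# Prints "start count" of the first range assigned to USER; fails if none.
subid_range() {
    printf '%s\n' "$2" | awk -F: -v u="$1" '
        $1 == u { print $2, $3; found = 1; exit }
        END { exit found ? 0 : 1 }'
}

# rootless_ready USER SUBUID_CONTENT SUBGID_CONTENT
# Succeeds only if USER has both a uid and a gid range of at least 65536 ids,
# the size Podman conventionally expects.  Entries keyed by numeric uid
# rather than by name are not recognised here.
rootless_ready() {
    uids=$(subid_range "$1" "$2") || return 1
    gids=$(subid_range "$1" "$3") || return 1
    [ "${uids#* }" -ge 65536 ] && [ "${gids#* }" -ge 65536 ]
}

# demo_keep_id DIR
# Bind-mounts DIR at /work in the busybox image and prints the uid that owns
# a probe file as seen inside the container, first without and then with
# --userns=keep-id.  Skipped if podman is not installed.
demo_keep_id() {
    command -v podman >/dev/null 2>&1 || { echo "podman not found, skipping demo"; return 0; }
    : > "$1/probe"
    echo "host uid:              $(id -u)"
    echo "seen without keep-id:  $(podman run --rm -v "$1:/work" \
        docker.io/library/busybox stat -c %u /work/probe)"
    echo "seen with keep-id:     $(podman run --rm --userns=keep-id -v "$1:/work" \
        docker.io/library/busybox stat -c %u /work/probe)"
}

# Run against the real system with: sh rootless-check.sh check [DIR]
if [ "${1:-}" = "check" ]; then
    me=$(id -un)
    if rootless_ready "$me" "$(cat /etc/subuid 2>/dev/null)" "$(cat /etc/subgid 2>/dev/null)"; then
        echo "subuid/subgid ranges present for $me"
    else
        echo "no usable subuid/subgid ranges for $me: opt in first and wait for the delay"
    fi
    demo_keep_id "${2:-$(mktemp -d)}"
fi
```

On an opted-in account the demo prints 0 for the run without --userns=keep-id (your host account is mapped to root inside the container) and your own uid for the run with it, which is exactly the ownership difference described above.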

Limitations

Container storage (the pulled images and their layers) cannot live on a shared network filesystem such as NFS, so you can't run a container image from there.

On CS managed systems your home directory is accessed via NFS, so images can't be stored there.  You could copy an image to the local hard drive, if there is room, but then it can only run on that machine, and any changes would have to be copied back after the container stops or you risk losing your work.

To work around this, we provide each user with a disk image that is automatically mounted at login and configured as the storage location for that user's containers.  The disk image can be mounted on only one machine at a time: if you are already logged into one machine and log into a second, it won't be available there.  These disk images are backed up, and the image is available on whichever CS managed machine you log into, as long as it isn't mounted elsewhere.
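As an added example (not from this page or the Podman project), the following preflight check confirms that Podman's storage location resolved to a local filesystem rather than to the NFS home directory before you pull anything.  It assumes GNU coreutils stat (for stat -f) and a podman binary; the list of network filesystem types is the example's own.

```shell
#!/bin/sh
# Added example, not part of the CS documentation or the Podman project.
# Verifies that Podman's image storage is on a local filesystem before
# pulling images.  Assumes GNU coreutils stat and a podman binary; the set
# of network filesystem types below is the example's own.

# is_network_fs FSTYPE
# Succeeds if FSTYPE (as printed by "stat -f -c %T") is a network filesystem
# on which overlay container storage does not work.
is_network_fs() {
    case "$1" in
        nfs|nfs4|cifs|smb2|fuse.sshfs|afs) return 0 ;;
        *) return 1 ;;
    esac
}

# storage_root
# Prints the directory Podman uses for images and layers.  With the per-user
# disk image described above mounted, this should be a path on that image,
# not a directory under the NFS home.
storage_root() {
    podman info --format '{{.Store.GraphRoot}}'
}

# check_storage
# Reports where storage lives and returns 1 if it is on a network filesystem
# (2 if podman is not available).  The directory may not exist until the
# first pull, in which case the filesystem type is reported as unknown.
check_storage() {
    root=$(storage_root) || { echo "podman not available"; return 2; }
    fstype=$(stat -f -c %T "$root" 2>/dev/null || echo unknown)
    if is_network_fs "$fstype"; then
        echo "storage $root is on $fstype: images cannot run from here"
        return 1
    fi
    echo "storage $root is on $fstype"
}

# Run against the real system with: sh storage-check.sh check
[ "${1:-}" = "check" ] && check_storage
```

If check_storage reports an NFS path, you are most likely logged into a second machine while the disk image is mounted on the first; log out of the other session and log in again rather than pulling images into your home directory.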