Monax snap launching docker containers

elopio · August 10, 2017, 4:23am

Hello!

I am experimenting with a snap that requires to launch docker containers. It’s called monax.

I followed the instructions from this repo, and monax seems to work nicely. However, that repo doesn’t explain very well what’s going on. The question that I have left is if I have to define the four plugs in my snap.

Here is my snapcraft.yaml:

github.com

elopio/monax/blob/snapcraft/snap/snapcraft.yaml

name: monax
version: master
summary: The Ecosystem Application Platform
description: |
  Monax is an application platform for building, testing, maintaining, and
  operating applications built to run on an ecosystem level.

grade: devel # must be 'stable' to release into candidate/stable channels
confinement: strict

plugs:
  support:
    interface: docker-support
  privileged:
    interface: docker-support
    privileged-containers: true
  docker-cli:
    interface: docker
  docker-executables:
    content: docker-executables

This file has been truncated. show original

I think it would be great to have a tutorial for dummies explaining what’s happening here step by step.

jdstrand · August 10, 2017, 12:49pm

Note that because of what you plugs, your snap has device ownership. Please see Call for testing docker snap for more details.

@gary-wzl - you may want to comment on the original question here (and perhaps the post I linked to if there is more to discuss).

gary-wzl · August 11, 2017, 10:10am

Thanks for poking me. @jdstrand
@elopio Yes, the project instruction is a bit out of date and needs some updates.
Basically, I started this simple experimental project prior to 17.06.0-ce-1 release which is the one you now can find at stable channel of latest and 17.06 track in store. It aims to demonstrate how to build a dockerzied app through the content-interface shared by the docker snap. So people could just simply ship a piece of Dockerfile or a docker-compose.yml into their snap package and invoke docker from a dockerized snap sandbox to build images and run a container. With the content shared from docker snap, we can achieve great results with extremely small package size and people won’t need to include docker binary in their final snap package. Another benefit of this is that it allows people using snap as a delivery mechanism to update Dockerfile or docker-compose.yml. It’s small and cheap.

As Jamie commented, the downside of this approach is that docker-support gives people high-privilege access to OS. So it’s highly recommended not to use this method in untrusted apps due to security escape. This approach is a reasonable and effective compromise for trusted apps in a brand store.

Meanwhile, I’d like to mention that a dockerized app probably won’t work if it runs as a daemon according to my findings. It seems like a bug in snapd.

I’ll update the instruction and limitation of this approach in the sample repo.
Thanks for your feedbacks!