Outfitting an IT training environment with Docker containers
Trainer Container
Containers offer better performance than virtual machines because containers consume fewer resources and don't require a hypervisor. Containers also isolate a work environment from the rest of the system, so a user working within the container can't bring down the server or damage other user spaces. We put Docker containers to work on a problem we had on our network: creating workspaces for users in IT training support classes. Using Docker and some basic shell scripting, we built an automated environment where we could create temporary containers for each user in a lab class and delete those containers at the end of the session.
A Script for Creating Containers
Docker Hub [1] is a repository for Docker images. You'll need a standard Linux Docker image for creating containers. Docker Hub offers images for different Linux flavors, including Ubuntu, RHEL, Fedora, and CentOS.
This article assumes you have Docker up and running on your Linux system. If you don't have Docker on your system currently, you'll need to install the necessary and dependent packages – see the documentation for your own Linux distribution.
The next step is to download the base Docker image from the registry by executing the command
$ docker pull <image>
where <image> is the name of any official Linux flavor from the Docker registry [2]. The downloaded image has minimal utilities for executing shell scripts or basic Unix commands.
You can configure the Docker image to add more functionality. For example, in a development environment, one needs a good editor, manual pages, and compilers for different programming languages, debuggers, and system monitoring tools.
The next step is to create and run the container for a user.
As the sys admin, you create a user account and share the credentials for the user to access the Linux server. The objective is to provide the user with an isolated container with root privileges. However, you need to be sure the user doesn't use the root privileges outside of the container environment.
We overcame this security challenge by providing access to the user to execute Docker commands, but preventing the user from operating outside of the container. As you will learn later in this article, we use the .bash_profile and .bash_logout files to keep the user from accessing other parts of the system. (See the box titled ".bash_profile and .bash_logout.")
.bash_profile and .bash_logout
The default shell for most Linux distributions is Bash. When you connect to the server remotely through SSH, the .bash_profile file executes. The primary use for this file is to configure the shell by setting environment variables and paths, activating necessary services, installing the required applications, and displaying diagnostic information. In a nutshell, you can use .bash_profile to tailor the user environment to suit your needs.
The .bash_logout file executes at logout and is used to stop tasks that were made available while the user was logged in. It performs tasks such as stopping services and uninstalling applications.
Creating User Containers
In our lab, we needed to create two Docker images from the standard Ubuntu base image: a dev_test image (for a development environment) and sysadmin_test (for performing system administration tasks).
In the DevOps era, we need to train software professionals in all three essential areas: development, testing, and deployment. For our training sessions, the dev_test image is used for development as well as testing and the sysadmin_test image is used for deploying applications.
System administration tasks typically require root privileges, so system administration training requires some kind of root access. The challenge is to give students root access without allowing them to break the server. Containers make it very easy to assign each user a separate work environment. A single Docker server hosts several containers to support several users. Users can only access their own container.
To create a container from the selected image, execute the command:
$ docker create -i -t --name <container name> <docker image> /bin/bash
The -i option keeps standard input open, the -t option allocates a pseudo-terminal for the container, and the --name option assigns a unique name for the container.
For example, say a student with username Rama wants to develop a program using the dev_test image. The following command creates a container named Rama:
$ docker create -i -t --name Rama dev_test /bin/bash
After creating the container, Rama (the user) needs to start the container and attach to it to get access by executing the command:
$ docker start -a -i Rama
The -a option attaches standard output and standard error. The -i option attaches the container's standard input.
To stop the running container, Rama needs to execute the following command:
$ docker stop Rama
The system administrator needs to automate the startup and run the container whenever Rama logs in to the server. When the user logs in, the .bash_profile file is executed before the user gets to see the system's shell prompt. To put the user in the container, you need to append the following command to Rama's .bash_profile file:
echo sudo docker start -a -i Rama >> /home/Rama/.bash_profile
The preceding command will put Rama inside the container at login.
However, when exiting the container, Rama ends up at the server command prompt, which is a security breach for our network. Therefore, you need a way to make sure Rama exits the server completely when exiting the container. To achieve this, add the following command in .bash_profile:
echo exit >> /home/Rama/.bash_profile
As soon as Rama logs out from the container, the above code is executed. Rama will exit from the SSH session and thus will not get a chance to access the server.
The .bash_profile file must be modified immediately after creating the Rama user account or before sharing the login credentials with the user.
Automate with a Shell Script
To automate container creation for a user, a sys admin can use the script shown in Figure 1, which runs interactively. The script prompts for a username and the Docker image. Afterward, it creates a container with the username and modifies the user's .bash_profile file accordingly.
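The steps above, collected into one provisioning script as an added example (this is not the authors' Figure 1 script). It takes the username and image as arguments instead of prompting, validates the name before it reaches a path or a docker command, and appends the login hook only once. The DOCKER, DOCKER_BIN and HOME_BASE variables and the sudoers rule it prints are assumptions, not taken from the article.

```shell
#!/bin/sh
# Added example: provision one training container per user (not the article's Figure 1).
# DOCKER, DOCKER_BIN and HOME_BASE are assumptions so the script can be dry-run.
export LC_ALL=C
DOCKER="${DOCKER:-docker}"
DOCKER_BIN="${DOCKER_BIN:-/usr/bin/docker}"   # path sudo will be allowed to run
HOME_BASE="${HOME_BASE:-/home}"

# Accept only names safe as a login name, a container name and a path component.
valid_name() {
    case "$1" in
        ''|[!A-Za-z0-9]*|*[!A-Za-z0-9_-]*) return 1 ;;
    esac
    [ "${#1}" -ge 2 ] && [ "${#1}" -le 32 ]
}

# The two lines the article appends to the user's .bash_profile.
profile_lines() {
    printf 'sudo docker start -a -i %s\nexit\n' "$1"
}

# Sudoers rule (assumption: the article does not show one) limiting the user
# to starting their own container instead of running arbitrary docker commands.
sudoers_line() {
    printf '%s ALL=(root) NOPASSWD: %s start -a -i %s\n' "$1" "$DOCKER_BIN" "$1"
}

# Append the login hook once; a second run must not duplicate it.
install_profile() {
    profile="$HOME_BASE/$1/.bash_profile"
    grep -qxF "sudo docker start -a -i $1" "$profile" 2>/dev/null && return 0
    profile_lines "$1" >> "$profile"
}

# Create the container named after the user, then wire up the login hook.
provision() {
    valid_name "$1" || { echo "invalid username: $1" >&2; return 2; }
    [ -d "$HOME_BASE/$1" ] || { echo "no home directory for $1" >&2; return 3; }
    "$DOCKER" create -i -t --name "$1" "$2" /bin/bash >/dev/null || return 4
    install_profile "$1"
    sudoers_line "$1"    # print the rule for the admin to install with visudo
}

# Usage: provision.sh <username> <image>
if [ "$#" -eq 2 ]; then provision "$1" "$2"; fi
```

Setting DOCKER=true and HOME_BASE to a scratch directory exercises the script without touching a Docker daemon or real home directories.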