Trainer Container

Containers offer better performance than virtual machines because containers consume fewer resources and don't require a hypervisor. Containers also isolate a work environment from the rest of the system, so a user working within the container can't bring down the server or damage other user spaces. We put Docker containers to work on a problem we had on our network: creating workspaces for users in IT training support classes. Using Docker and some basic shell scripting, we built an automated environment where we could create temporary containers for each user in a lab class and delete those containers at the end of the session.

A Script for Creating Containers

Docker Hub [1] is a repository for Docker images. You'll need a standard Linux Docker image for creating containers. Docker Hub offers images for different Linux flavors, including Ubuntu, RHEL, Fedora, and CentOS.

This article assumes you have Docker up and running on your Linux system. If you don't have Docker on your system currently, you'll need to install the necessary and dependent packages – see the documentation for your own Linux distribution.

The next step is to download the base Docker image from the registry by executing the command

$docker pull <image>

where <image> is name of the any official Linux flavor from the Docker registry [2].The downloaded image has minimal utilities for executing shell scripts or basic Unix commands.

You can configure the Docker image to add more functionality. For example, in a development environment, one needs a good editor, manual pages, and compilers for different programming languages, debuggers, and system monitoring tools.

The next step is to create and run the container for a user.

As the sys admin, you create a user account and share the credentials for the user to access the Linux server. The objective is to provide the user with an isolated container with root privileges. However, you need to be sure the user doesn't use the root privileges outside of the container environment.

We overcame this security challenge by providing access to the user to execute Docker commands, but preventing the user from operating outside of the container. As you will learn later in this article, we use the .bash_profile and .bash_logout files to keep the user from accessing other parts of the system. (See the box titled ".bash_profile and .bash_logout.")

Creating User Containers

In our lab, we needed to create two Docker images from the standard Ubuntu base image: a dev_test image (for a development environment) and sysadmin_test (for performing system administration tasks).

In the DevOps era, we need to train software professionals in all three essential areas: development, testing, and deployment. For our training sessions, the dev_test image is used for development as well as testing and the sysadmin_test image is used for deploying applications.

System administration tasks typically require root privileges, so system administration training requires some kind of root access. The challenge is to give students root access without allowing them to break the server. Containers make it very easy to assign each user a separate work environment. A single Docker server hosts several containers to support several users. Users can only access their own container.

To create a container from the selected image, execute the command:

$docker create -i -t --name <container name> <docker image> /bin/bash

The -i option keeps standard input open, the -t option allocates a pseudo-terminal for the container, and the --name option assigns a unique name for the container.

For example, say a student with username Rama wants to develop a program using the dev_test image. The following command creates a container named Rama:

$docker create -i -t --name Rama dev_test /bin/bash

After creating the container, Rama (the user) needs to start the container and run it to get the container access by executing the command:

$docker start -a -i Rama

The -a option is to attach standard output and standard error. The -i option attaches the container's standard input.

To stop the running container, Rama needs to execute the following command:

$docker stop Rama

The system administrator needs to automate the startup and run the container whenever Rama logs in to the server. When the user logs in, the .bash_profile file is executed before the user gets to see the system's shell prompt. To put the user in the container, you need to append the following command to Rama's .bash_profile file:

echo sudo docker start -a -i Rama >> /home/Rama/.bash_profile

The preceding command will put Rama inside the container at login.

However, when exiting the container, Rama ends up at the server command prompt, which is a security breach for our network. Therefore, you need a way to make sure Rama exits the server completely when exiting the container. To achieve this, add the following command in .bash_profile:

echo exit >> /home/Rama/.bash_profile

As soon as Rama logs out from the container, the above code is executed. Rama will exit from the SSH session and thus will not get a chance to access the server.

The .bash_profile file modification is to be done immediately after creating the Rama user account or before sharing the login credentials with the user.

Automate with a Shell Script

To automate container creation for a user, a sys admin can use the script shown in Figure 1, which will execute in an interactive way. Script execution will prompt the user to enter a username and the docker image. Afterward, the script will create a container with the username and modify the user's .bash_profile file accordingly.

Figure 1: Shell script to automate container creation.