# Docker Quick Start

> Note: This guide requires Docker version 17.09.0 or greater. Refer to the
> [Docker documentation][docker] for how to install it.

This guide will help you quickly get started running Docker containers using
gVisor.

First, follow the [Installation guide][install].

If you use the `apt` repository or the `automated` install, then you can skip
the next section and proceed straight to running a container.

## Configuring Docker

First you will need to configure Docker to use `runsc` by adding a runtime entry
to your Docker configuration (e.g. `/etc/docker/daemon.json`). The easiest way
to do this is via the `runsc install` command. This will install a Docker
runtime named "runsc" by default.

```bash
sudo runsc install
```

You must restart the Docker daemon after installing the runtime. Typically this
is done via `systemd`:

```bash
sudo systemctl restart docker
```

## Running a container

Now run your container using the `runsc` runtime:

```bash
docker run --runtime=runsc --rm hello-world
```

You can also run a terminal to explore the container.

```bash
docker run --runtime=runsc --rm -it ubuntu /bin/bash
```

Many Docker options are compatible with gVisor; try them out. Here is an
example:

```bash
docker run --runtime=runsc --rm --link backend:database -v ~/bin:/tools:ro -p 8080:80 --cpus=0.5 -it busybox telnet towel.blinkenlights.nl
```

## Verify the runtime

You can verify that you are running in gVisor using the `dmesg` command.

```text
$ docker run --runtime=runsc -it ubuntu dmesg
[    0.000000] Starting gVisor...
[    0.354495] Daemonizing children...
[    0.564053] Constructing home...
[    0.976710] Preparing for the zombie uprising...
[    1.299083] Creating process schedule...
[    1.479987] Committing treasure map to memory...
[    1.704109] Searching for socket adapter...
[    1.748935] Generating random numbers by fair dice roll...
[    2.059747] Digging up root...
[    2.259327] Checking naughty and nice process list...
[    2.610538] Rewriting operating system in Javascript...
[    2.613217] Ready!
```

Note that this output is easily replicated by an attacker, so applications
should never use `dmesg` to verify the runtime in a security-sensitive context.

## Options

You may also wish to install a runtime entry with different options. The `runsc
install` command can accept flags that will be passed to the runtime when it is
invoked by Docker. For example, to install a runtime with debugging enabled, run
the following:

```bash
sudo runsc install --runtime runsc-debug -- \
    --debug \
    --debug-log=/tmp/runsc-debug.log \
    --strace \
    --log-packets
```

> Note: Ensure that `SELinux` (Security Enhanced Linux) is disabled on your
> system before running the runtime environment with debugging enabled.

Next, look at the different options available for gVisor: [platform][platforms],
[network][networking], [filesystem][filesystem].

[docker]: https://docs.docker.com/install/
[storage-driver]: https://docs.docker.com/engine/reference/commandline/dockerd/#daemon-storage-driver
[install]: /docs/user_guide/install/
[filesystem]: /docs/user_guide/filesystem/
[networking]: /docs/user_guide/networking/
[platforms]: /docs/user_guide/platforms/
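
Because `dmesg` output inside the container can be faked, as the "Verify the runtime" section notes, an operator can instead check from the host which runtime the Docker daemon recorded for each container. The script below is an added example, not part of the gVisor documentation; the function names, the `--live` switch and the sample data are hypothetical, and it treats the `runsc-debug` runtime from the "Options" section as non-compliant unless explicitly allowed.

```bash
#!/usr/bin/env bash
# Added example: audit container runtimes from the host, using the Docker
# daemon's own record (HostConfig.Runtime) rather than in-container output.

# Print "<name> <runtime>" for every running container (needs Docker access).
list_container_runtimes() {
    ids=$(docker ps -q)
    if [ -z "$ids" ]; then
        return 0
    fi
    # $ids is intentionally unquoted: one argument per container ID.
    docker inspect --format '{{.Name}} {{.HostConfig.Runtime}}' $ids
}

# Read "<name> <runtime>" lines on stdin and print every container whose
# runtime is not one of the allowed names given as arguments.
# Returns 1 if any such container was found, 0 otherwise.
find_unsandboxed() {
    status=0
    while read -r name runtime; do
        if [ -z "$name" ]; then
            continue
        fi
        ok=0
        for allowed in "$@"; do
            if [ "$runtime" = "$allowed" ]; then
                ok=1
            fi
        done
        if [ "$ok" -eq 0 ]; then
            printf '%s %s\n' "$name" "${runtime:-<unset>}"
            status=1
        fi
    done
    return "$status"
}

# Constructed sample of list_container_runtimes output (not from a real host).
SAMPLE='/web runsc
/db runc
/job runsc-debug'

# On a Docker host, run with --live to audit the running containers.
if [ "${1:-}" = "--live" ]; then
    list_container_runtimes | find_unsandboxed runsc
fi
```

A non-zero exit status from `find_unsandboxed` makes the check usable as a gate in a scheduled job or deployment pipeline.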