From de60cdbc7ec04fe9a397611ff346e1c8e2cce6cf Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=A9r=C3=B4me=20Petazzoni?= Date: Mon, 8 Sep 2025 15:31:47 +0200 Subject: [PATCH] =?UTF-8?q?=E2=9C=8F=EF=B8=8F=20Tweak=20container=20from?= =?UTF-8?q?=20scratch=20exercise?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../container-from-scratch-details.md | 76 ++++++++++--------- 1 file changed, 42 insertions(+), 34 deletions(-) diff --git a/slides/exercises/container-from-scratch-details.md b/slides/exercises/container-from-scratch-details.md index 77168b38..1d818843 100644 --- a/slides/exercises/container-from-scratch-details.md +++ b/slides/exercises/container-from-scratch-details.md @@ -26,27 +26,7 @@ Make sure to automate / script things as much as possible! 5. Cgroups -6. Run as non-root - -7. ...But on port 80 anyways - ---- - -## Bonus steps - -In no specific order... - -- Try to escape the container - - (it's OK to modify the container filesystem from outside!) - -- Try to prevent container escapes by: - - - enabling user namespaces - - - dropping capabilities - - - locking down device access +6. Non-root --- @@ -54,7 +34,7 @@ In no specific order... - Obtain a root filesystem with one of the following methods: - - download an Alpine root fs + - download an Alpine mini root fs - export an Alpine or NGINX container image with Docker 
@@ -68,6 +48,46 @@ In no specific order... --- +## Help, network does not work! + +- Check that you have external connectivity from the chroot: + ```bash + ping 1.1.1.1 + ``` + (that *should* work; if it doesn't, we have a serious problem!) + +- Check that DNS resolution works: + ```bash + ping enix.io + ``` + +- If you're having a DNS resolution error, configure DNS in the container: + ```bash + echo nameserver 1.1.1.1 > /etc/resolv.conf + ``` + +--- + +## Running a web server + +Here are a few possibilities... + +- Install the NGINX package and run it with `nginx` + + (note: by default it will start in the background) + +- Run NGINX in the foreground with `nginx -g "daemon off;"` + +- Install the package Caddy and run `caddy file-server -ab` + + (it will remain in the foreground and show logs; **RECOMMENDED**) + +- Download and/or build https://github.com/jpetazzo/color + + (if you're familiar with the Go ecosystem!) + +--- + ## Run with chroot - Start the web server from within the chroot @@ -137,15 +157,3 @@ In no specific order... - Adjust the web server configuration so that it starts (non-privileged users cannot bind to ports below 1024) - ---- - -## Non-root, port 80 - -- We want to run as a non-privileged user **and** bind to port 80 - -- We'll need to have the correct capability to do that - -- Identify the capability needed to do that - -- Add that capability to the web server
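Review bot: the hunk at @@ -26,27 +26,7 @@ drops the whole "Bonus steps" section, and with it the only part of the exercise that covers hardening (enabling user namespaces, dropping capabilities, locking down device access) and the container-escape attempt that motivates it; the commit subject only says "Tweak", so either keep those bullets as an optional step or state in the commit message where they went or why they were cut.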
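Review bot: in the hunk at @@ -54,7 +34,7 @@, "Alpine mini root fs" is a better name than "Alpine root fs", but the bullet still leaves learners to locate the artifact; a link to the download page next to it would help, and it is worth adding that the archive's published checksum or signature should be checked before it is unpacked as the root of the container.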
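Review bot: in the hunk at @@ -68,6 +48,46 @@, the "Help, network does not work!" bullet `echo nameserver 1.1.1.1 > /etc/resolv.conf` writes a different file depending on whether it is typed in the host shell or inside the chroot, and "configure DNS in the container" does not say which; state that it runs inside the chroot, or give the host-side path under the root fs. The first bullet says its `ping` runs from the chroot, the second (`ping enix.io`) does not, so say it once for the whole section. In "Running a web server", "Install the package Caddy" should read "Install the Caddy package" to match the NGINX bullet, and `caddy file-server -ab` relies on combined short flags; writing `--access-log --browse` out in full is unambiguous whatever Caddy version the learner installs.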
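Review bot: the hunk at @@ -137,15 +157,3 @@ removes "Non-root, port 80", so the file now ends on "(non-privileged users cannot bind to ports below 1024)" with no follow-up, and together with the first hunk every mention of capabilities is gone from the exercise; if the capability step is intentionally dropped, say so in the commit message, and consider finishing the remaining bullet with the unprivileged port the server is expected to listen on instead.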