=Paper= {{Paper |id=Vol-1787/557-560-paper-97 |storemode=property |title=YASTD: A Simple Set of CLI Tools to Manage Docker Containers |pdfUrl=https://ceur-ws.org/Vol-1787/557-560-paper-97.pdf |volume=Vol-1787 |authors= Stanislav Polyakov,Alexander Kryukov,Andrey Demichev }} ==YASTD: A Simple Set of CLI Tools to Manage Docker Containers== https://ceur-ws.org/Vol-1787/557-560-paper-97.pdf
     YASTD: A Simple Set of CLI Tools to Manage Docker Containers
                    S. P. Polyakov, A. P. Kryukov, A. P. Demichev
       Skobeltsyn Institute of Nuclear Physics, M.V. Lomonosov Moscow State University (SINP MSU),
                             1(2), Leninskie gory, GSP-1, Moscow, 119991, Russia

                                      E-mail: s.p.polyakov@gmail.com


      We present a set of tools to manage Docker containers named YASTD (Yet Another Simple Tools for Docker). It has three primary purposes:
      - to allow users to create containers remotely accessible via secure shell (SSH);
      - to let users configure their containers and save the changes as new images;
      - to isolate users from each other and restrict their access to the Docker features that could potentially disrupt the work of a server.
      The tools are accessible via a simple command line interface.
      The commands for managing containers allow creating containers from available images, listing the available containers, stopping and restarting containers, pausing and unpausing all processes within a container, and removing containers. Also available are the commands to create new images from the changes made to the containers, list the available images, and remove images. The users cannot see, modify, or remove containers and images created by other users.
      We also give an assessment of the security level of the tools and outline the possible approaches to improving it.

     Keywords: cloud computing, container virtualization, Docker

The work was supported by RFBR. Grant No 15-07-09309


                                                   © 2016 Stanislav P. Polyakov, Alexander P. Kryukov, Andrey P. Demichev




                                                                                                                  557
Introduction
       Let us suppose we have a server with computational or storage capabilities that we want to share between several users. Two approaches to doing so are giving the users accounts on the server, or creating a separate virtual machine for each user. Taking the former approach means that users will be limited to a specific version of a specific operating system, will not be able to install some software or configure their environment, and when the necessary software is installed it may not be useful for some users due to dependency conflicts. The latter approach has none of these drawbacks, but emulating hardware has significant overhead. Container virtualization [Soltesz S. et al., 2007] provides a middle ground between the two, offering some of the isolation with small overhead [Felter W. et al., 2015] and some additional benefits we discuss in the next section.
       The tools we present use the container virtualization approach. They allow users to create and manage their own containers (the container virtualization analogue of virtual machines) with preconfigured SSH access. This includes access to a privileged user (root) account inside a container, which can configure the container and install the necessary software. Thus a user can run multiple instances of a program, or break up a program into several interacting components set up in isolated environments. This is achieved with a simple program (basically a set of scripts) leveraging some of the features of the container virtualization tool Docker [Docker].
       Section 2 outlines some possibilities of container virtualization and features of Docker. Section 3
presents the YASTD tools and describes their functionality. Section 4 is about the security limitations
of the tools. Section 5 concludes the paper and outlines some possibilities for further development of
the tools.


Container virtualization and Docker
      Container virtualization is a virtualization method in which the kernel of an operating system allows the existence of multiple isolated user-space instances, or containers. Thus software needs to be compatible with the host OS to be run within a container.
      Docker is a rapidly developing but already very popular container virtualization tool for Linux. Filesystems of Docker containers have read-only parts called images. Changes to the filesystem made while the container is running are stored as a separate layer, and can be saved as a new image without the need to copy the read-only part. This approach is called copy-on-write and allows storing multiple images with small variations between them using very little disk space.
      Docker provides a number of tools for creating, monitoring, and manipulating containers. One of its features is the volumes option, which allows mapping an arbitrary host directory into a container directory. In addition to all the benefits of this feature, it has a side effect: a user with full access to Docker commands can get access to any file of the host. Therefore if we want users to be able to create their own containers without accidentally disrupting the work of the server, we need to restrict their access to Docker commands.


YASTD features and tools
     YASTD (Yet Another Simple Tools for Docker) is an intermediary giving users restricted access to some of the Docker commands. The users can create containers, save modified containers as new images and create new containers from these images. A very basic set of Docker commands for managing the images and containers is also available.




Features

      YASTD has four features that set it apart from a crippled version of Docker.
      A (Access). Each user has automatically configured SSH access to any container they create,
both as a regular user and as a privileged one (root). This allows users to configure their containers
and work with them as they prefer.
      B (Borders). YASTD isolates users from each other. Users cannot see or modify containers and
images created by other users. (A container created by a user can still be configured by that user to
give access to others.)
      C (CLI). The users also have restricted access to the host: the only way a user can directly interact with it is via a simple command line interface.
      D (Directories). Each user has two home directories within any container that are mapped from
the storage directories assigned to the user on the host. As a result, the contents of these directories are
the same for all containers of the user, and they are not saved as a part of the user-created images.

How it works

     A server administrator needs to install Docker, copy the YASTD files to the server and configure YASTD, specifying a range of ports to be used, the location of the storage directory, and some other data. At least one Docker image should be preconfigured to automatically launch sshd and allow SSH login with public keys. New user accounts can be added by a script that configures their access to the server so that the CLI is started automatically when they attempt to log in, and copies their public SSH keys to the .ssh/authorized_keys files in the two storage directories assigned to the user.
     When a user submits a valid command to create a new container, YASTD uses the volumes option to map the storage directories of the user into the home and root directories inside the container respectively, providing both the A and D features mentioned earlier. The container is assigned a random free port from the specified range and its port 22 is mapped to the assigned server port, giving the user SSH access to the container.

List of YASTD tools

     YASTD capabilities for managing containers:
      - create a container from an image,
      - list the containers started by the user,
      - stop and restart a container,
      - pause and unpause all processes within a container,
      - remove a container.
     YASTD capabilities for managing images:
      - create a new image from a container's changes,
      - list the images available to the user,
      - remove an image.


Security
     Docker is not considered secure when users are allowed to execute arbitrary commands within a
container («Containers do not contain», [Walsh]), and giving root access inside a container further
weakens the security. The security can be strengthened using Docker's settings to give root a restricted
set of capabilities instead of full privileges, as well as using some measures of security in addition to
those provided by Docker [Petazzoni].




     As it stands, YASTD is meant to be used in situations where users can be trusted to make no attempts to break out of their containers or otherwise impede the functioning of the host and the work of other users, and to give no access to their accounts, or privileged access to their containers, to outside parties.
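The container-creation step from "How it works" together with the capability restriction mentioned in the Security section, as an added shell illustration that is not YASTD's own code: the port range, storage location, base-image list, per-user image prefix yastd/<user>/, container naming, dropped capabilities and resource limits are all assumptions made for the example.

```shell
#!/bin/sh
# Added illustration of the YASTD container-creation step (not YASTD's own
# code). An administrator supplies these settings; the values are assumptions.
YASTD_PORT_MIN=${YASTD_PORT_MIN:-20000}
YASTD_PORT_MAX=${YASTD_PORT_MAX:-20100}
YASTD_STORAGE=${YASTD_STORAGE:-/srv/yastd}
YASTD_BASE_IMAGES=${YASTD_BASE_IMAGES:-yastd/base-ssh}

# A user may run administrator-provided base images or images saved under an
# assumed per-user prefix yastd/<user>/ (feature B). Names with characters
# outside the image-name alphabet are rejected: the name goes on a command line.
image_allowed() {
    user=$1; image=$2
    case "$image" in
        *[!A-Za-z0-9_./:-]*) return 1 ;;
        yastd/"$user"/*) return 0 ;;
    esac
    for base in $YASTD_BASE_IMAGES; do
        [ "$image" = "$base" ] && return 0
    done
    return 1
}

# First port in the configured range that is not in $1, a space-separated list
# of host ports already published (e.g. collected from `docker port`). The
# paper picks a random free port; scanning in order keeps the result testable.
pick_free_port() {
    used=$1; p=$YASTD_PORT_MIN
    while [ "$p" -le "$YASTD_PORT_MAX" ]; do
        case " $used " in
            *" $p "*) p=$((p + 1)) ;;
            *) echo "$p"; return 0 ;;
        esac
    done
    return 1
}

# Print the docker command for user $1, image $2 and host port $3: the user's
# two storage directories become the home and root directories (feature D),
# container port 22 is published on the chosen host port (feature A), two
# default capabilities a login container does not need are dropped and
# process/memory limits bound the container's impact on the host (Security).
build_run_cmd() {
    user=$1; image=$2; port=$3
    image_allowed "$user" "$image" || return 1
    echo "docker run -d --name yastd-$user-$port -p $port:22 \
-v $YASTD_STORAGE/$user/home:/home/$user -v $YASTD_STORAGE/$user/root:/root \
--cap-drop NET_RAW --cap-drop MKNOD --pids-limit 512 --memory 2g $image"
}
```

Dropping NET_RAW and MKNOD removes raw sockets and device-node creation, neither of which an SSH login container needs; the process and memory limits keep one user's container from exhausting the host.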


Conclusions and further work
      We have presented a set of tools that allow users to remotely create Docker containers that can be configured by the user, save and access the changes made to the containers, and manage the containers. The users are isolated from each other. The tools can be accessed via a simple command line interface.
      The ideas for further development include adding measures to improve the security of the server,
giving users the option to migrate their images to outside repositories, and creating a Web interface.


References
Soltesz S. et al. Container-based operating system virtualization: a scalable, high-performance alternative to hypervisors // ACM SIGOPS Operating Systems Review. — 2007. — Vol. 41, No. 3. — P. 275–287.
Felter W. et al. An updated performance comparison of virtual machines and linux containers // Performance Analysis of Systems and Software (ISPASS), 2015 IEEE International Symposium On. — 2015. — P. 171–172.
Docker – Build, Ship, and Run Any App, Anywhere. [Electronic resource]. URL: https://www.docker.com
Walsh D. Are Docker containers really secure? [Electronic resource]. URL: https://opensource.com/business/14/7/docker-security-selinux (accessed 30.10.2016).
Petazzoni J. Containers & Docker: How Secure Are They? [Electronic resource]. URL: https://blog.docker.com/2013/08/containers-docker-how-secure-are-they/ (accessed 30.10.2016).



