Commit

improvements as discussed
volkan-aslan committed Oct 24, 2024
1 parent aff90a5 commit 1e6bb37
Showing 2 changed files with 23 additions and 31 deletions.
4 changes: 2 additions & 2 deletions docs/plugin/execution-modes/containers/container.md
Expand Up @@ -41,8 +41,8 @@ There are two ways to do this:
- [LXC ](https://linuxcontainers.org/)
- [runc](https://github.com/opencontainers/runc)
- [crun](https://github.com/containers/crun)
- [Dobby](https://github.com/rdkcentral/Dobby) (RDK)
- AWC (Liberty Global)
- [Dobby](https://github.com/rdkcentral/Dobby) (Maintained by RDK)
- AWC (Maintained Externally)

To run a plugin in a container, a suitable container configuration must already exist. Thunder does not create container configurations dynamically. Thunder will search for existing container configurations in the following locations, in order of priority:
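
Review bot: In the container list, "AWC (Maintained Externally)" no longer tells the reader who maintains AWC and, unlike the Dobby entry, carries no link, so there is nowhere to look it up; name the maintainer or link the project, and lowercase "Externally" to match "Maintained by RDK". The unchanged "[LXC ]" entry above also has a stray space inside the link text that could be cleaned up in the same pass.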

50 changes: 21 additions & 29 deletions docs/plugin/execution-modes/containers/lxc.md
Expand Up @@ -5,7 +5,7 @@ LXC (Linux Containers) is a lightweight virtualization method that provides an e

1. Make sure kernel has all the futures needed for containerization. The easiest way to enable them is to use raspberrypi3_wpe_ml_container_defconfig.

2. Enable containers support in Thunder
2. Enable containers support in Thunder.
```
Thunder -> Extensions -> Process Containers
```
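
Review bot: Step 1, the unchanged line directly above the edited step 2, still reads "all the futures needed for containerization"; since this commit is a wording pass over the same list, change it to "features" here as well. It would also help to say which kernel options the defconfig enables, because the step currently only works for readers building for raspberrypi3.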
Expand Down Expand Up @@ -33,8 +33,7 @@ For demo purposes, we will use the OCDM plugin. To run a containerized ThunderNa

# Adjusting Configuration for Thunder

1) Create a file named 'config' under /rootfs/usr/share/Thunder/OCDM/Container and place the below content in it.

1. Create a file named 'config' under /rootfs/usr/share/Thunder/OCDM/Container and place the below content in it.
```
# Template used to create this container: /usr/share/lxc/templates/lxc-download
# Parameters passed to the template: --no-validate
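
Review bot: The code fence that now follows "1. Create a file named 'config' ..." starts at column 0, so in Markdown it is not part of the list item and ends the list; the following steps then start a new list and some renderers restart their numbering. Indent the fence and its contents under the item (three or four spaces) so the config block stays inside step 1, and apply the same indentation to the other fenced steps in this file.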
Expand Down Expand Up @@ -71,43 +70,37 @@ lxc.net.0.type = empty
#lxc.net.0.hwaddr = 00:16:XX:XX:XX:XX
```

2) Comment out below line in /usr/share/lxc/config/common.conf:

`# lxc.seccomp.profile = /usr/share/lxc/config/common.seccomp`
2. Comment out below line in /usr/share/lxc/config/common.conf:
```
# lxc.seccomp.profile = /usr/share/lxc/config/common.seccomp
```

3) In plugin configuration (eg. `/etc/Thunder/plugin/OCDM.json` for OCDM) change
3. In plugin configuration (eg. `/etc/Thunder/plugin/OCDM.json` for OCDM) change
```"mode": Local```
to
```"mode": "Container"```

If everything works fine, you should see OCDM working just lie an ordinary OOP plugin
4. If everything works fine, you should see OCDM working just lie an ordinary OOP plugin.

# Mounting a shared directory between host and LXC container

Most often, we may need to securely share files between the host machine and a container.

Example : File logging from a container to a logging system folder located at the host machine.

1) Create a directory in host.

1. Create a directory in host.
```
mkdir /testshare && chmod 7777 /testshare
mkdir /testshare && chmod 7770 /testshare
```

2) Create a directory in lxc container (eg: OCDM container)

2. Create a directory in lxc container (eg: OCDM container)
```
mkdir /usr/share/Thunder/OCDM/Container/rootfs/TestLogging && chmod 7777 /usr/share/Thunder/OCDM/Container/rootfs/TestLogging
mkdir /usr/share/Thunder/OCDM/Container/rootfs/TestLogging && chmod 7770 /usr/share/Thunder/OCDM/Container/rootfs/TestLogging
```

3) Edit container config file (eg: /usr/share/Thunder/OCDM/Container/config)

3. Edit container config file (eg: /usr/share/Thunder/OCDM/Container/config)
```
lxc.mount.entry = /testshare TestLogging none bind,rw 0 0
lxc.mount.entry = /testshare TestLogging none bind,rw 0 0
```

4) UID/GID mapping

4. UID/GID mapping
```
# Container specific configuration
#lxc.idmap = u 0 100000 65536
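
Review bot: In steps 1 and 2 of the shared-directory section, "chmod 7770" only drops the "other" bits; the leading 7 still sets the setuid, setgid and sticky bits on /testshare and TestLogging, which is almost certainly not intended. Use "chmod 0770", or "chmod 2770" if new files should inherit the directory's group, and state which owner and group the directory needs. Separately, step 2 of the Thunder configuration still tells the reader to comment out "lxc.seccomp.profile" in common.conf with no explanation; that removes the common seccomp profile from every container using that file, so the text should say why it is needed and that it is a demo-only setting. The new step 4 also keeps the typo "lie" for "like", and "mode": Local in step 3 is missing the quotes around the value.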
Expand All @@ -122,14 +115,13 @@ lxc.idmap = g 1000 1000 1
lxc.idmap = u 1001 101001 64535
lxc.idmap = g 1001 101001 64535
```
5. Accessing contents from a shared folder and permissions .

5) Accessing contents from a shared folder and permissions .

Use case 1 : Host has created a domain socket within the shared folder.
Container running in non-privileged mode (not root mode), trying to write to this domain socket.

In this use case, the write operation will fail, if there is NO write permission for "other" user (eg: 775 instead of 777).
So make sure that the domain socket has been created with the required access right.
Use case 1 :
Host has created a domain socket within the shared folder.
Container running in non-privileged mode (not root mode), trying to write to this domain socket.
In this use case, the write operation will fail, if there is NO write permission for "other" user (eg: 775 instead of 777).
So make sure that the domain socket has been created with the required access right.

## Good To Know
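
Review bot: Step 5's use case still says the write fails without write permission for "other" and gives 777 as the working mode, which contradicts steps 1 and 2 of this section, where this commit changes the shared directories to 7770 and removes all access for "other". Reconcile the two: either explain how the container user reaches the socket through the owner or group under the lxc.idmap entries above, or state the exact mode the socket needs, rather than pointing readers back to a world-writable setting. The reflowed "Use case 1 :" lines also lost their blank lines and will render as a single paragraph, and "permissions ." has a stray space before the period.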
