From 1e6bb3715213a263b3f5012c38864da09171f308 Mon Sep 17 00:00:00 2001 From: ASLAN Date: Thu, 24 Oct 2024 11:45:01 +0200 Subject: [PATCH] improvements as discussed --- .../execution-modes/containers/container.md | 4 +- docs/plugin/execution-modes/containers/lxc.md | 50 ++++++++----------- 2 files changed, 23 insertions(+), 31 deletions(-) diff --git a/docs/plugin/execution-modes/containers/container.md b/docs/plugin/execution-modes/containers/container.md index 5a36a08c4..07e9e1cf8 100644 --- a/docs/plugin/execution-modes/containers/container.md +++ b/docs/plugin/execution-modes/containers/container.md @@ -41,8 +41,8 @@ There are two ways to do this: - [LXC ](https://linuxcontainers.org/) - [runc](https://github.com/opencontainers/runc) - [crun](https://github.com/containers/crun) -- [Dobby](https://github.com/rdkcentral/Dobby) (RDK) -- AWC (Liberty Global) +- [Dobby](https://github.com/rdkcentral/Dobby) (Maintained by RDK) +- AWC (Maintained Externally) To run a plugin in a container, a suitable container configuration must already exist. Thunder does not create container configurations dynamically. Thunder will search for existing container configurations in the following locations, in order of priority: diff --git a/docs/plugin/execution-modes/containers/lxc.md b/docs/plugin/execution-modes/containers/lxc.md index 53295b2d7..ff628e25f 100644 --- a/docs/plugin/execution-modes/containers/lxc.md +++ b/docs/plugin/execution-modes/containers/lxc.md @@ -5,7 +5,7 @@ LXC (Linux Containers) is a lightweight virtualization method that provides an e 1. Make sure kernel has all the futures needed for containerization. The easiest way to enable them is to use raspberrypi3_wpe_ml_container_defconfig. -2. Enable containers support in Thunder +2. Enable containers support in Thunder. ``` Thunder -> Extensions -> Process Containers ``` 
@@ -33,8 +33,7 @@ For demo purposes, we will use the OCDM plugin. To run a containerized ThunderNa # Adjusting Configuration for Thunder -1) Create a file named 'config' under /rootfs/usr/share/Thunder/OCDM/Container and place the below content in it. - +1. Create a file named 'config' under /rootfs/usr/share/Thunder/OCDM/Container and place the below content in it. ``` # Template used to create this container: /usr/share/lxc/templates/lxc-download # Parameters passed to the template: --no-validate @@ -71,16 +70,17 @@ lxc.net.0.type = empty #lxc.net.0.hwaddr = 00:16:XX:XX:XX:XX ``` -2) Comment out below line in /usr/share/lxc/config/common.conf: - -`# lxc.seccomp.profile = /usr/share/lxc/config/common.seccomp` +2. Comment out below line in /usr/share/lxc/config/common.conf: +``` +# lxc.seccomp.profile = /usr/share/lxc/config/common.seccomp +``` -3) In plugin configuration (eg. `/etc/Thunder/plugin/OCDM.json` for OCDM) change +3. In plugin configuration (eg. `/etc/Thunder/plugin/OCDM.json` for OCDM) change ```"mode": Local``` to ```"mode": "Container"``` -If everything works fine, you should see OCDM working just lie an ordinary OOP plugin +4. If everything works fine, you should see OCDM working just lie an ordinary OOP plugin. # Mounting a shared directory between host and LXC container 
@@ -88,26 +88,19 @@ Most often, we may need to securely share files between the host machine and a c Example : File logging from a container to a logging system folder located at the host machine. -1) Create a directory in host. - +1. Create a directory in host. ``` - mkdir /testshare && chmod 7777 /testshare +mkdir /testshare && chmod 7770 /testshare ``` - -2) Create a directory in lxc container (eg: OCDM container) - +2. Create a directory in lxc container (eg: OCDM container) ``` - mkdir /usr/share/Thunder/OCDM/Container/rootfs/TestLogging && chmod 7777 /usr/share/Thunder/OCDM/Container/rootfs/TestLogging +mkdir /usr/share/Thunder/OCDM/Container/rootfs/TestLogging && chmod 7770 /usr/share/Thunder/OCDM/Container/rootfs/TestLogging ``` - -3) Edit container config file (eg: /usr/share/Thunder/OCDM/Container/config) - +3. Edit container config file (eg: /usr/share/Thunder/OCDM/Container/config) ``` - lxc.mount.entry = /testshare TestLogging none bind,rw 0 0 +lxc.mount.entry = /testshare TestLogging none bind,rw 0 0 ``` - -4) UID/GID mapping - +4. UID/GID mapping ``` # Container specific configuration #lxc.idmap = u 0 100000 65536 
@@ -122,14 +115,13 @@ lxc.idmap = g 1000 1000 1 lxc.idmap = u 1001 101001 64535 lxc.idmap = g 1001 101001 64535 ``` +5. Accessing contents from a shared folder and permissions . -5) Accessing contents from a shared folder and permissions . - - Use case 1 : Host has created a domain socket within the shared folder. - Container running in non-privileged mode (not root mode), trying to write to this domain socket. - - In this use case, the write operation will fail, if there is NO write permission for "other" user (eg: 775 instead of 777). - So make sure that the domain socket has been created with the required access right. + Use case 1 : + Host has created a domain socket within the shared folder. + Container running in non-privileged mode (not root mode), trying to write to this domain socket. + In this use case, the write operation will fail, if there is NO write permission for "other" user (eg: 775 instead of 777). + So make sure that the domain socket has been created with the required access right. ## Good To Know
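Review bot: in docs/plugin/execution-modes/containers/container.md (@@ -41,8 +41,8), the two changed list entries describe the same thing with different wording and capitalization: `(Maintained by RDK)` versus `(Maintained Externally)`. The second also no longer tells the reader who maintains AWC. Pick one form for both, for example `(maintained by RDK)` and `(maintained externally)`. The unchanged `[LXC ]` link text on the context line above has a trailing space inside the brackets that could be cleaned up in the same pass.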
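Review bot: in the first docs/plugin/execution-modes/containers/lxc.md hunk (@@ -5,7 +5,7), step 1 on the context line directly above the edited step still reads "all the futures needed for containerization". That should be "features", and since this commit is a wording pass over the same list it belongs here. `raspberrypi3_wpe_ml_container_defconfig` on the same line would also read better in backticks.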
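Review bot: in the lxc.md hunk at @@ -33,8 +33,7, step 2 tells the reader to comment out `lxc.seccomp.profile` in /usr/share/lxc/config/common.conf without saying what that costs. The file is the system-wide LXC config rather than the OCDM container's own /usr/share/Thunder/OCDM/Container/config, so the instruction is not scoped to the demo and it removes the seccomp syscall filter. The text should state that this is a demo shortcut, say why the default profile has to go, and point to a scoped alternative if there is one. The new fence also shows the line already commented out under a sentence that says "Comment out below line", which leaves it unclear whether the fence is the before or the after state. Two smaller things on added lines: step 4 still has "just lie an ordinary" ("like"), and step 3 shows `"mode": Local` without quotes around Local while the replacement value is quoted.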
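Review bot: in the lxc.md hunk at @@ -88,26 +88,19, steps 1 and 2 change the mode from 7777 to 7770, which drops access for "other" but keeps the leading 7, so both directories still get the setuid, setgid and sticky bits. If those are not intended, use `chmod 0770` (or `2770` if group inheritance is the goal). With "other" now excluded, the steps also need to say which owner and group the directories should have (a `chown` line), matching the host IDs that the container user maps to in step 4; otherwise the reader cannot tell who is able to write to /testshare. Dropping the blank line between each numbered item and its fence may also change how the list renders, so check the built page.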
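Review bot: in the last lxc.md hunk (@@ -122,14 +115,13), use case 1 still says the write fails unless "other" has write permission and gives "775 instead of 777" as the example, which now contradicts the `chmod 7770` this patch sets on /testshare. With no "other" bits on the shared directory, a process that falls into "other" cannot reach the socket whatever the socket's own mode is. Rather than steering readers to a world-writable socket, describe the case where the container's non-root user maps, through the `lxc.idmap` lines above, to a host UID or GID that owns the socket, and give the socket mode that follows from that (for example 660). The added step 5 line also has a stray space before the period in "permissions .".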