diff --git a/rip_docker/.gitignore b/rip_docker/.gitignore
index f144293..b62a8bd 100644
--- a/rip_docker/.gitignore
+++ b/rip_docker/.gitignore
@@ -1,4 +1,6 @@
+bin
 dangerzone-cmdline
 dangerzone-initrd.img
 dangerzone-kernel
-dangerzone-state
\ No newline at end of file
+dangerzone-state
+stdout.log
\ No newline at end of file
diff --git a/rip_docker/README.md b/rip_docker/README.md
index 2f0d33b..d24eb31 100644
--- a/rip_docker/README.md
+++ b/rip_docker/README.md
@@ -10,70 +10,61 @@ The most promising path forward is with [LinuxKit](https://github.com/linuxkit/l Docker is required for linuxkit to build the VM image. -### Install LinuxKit and HyperKit - -Install from homebrew: +### Collect the binaries ```sh -brew tap linuxkit/linuxkit -brew install --HEAD linuxkit -brew install hyperkit +mkdir -p bin + +# download pre-built LinuxKit binary +cd bin +wget https://github.com/linuxkit/linuxkit/releases/download/v0.8/linuxkit-darwin-amd64 +chmod +x linuxkit-darwin-amd64 +mv linuxkit-darwin-amd64 linuxkit +cd .. + +# copy binaries from Docker Desktop +cp /Applications/Docker.app/Contents/Resources/bin/com.docker.hyperkit bin/hyperkit +cp /Applications/Docker.app/Contents/Resources/bin/com.docker.vpnkit bin/vpnkit +cp /Applications/Docker.app/Contents/Resources/bin/com.docker.cli bin/docker ``` -### Build the dangerzone VM image +### Build the dangerzone VM image and see if it works ```sh -linuxkit build -format kernel+initrd dangerzone.yml +./bin/linuxkit build -format kernel+initrd dangerzone.yml ``` And then try running it: ```sh -linuxkit run hyperkit -hyperkit /usr/local/bin/hyperkit -networking=vpnkit -vsock-ports=2376 -disk size=4096M -data-file ./metadata.json -kernel -uefi dangerzone +./bin/linuxkit run hyperkit \ + -hyperkit ./bin/hyperkit \ + -vpnkit ./bin/vpnkit \ + -data-file ./metadata.json \ + -networking=vpnkit \ + -vsock-ports=2376 \ + -disk size=4096M \ + -mem 2048 \ + -kernel dangerzone ``` -### Uninstall Docker Desktop - -Just to make sure it isn't interfering. Click the Docker systray icon > Troubleshooting > Uninstall, and then delete Docker from Applications. - - - - -### Old stuff - -Here's my attempts at installing from source, documented for posterity. +And see if it works: ```sh -mkir -p build bin - -# download pre-built linuxkit binary -cd bin -wget https://github.com/linuxkit/linuxkit/releases/download/v0.8/linuxkit-darwin-amd64 -chmod +x linuxkit-darwin-amd64 -cd .. 
- -# build hyperkit -cd build -wget https://github.com/moby/hyperkit/archive/refs/tags/v0.20210107.tar.gz -mv v0.20210107.tar.gz hyperkit-v0.20210107.tar.gz -tar -xf hyperkit-v0.20210107.tar.gz -cd hyperkit-0.20210107 -make -cp ../.. -ln -s build/hyperkit-0.20210107/build/hyperkit bin/hyperkit - -# install dependencies for vpnkit -brew install wget opam pkg-config -opam init # only need to run this if opam wasn't installed before - -# build vpnkit -cd build -# wget https://github.com/moby/vpnkit/archive/refs/tags/v0.5.0.tar.gz -wget https://github.com/micahflee/vpnkit/archive/refs/heads/ocaml-upgrade.tar.gz -mv ocaml-upgrade.tar.gz vpnkit-ocaml-upgrade.tar.gz -tar -xf vpnkit-ocaml-upgrade.tar.gz -cd vpnkit-ocaml-upgrade -make - -# uggh, I keep failing at this. going to switch to homebrew +./bin/docker -H unix://dangerzone-state/guest.00000948 ps +``` + +Inside the VM you can shutdown with `poweroff`. + +### Ooh, almost there + +``` +$ ./bin/docker -H unix://dangerzone-state/guest.00000948 run hello-world +Unable to find image 'hello-world:latest' locally +latest: Pulling from library/hello-world +b8dfde127a29: Pull complete +Digest: sha256:9f6ad537c5132bcce57f7a0a20e317228d382c3cd61edae14650eec68b2b345c +Status: Downloaded newer image for hello-world:latest +docker: Error response from daemon: OCI runtime create failed: container_linux.go:349: starting container process caused "process_linux.go:449: container init caused \"process_linux.go:432: running prestart hook 0 caused \\\"fork/exec /proc/7/exe: no such file or directory\\\"\"": unknown. +ERRO[0003] error waiting for container: context canceled ``` diff --git a/rip_docker/dangerzone.yml b/rip_docker/dangerzone.yml index 67757b8..271b56f 100644 --- a/rip_docker/dangerzone.yml +++ b/rip_docker/dangerzone.yml 
@@ -27,7 +27,7 @@ onboot:
 # make a swap file on the mounted disk
 - name: swap
 image: linuxkit/swap:0028aeae2741d28120e4d2c6efcc5af003eae395
- command: ["/swap.sh", "--path", "/var/lib/swap", "--size", "1024M"]
+ command: ["/swap.sh", "--path", "/var/lib/swap", "--size", "1G"]
 # mount-vpnkit mounts the 9p share used by vpnkit to coordinate port forwarding
 - name: mount-vpnkit
 image: alpine:3.11
@@ -36,7 +36,7 @@ onboot:
 capabilities:
 - CAP_SYS_ADMIN
 rootfsPropagation: shared
- command: ["sh", "-c", "mkdir -p /host_var/vpnkit/port && mount -v -t 9p -o trans=virtio,dfltuid=1001,dfltgid=50,version=9p2000 port /host_var/vpnkit"]
+ command: ["sh", "-c", "mkdir -p /host_var/vpnkit/port && mount -v -t 9p -o trans=virtio,dfltuid=1001,dfltgid=50,version=9p2000 port /host_var/vpnkit"]
 # move logs to the mounted disk (this is a temporary fix until we can limit the log sizes)
 - name: move-logs
 image: alpine:3.11
@@ -46,18 +46,22 @@ onboot:
 - name: dhcpcd
 image: linuxkit/dhcpcd:1033f340e2d42f86a60aab70752346f0045ea388
 command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
+
 services:
- # Enable acpi to shutdown on power events
- - name: acpid
- image: linuxkit/acpid:d2ddd88c7918466f875e7c5c3e527b51dfb0b0ea
+ # # Enable acpi to shutdown on power events
+ # - name: acpid
+ # image: linuxkit/acpid:d2ddd88c7918466f875e7c5c3e527b51dfb0b0ea
+
 # Enable getty for easier debugging
 - name: getty
 image: linuxkit/getty:ed32c71531f5998aa510847bb07bd847492d4101
 env:
 - INSECURE=true
- # Run ntpd to keep time synchronised in the VM
- - name: ntpd
- image: linuxkit/openntpd:66f25a516c7460f5e49195309cf276903741c428
+
+ # # Run ntpd to keep time synchronised in the VM
+ # - name: ntpd
+ # image: linuxkit/openntpd:66f25a516c7460f5e49195309cf276903741c428
+
 # VSOCK to unix domain socket forwarding. Forwards guest /var/run/docker.sock
 # to a socket on the host.
 - name: vsudd
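Review bot: Commenting out the ntpd service in the `@@ -46` hunk (and host-timesync-daemon in the next hunk) leaves the guest with no time source after boot, while dockerd inside this VM still speaks TLS to registries (the README's hello-world pull); certificate validity and registry-token expiry checks depend on a sane clock, so a drifting guest will start failing pulls in confusing ways. The same applies to acpid, which is what turned a host power event into a clean shutdown; the README now has to tell the user to run `poweroff` by hand. Nothing in the commented block says this is temporary debugging, so the next reader will take it as intentional; replace the bare commented-out lines with a reason, e.g. `# TODO: acpid/ntpd disabled while debugging boot; restore before real use (dockerd's TLS to registries needs a correct clock, acpid handles clean shutdown)`. The unchanged `INSECURE=true` on getty also stays, giving a passwordless root console on the VM, and is worth a comment marking it as debug-only.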
@@ -65,6 +69,7 @@ services:
 binds:
 - /var/run:/var/run
 command: ["/vsudd", "-inport", "2376:unix:/var/run/docker.sock"]
+
 # vpnkit-forwarder forwards network traffic to/from the host via VSOCK port 62373.
 # It needs access to the vpnkit 9P coordination share
 - name: vpnkit-forwarder
@@ -73,12 +78,15 @@ services:
 - /var/vpnkit:/port
 net: host
 command: ["/vpnkit-forwarder", "-vsockPort", "62373"]
+
 # Monitor for image deletes and invoke a TRIM on the container filesystem
 - name: trim-after-delete
 image: linuxkit/trim-after-delete:ac6307a62c926a49a067d4de8667c2789b5ce2c9
- # When the host resumes from sleep, force a clock resync
- - name: host-timesync-daemon
- image: linuxkit/host-timesync-daemon:32fec3fc7d03e5600ef88526c8f187cf21e8e0cc
+
+ # # When the host resumes from sleep, force a clock resync
+ # - name: host-timesync-daemon
+ # image: linuxkit/host-timesync-daemon:32fec3fc7d03e5600ef88526c8f187cf21e8e0cc
+
 # Run dockerd with the vpnkit userland proxy from the vpnkit-forwarder container.
 # Bind mounts /var/run to allow vsudd to connect to docker.sock, /var/vpnkit
 # for vpnkit coordination and /run/config/docker for the configuration file.
@@ -107,7 +115,11 @@ services:
 runtime:
 mkdir: ["/var/lib/docker"]
 
-trust:
- org:
- - linuxkit
- - library
+# Definitely not ideal to comment this out, but this was throwing an error I couldn't get past:
+# ERRO[0001] Metadata for targets/justin expired
+# DEBU[0001] downloaded targets/justin.3be767f335e3367389eaae85739901f6e9c886995e752615adfe63ba5cb3cd34 is invalid: targets/justin expired at Thu Jun 11 16:05:18 +0200 2020
+
+# trust:
+# org:
+# - linuxkit
+# - library
diff --git a/rip_docker/rip.py b/rip_docker/rip.py
new file mode 100644
index 0000000..9e9ace4
--- /dev/null
+++ b/rip_docker/rip.py
@@ -0,0 +1,9 @@
+import docker
+
+
+def main():
+ client = docker.DockerClient(base_url="unix://dangerzone-state/guest.00000948")
+
+
+if __name__ == "__main__":
+ main()
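Review bot: Dropping the `trust:` block in the `@@ -107` hunk switches off image signature verification (content trust) for the `linuxkit` and `library` images this VM is assembled from, and nothing compensates for it: every `image:` reference in the file is a mutable tag (`alpine:3.11`, `linuxkit/getty:ed32c7…`, etc.), so the build now accepts whatever the registry serves for those tags. The pasted error says upstream's `targets/justin` delegation metadata expired, which the author cannot repair locally, so the practical replacement is to pin each image by content digest (`image: alpine:3.11@sha256:<digest>`, and likewise for each linuxkit image) so the build is at least reproducible and tamper-evident. The comment should record that decision rather than only the error, e.g. `# Content trust disabled: upstream linuxkit Notary metadata (targets/justin) expired 2020-06-11.` followed by `# Compensating control: every image in this file MUST be pinned by @sha256 digest.`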
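Review bot: `client` in `main` is built from a relative unix socket path, `unix://dangerzone-state/guest.00000948`, so the script only connects when run from inside `rip_docker/`, and the hard-coded `guest.00000948` name appears to be a per-VM socket that may change between `linuxkit run` invocations; the object is also never used, so the script currently proves nothing. Resolve the socket relative to the file and fail loudly when the daemon is unreachable, e.g. `sock = Path(__file__).resolve().parent / "dangerzone-state" / "guest.00000948"` then `client = docker.DockerClient(base_url=f"unix://{sock}")` and `client.ping()`, with a short module docstring stating what the script is meant to exercise. The README points the docker CLI at the same socket name, so any rename should land in both places.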