CernVM as a Docker Container
The CernVM docker container resembles the µCernVM idea in docker. It consists mainly of a busybox and the parrot sandboxing tool. The rest of the operating system is loaded on demand. Note that newer versions of docker prevent the use of the ptrace() call, which is required for parrot. This needs to be explicitly allowed by the --security-opt seccomp:unconfined parameter to docker run ... Be aware that this parameter disables Docker's default seccomp profile for the whole container, not only the ptrace() restriction.
Alternatively, it is possible to bind mount the cvmfs operating system repository into the docker container, and then the container will automatically use this instead of parrot.
Limitations of the CernVM Docker Container
The CernVM docker container is a runtime environment only. It can be used to start arbitrary commands “dockerized” in CernVM. Due to its internal mechanism, it cannot be used, however, as a base image to create derived Docker containers, e.g. with a
Instead you can wrap the setup commands that would be part of the Dockerfile into a script and pass this script as parameter to the /init command line (see below). The script can be bind mounted into the container with the -v option, like
docker run --security-opt seccomp:unconfined -v /path/to/script:/bootstrap ... \
    /init /bootstrap/script.sh
Importing and Running the Container
In order to import the image, ensure that the docker service is running and execute
cat <CernVM Docker tarball> | docker import - my_cernvm
In order to start an interactive shell, run
docker run --security-opt seccomp:unconfined -it my_cernvm /init
The initial command always needs to be /init, but any other command can be appended, for instance
docker run --security-opt seccomp:unconfined -it my_cernvm /init ls -lah
In case CernVM-FS is mounted on the docker host, it is possible to bind mount the operating system repository into the container instead, like
docker run -v /cvmfs/cernvm-prod.cern.ch:/cvmfs/cernvm-prod.cern.ch ...
In this case, there is no Parrot environment. Every repository that should be available in the docker container needs to be mapped with another -v ... parameter. Note: the cernvm-prod.cern.ch repository (or any other repository hosting an operating system) should be mounted with the CVMFS_CLAIM_OWNERSHIP=no option. You can create a file /etc/cvmfs/config.d/cernvm-prod.cern.ch.local and add the configuration parameter. This will ensure that sudo works in your docker container.
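The two ways of starting the container described above (parrot with seccomp:unconfined, or bind mounting the OS repository from the host) as an added example; this script is not part of the CernVM project. It assumes the image name my_cernvm from this page and a host CernVM-FS mount point given as CVMFS_ROOT (normally /cvmfs); it only prints the docker run line so it can be reviewed before running, and checks the CVMFS_CLAIM_OWNERSHIP setting the page requires.

```shell
#!/bin/sh
# Added example (not CernVM project code): assemble the "docker run" line for
# the CernVM container. If the host has the cernvm-prod.cern.ch repository
# under CVMFS_ROOT (assumed /cvmfs on a real host), repositories are bind
# mounted and the default seccomp profile stays in place; otherwise parrot is
# used, which needs ptrace() and therefore seccomp:unconfined.

# Usage: cernvm_run_cmd IMAGE CVMFS_ROOT [EXTRA_REPO ...] -- [CMD ...]
cernvm_run_cmd() {
    image=$1; cvmfs_root=$2; shift 2
    cmd="docker run -it"
    if [ -d "$cvmfs_root/cernvm-prod.cern.ch" ]; then
        # Bind-mount mode: every repository needs its own -v mapping.
        cmd="$cmd -v $cvmfs_root/cernvm-prod.cern.ch:/cvmfs/cernvm-prod.cern.ch"
        while [ $# -gt 0 ] && [ "$1" != "--" ]; do
            cmd="$cmd -v $cvmfs_root/$1:/cvmfs/$1"
            shift
        done
    else
        # Parrot mode: seccomp:unconfined lifts all syscall filtering, not only
        # the ptrace() restriction. Extra repositories would have to be added
        # through PARROT_CVMFS_REPO instead, which this example does not do.
        cmd="$cmd --security-opt seccomp:unconfined"
        while [ $# -gt 0 ] && [ "$1" != "--" ]; do shift; done
    fi
    if [ "${1:-}" = "--" ]; then shift; fi
    cmd="$cmd $image /init"        # /init must always be the first command
    for arg; do cmd="$cmd $arg"; done
    printf '%s\n' "$cmd"
}

# Returns 0 if the OS repository config file sets CVMFS_CLAIM_OWNERSHIP=no,
# which the page requires for sudo to work inside the container.
# Usage: cvmfs_claim_ownership_ok [CONFIG_FILE]
cvmfs_claim_ownership_ok() {
    grep -qs '^CVMFS_CLAIM_OWNERSHIP=no$' \
        "${1:-/etc/cvmfs/config.d/cernvm-prod.cern.ch.local}"
}
```

Pipe the printed line to sh once it looks right, e.g. cernvm_run_cmd my_cernvm /cvmfs -- | sh.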
The image can be further contextualized by environment variables. To turn on more verbose output:
docker run --security-opt seccomp:unconfined -e CERNVM_DEBUG=1 -e PARROT_OPTIONS="-d cvmfs" -it ...
To use another operating system provided by CernVM-FS:
docker run --security-opt seccomp:unconfined -e CERNVM_ROOT=/cvmfs/cernvm-sl7.cern.ch/cvm4 -it ...
docker run --security-opt seccomp:unconfined -e CERNVM_ROOT=/cvmfs/cernvm-slc5.cern.ch/cvm3 -it ...
docker run --security-opt seccomp:unconfined -e CERNVM_ROOT=/cvmfs/cernvm-slc4.cern.ch/cvm3 -it ...
Standard LHC cvmfs repositories are present by default; other repositories can be added with
docker run --security-opt seccomp:unconfined -e PARROT_CVMFS_REPO=" \
    <REPONAME>:url=<STRATUM1-URL>,pubkey=/UCVM/keys/<KEYNAME> \
    <REPONAME>: ..."
The corresponding public key needs to be stored in the container under /UCVM/keys first.