I've followed all the documentation here: https://cloud.google.com/container-optimized-os/docs/ to try to upgrade my existing configuration that used container-vm images that have now been deprecated, to a new configuration using container-optimized OS. But nothing works! I can't get the Docker container to bind to port 80 (i.e. -p 80:80) and also my Docker container can't seem to write to /var/run/nginx.pid (yes I'm using nginx in my Docker container). I followed the instructions to disable AppArmor and I've also tried creating an AppArmor profile for nginx. Nothing works! Are there any examples out there using container-optimized OS that don't just use the busybox image and print "Hello World" or sleep! How about an example that opens a port and writes to the file system?
- -v 80:80 should be -p 80:80 .. typo? – koma Nov 07 '17 at 22:48
- @koma fixed thanks – dgrant Nov 14 '17 at 02:57
2 Answers
I just installed Apache Guacamole on Container Optimized OS and it works like a charm. There are some constraints in place for security.
The root filesystem ("/") is mounted as read-only with some portions of it re-mounted as writable, as follows:
- /tmp, /run, /media, /mnt/disks and /var/lib/cloud are all mounted using tmpfs and, while they are writable, their contents are not preserved between reboots.
- Directories /mnt/stateful_partition, /var and /home are mounted from a stateful disk partition, which means these locations can be used to store data that persists across reboots. For example, Docker's working directory /var/lib/docker is stateful across reboots.
- Among the writable locations, only /var/lib/docker and /var/lib/cloud are mounted as "executable" (i.e. without the noexec mount flag).
If you need to accept HTTP (port 80) connections from any source IP address, run the following command on your Container-Optimized OS instance:
sudo iptables -w -A INPUT -p tcp --dport 80 -j ACCEPT
In general, it is recommended you configure the host firewall as a systemd service through cloud-init.
PS: Container-Optimized OS is capable of auto updates. This mechanism can be used to update a fleet of Compute Engine instances.
- Thanks. I believe I couldn't even bind to 80... I'll take a look tonight. – dgrant Nov 07 '17 at 02:37
- I am binding to port 80 without issue, that is I am port mapping a service in Docker to port 80 using -p 80:8080. – koma Nov 07 '17 at 22:46
I can't get the Docker container to bind to port 80 (ie. -p 80:80) and also my Docker container can't seem to write to /var/run/nginx.pid (yes I'm using nginx in my Docker container).
I think you might be hitting some GCE firewall problem. The best way would be to verify/debug it step by step:
Try running a stupidly simple nginx container: "-d" asks Docker to run it in daemon mode, "-p 80:80" maps the HTTP port, and "--name nginx-hello" names the container nginx-hello.
docker run -d --name nginx-hello -p 80:80 nginx
(optional) Verify that the container is running correctly: you should see the "nginx-hello" container listed.
docker ps
Verify that nginx is working locally: you should see a good HTTP response.
curl localhost:80
If you are able to verify all the above steps correctly, then you would likely be facing a GCE firewall problem:
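Putting the two answers together as an added example (this is not code from either answerer or from Google's documentation): a cloud-init config for a Container-Optimized OS instance that opens port 80 in the host firewall from a systemd unit, as the first answer recommends, and then runs the nginx container from step 1 of the second answer. The unit names host-firewall.service and nginx-hello.service are my own choices; the iptables rule and the docker run line are the ones already given on this page.

```yaml
#cloud-config
# Added example, not from the answers above. Unit names are assumed.

write_files:
# Host firewall as a systemd service: only TCP/80 is opened, nothing else.
- path: /etc/systemd/system/host-firewall.service
  permissions: 0644
  owner: root
  content: |
    [Unit]
    Description=Accept TCP port 80 in the host firewall
    Wants=network-online.target
    After=network-online.target

    [Service]
    Type=oneshot
    RemainAfterExit=yes
    # Same rule as in the first answer; the ExecStop line removes it again.
    ExecStart=/sbin/iptables -w -A INPUT -p tcp --dport 80 -j ACCEPT
    ExecStop=/sbin/iptables -w -D INPUT -p tcp --dport 80 -j ACCEPT

# The nginx container from the second answer, started after the firewall rule.
# Its writable layer lives under /var/lib/docker, which the first answer lists
# as a stateful, writable location on the otherwise read-only root filesystem.
- path: /etc/systemd/system/nginx-hello.service
  permissions: 0644
  owner: root
  content: |
    [Unit]
    Description=nginx-hello container on port 80
    Requires=docker.service host-firewall.service
    After=docker.service host-firewall.service

    [Service]
    Restart=always
    ExecStartPre=-/usr/bin/docker rm -f nginx-hello
    ExecStart=/usr/bin/docker run --rm --name nginx-hello -p 80:80 nginx
    ExecStop=/usr/bin/docker stop nginx-hello

runcmd:
- systemctl daemon-reload
- systemctl start host-firewall.service
- systemctl start nginx-hello.service
```

The host rule is only half of the picture: the GCE firewall that the second answer points at is configured on the VPC network, not on the instance, and must also allow port 80 before external clients can reach the container.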