The goodfellas
OpenBSD, last time, meet a good friend in the alps, Alpine Linux, ¿do you remember?
After four days of titties & beer , they decides to meet another friend, a blue whale, his name is Docker.
¿Who is Docker?
Docker is a software technology providing containers, promoted by the company Docker, Inc. Docker provides an additional layer of abstraction and automation of operating-system-level virtualization on Windows and Linux. Docker uses the resource isolation features of the Linux kernel such as cgroups and kernel namespaces, and a union-capable file system such as OverlayFS and others to allow independent "containers" to run within a single Linux instance, avoiding the overhead of starting and maintaining virtual machines (VMs).
The Linux kernel's support for namespaces mostly isolates an application's view of the operating environment, including process trees, network, user IDs and mounted file systems, while the kernel's cgroups provide resource limiting, including the CPU, memory, block I/O, and network. Since version 0.9, Docker includes the libcontainer library as its own way to directly use virtualization facilities provided by the Linux kernel, in addition to using abstracted virtualization interfaces via libvirt, LXC (Linux Containers) and systemd-nspawn.
OpenBSD, Alpine linux and Docker
Always remembering russian Matryoshka, we've decided to add another layer of virtualization to our workstation searching how to build adblock2privoxy in OpenBSD. Retaking our last video tutorial we've got Alpine linux correctly installed in a virtual environment in a OpenBSD host. Now we've to adjust some parameters in Alpine to finish the installation:
Add the virtual machine in automatic boot with the host OS:
# cat >> /etc/vm.conf <<EOF
vm "screencast" {
memory 2048M
disk "/home/taglio/Virtual/alpine-screencast.img"
interface { switch "local" }
}
EOF
#
$ doas rcctl restart vmd
Connect to the serial console, press ENTER
to boot the default initramfs
and kernel
and customize syslinux
bootloader and enable the community repository of apk
packet manager:
alpine# cat /boot/extlinux.conf
SERIAL 0 115200
DEFAULT virthardened
PROMPT 0
LABEL virthardened
MENU LABEL Linux virthardened
LINUX vmlinuz-virthardened
INITRD initramfs-virthardened
APPEND root=UUID=ebf73ff9-7df6-463d-915f-0ab84f5e11e9 modules=sd-mod,usb-storage,ext4 quiet rootfstype=ext4
MENU SEPARATOR
alpine# cat /etc/apk/repositories
http://nl.alpinelinux.org/alpine/v3.7/main
http://nl.alpinelinux.org/alpine/v3.7/community
#
Doing so Alpine will reboot automatically without the need of press ENTER
in syslinux
prompt.
Generate root
OpenBSD ssh keys and add to the root
authorized_keys
in the virtual Alpine:
$ doas su
# ssh-keygen
# ssh 10.1.10.2 mkdir /root/.ssh
# scp ./ssh/id_rsa.pub 10.1.10.2:/root/.ssh/authorized_keys
Upgrade Alpine packages and install our new friend, Docker:
alpine# apk update && apk upgrade
alpine# apk add docker
Configure Alpine openrc
, the Gentoo antagonist of the hugly infamous systemd, to boot on start our Docker.
alpine# rc-service docker start
alpine# rc-update add docker default
adblock2privoxy Docker configuration
Docker container is a extremely flexible software. Have got thousand of different possible uses and configurations. And a deep dive into it will require an entire new series of articles (asap we will analyze it).
The most important think to understand, he has got a public internet libraries from where you can pool
a system operative image
into our local system. After pulling the correct one we can automate a serie of operation every time we build
one of them into a container
. I know...there's many new types of concepts here, but with practice it will be simple. Containers are super flexibles because for every command defined in a special file called Dockerfile
they save a subcontainer in a overlay
filesystem.
This is the Dockerfile
that we're going to use in this project:
alpine# mkdir docker
alpine# cat > Dockerfile << EOF
FROM debian:8
MAINTAINER Riccardo Giuntoli <r.giuntoli@protonmail.ch>
RUN apt-get update
RUN apt-get -y upgrade
RUN apt-get -y install wget
WORKDIR /root
RUN mkdir privoxy
RUN mkdir lists
RUN wget https://s3.amazonaws.com/ab2p/adblock2privoxy_1.4.2_amd64.debian8.deb
RUN dpkg -i adblock2privoxy_1.4.2_amd64.debian8.deb
RUN wget -O lists/easyprivacy.txt https://easylist.to/easylist/easyprivacy.txt
RUN wget -O lists/easylist.txt https://easylist.to/easylist/easylist.txt
RUN wget -O lists/antiadblockfilters.txt https://easylist-downloads.adblockplus.org/antiadblockfilters.txt
RUN wget -O lists/malwaredomains_full.txt https://easylist-downloads.adblockplus.org/malwaredomains_full.txt
RUN wget -O lists/adblock-list.txt https://raw.githubusercontent.com/Dawsey21/Lists/master/adblock-list.txt
RUN adblock2privoxy -p ./privoxy lists/easyprivacy.txt lists/easylist.txt \
lists/antiadblockfilters.txt lists/malwaredomains_full.txt lists/adblock-list.txt
RUN tar -cvzf privoxy.tgz privoxy/
Let's dive a little bit into this Dockerfile
:
FROM
: key to specify baseimage
where start to compile thecontainer
, in this key is a debian machine, stable version number 8, codename jessie.MANTAINER
: simply the owner of thisDockerfile
.RUN
:exec
commands in the virtual debian environment.WORKDIR
: change the working directory.
In this specific docker application you can see that we download and install our adblock2privoxy software, download bad boys list maintained buy the guys of easylist.to, give to adblock2proxy and pack the result in a tar.gz
archive.
Automatic OpenBSD, Alpine and Docker process
Our goal is the automatize all the process and every week update ours privoxy rules. We've got an environment with three distinct system operatives, one OpenBSD and two Linux, it's like an orgy.
Let's start to create a little ash
script in our Alpine:
alpine# mkdir bin
alpine# cat > bin/automatic_docker.sh <<EOF
cd docker/ && docker build -t adblock2privoxy-bootstrap:final .
ASDF=`docker run -d -t adblock2privoxy-bootstrap:final /bin/bash`
docker cp $ASDF:/root/privoxy.tgz .
docker system prune -f
docker stop $(docker ps -a -q)
docker rm $(docker ps -a -q)
docker rmi $(docker images -q)
EOF
docker build
: Build an image from a Dockerfile.docker run
: Run a command in a new container.docker system prune
: Remove unused data.docker stop
: Stop one or more running containers.docker rm
: Remove one or more containers.docker rmi
: Remove one or more images.docker ps
: List containers.docker images
: List images.
Next combine it with a little ksh
magic in our OpenBSD:
#/bin/sh
ssh 10.1.10.2 rm -rf /root/docker/privoxy.tgz
ssh 10.1.10.2 sh /root/bin/automatic_docker.sh
scp 10.1.10.2:/root/docker/privoxy.tgz /etc/privoxy/adblock2privoxy.tgz
cd /etc/privoxy/
tar zxvf adblock2privoxy.tgz
Very basic, i know, it simply remove old output, run the Alpine script, copy and untar
the output in our privoxy directory.
Just add a crontab
weekly script in OpenBSD and indicate to the three browsers to do the things work like a charm.
# crontab -l | tail -n 1
5 12 * * 2 /bin/sh /root/bin/automatic_adblock2privoxy.sh
#
# cat >> /etc/privoxy/firefox <<EOF
actionsfile adblock2privoxy/ab2p.system.action
actionsfile adblock2privoxy/ab2p.action
filterfile adblock2privoxy/ab2p.system.filter
filterfile adblock2privoxy/ab2p.filter
EOF
# cat >> /etc/privoxy/chrome <<EOF
actionsfile adblock2privoxy/ab2p.system.action
actionsfile adblock2privoxy/ab2p.action
filterfile adblock2privoxy/ab2p.system.filter
filterfile adblock2privoxy/ab2p.filter
EOF
# cat >> /etc/privoxy/torbrowser <<EOF
actionsfile adblock2privoxy/ab2p.system.action
actionsfile adblock2privoxy/ab2p.action
filterfile adblock2privoxy/ab2p.system.filter
filterfile adblock2privoxy/ab2p.filter
EOF
And with this triple cat i remember to you all that the wind of changes is blowing.
i love you,
Wow that is allot of effort to get docker running on OpenBSD. Which I guess is a good thing. I'm a huge OpenBSD fan, but for some things which are more on the Linux side I use FreeBSD. As far as I know you can run Docker on FreeBSD without having to virtualize anything. From what I understand you are virtualizing Linux on OpenBSD and running docker on top of the virtualized Linux right?
yes @netscape101 !
And it work quite good. Try it! Let's keep in touch!
r.giuntoli@protonmail.ch
if you want to write to me.Thank you for the reply.
Nice too meet you.
Cool thanks sent you a mail.
@originalwork
@originalworks