The goal of this project is to define a set of image label metadata and launcher tooling that understands said metadata to provide for smooth experience running containerized applications with tight integration with the host operating system.
[hɑɪkː]
The goal of this project is to define a set of image label metadata and launcher tooling that understands said metadata to provide for smooth experience running containerized applications with tight integration with the host operating system.
pip install docker-hica
Versioned specification of all labels can be found in docs/labels.md
Guidelines for Dockerfiles can be found in docs/dockerfile-guidelines.md
SELinux usage is documented in docs/selinux.md
Examples directory currently contains several example Dockerfiles:
jqfirefox-testingsignifyopengl-testingtest-descriptionPlease refer to README.md in each particular subdirectory for more information.
The straightforward way is to simply:
$ cd examples/example
$ docker build -t example .
$ docker-hica example
Let's overview the basic stuff:
$ docker-hica --help
usage: docker-hica [-h] [--show-args] [--test-injectors] [--verbose] [--yes]
[--selinux-label SELINUX_LABEL] [--user USER]
hica_app_name ...
positional arguments:
hica_app_name
named_action
optional arguments:
-h, --help show this help message and exit
--show-args show possible arguments for the specified
"hica_app_name"
--test-injectors executes injector tests for specified "hica_app_name"
--verbose print additional information
--yes bypass the capability review check
--selinux-label SELINUX_LABEL
provide a confinement context
--user USER user:group to run as (1000:1000)
The --show-args flag allows for displaying configurable parameters for image injectors, so
to see what parameters can be passed to the examples/firefox image, execute:
$ docker-hica --show-args firefox:1.0
usage: docker-hica [-h] [--show-args] [--verbose] [--yes]
[--machine-id-path MACHINE_ID_PATH]
[--xsocket-path XSOCKET_PATH]
[--x-display-num X_DISPLAY_NUM]
hica_app_name ...
When --verbose is specified, the Docker command is also printed out during execution:
$ docker-hica --verbose firefox:1.0
The container requests the following capabilities:
- Bind mounts current working directory (/Repos/docker-hica) into the container
- Bind mounts machine-id into the container
- Bind mounts XSocket into the container
Proceed? [y/Y/n]: y
Executing: docker run -i -u 1000:1000 --volume /Repos/docker-hica:/Repos/docker-hica -w /Repos/docker-hica --volume /etc/machine-id:/etc/machine-id --volume /tmp/.X11-unix:/tmp/.X11-unix -e DISPLAY=:0 firefox:1.0
And finally the --yes flag allows for skipping the initial prompt for confirmation as seen on the example above.
This option is dangerous, future versions will treat 'Y' in the prompt response as 'Yes and remmber', so that
the initial capability request is reviewed at least once.
FAQs
The goal of this project is to define a set of image label metadata and launcher tooling that understands said metadata to provide for smooth experience running containerized applications with tight integration with the host operating system.
We found that docker-hica demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
In this segment of the Risky Business podcast, Feross Aboukhadijeh and Patrick Gray discuss the challenges of tracking malware discovered in open source softare.
Research
Security News
A threat actor's playbook for exploiting the npm ecosystem was exposed on the dark web, detailing how to build a blockchain-powered botnet.
Security News
NVD’s backlog surpasses 20,000 CVEs as analysis slows and NIST announces new system updates to address ongoing delays.