How do I run the equivalent of this docker run cmd on fly? - no access to docker runtime IPC?

docker run --name=example-agent \
  --ipc=host \
  -v=/etc/cp/conf \
  -v=/etc/cp/data \
  -v=/var/log/nano_agent \
  -it \
  -d \
  ghcr.io/example/class:latest /cp-example-agent --token 12345abc

I figured some of it out. In my toml section using the experimental block code, I can pass the arguments

This works for the last part and volumes can also be configured in the toml file.

However, I don’t know how to pass the --ipc="host" runtime argument.

Edit: Just going through docs and I cannot find a way to pass docker runtime options. Is this true?

I think in order to resolve this problem, we need the ipc runtime param to be configurable which fly doesn’t allow at the moment.


Hi @tanktusSui, Fly.io doesn’t use Docker to run customer code; your apps run in VMs (“Fly Machines”). If you say more about what you needed the --ipc="host" option for, someone here may have a suggestion as to how to accomplish the desired effect using Machines.

I’m trying to deploy this. https://docs.openappsec.io/getting-started/start-with-docker/install-with-docker-centrally-managed
It’s the open-appsec solution.
Everything seems to be fine except for this ipc=host part.

I would seriously appreciate it if someone could help me with this lol.

Hey I was taking a look at this then realized why they use --ipc host.

It appears the nginx and agent are sharing memory so the agent is aware of the interactions happening in nginx. The Linux install docs make that a bit clearer, but it’s also why it’s not obvious how the two containers are aware of each other in the Docker docs - other than the ipc=host arg.

Unfortunately running this in the exact style they describe using two containers isn’t possible because fly machines don’t share memory.

One option you could explore is a bit of a hybrid, perhaps.

You might be able to use the linux instructions to write a dockerfile that boots both the agent and nginx on one machine.

I wrote a Dockerfile that does this but this is the error I get on my machine now. It seems to be just restarting/shutting down.

I’m suspecting this is because the docker entrypoint isn’t specified in my sh file?

#!/usr/bin/expect -f

# Start the installer; the email prompt it shows is answered below
spawn sh -c "./open-appsec-install --auto --token 12345bc"

# Set a timeout for the prompt
set timeout 60

# Expect and handle the prompt at any time during execution
expect {
   -re "Add your email to receive important security updates and so you can approach us with technical questions.*" {
       send "IGNORE\r"
   }
   timeout {
       send_error "Timed out waiting for the prompt\n"
       exit 1
   }
}

# Continue handling any further prompts that may appear
expect {
   -re "Add your email to receive important security updates and so you can approach us with technical questions.*" {
       send "ignore\r"
       exp_continue
   }
   eof {
       # Command has finished executing
   }
   timeout {
       send_error "Timed out waiting for the prompt\n"
       exit 1
   }
}

If I do exec sh -c "/docker-entrypoint.sh start" at the end of the sh file… it says it can’t find it.

The key message in the above:

Main child exited normally with code: 0

Try adding a call to Process.wait.

I added

wait

exit

to the end of the file and that didn’t work. Not sure what else I can do.

I removed wait and exit and added

# Sleep for a short duration to prevent excessive CPU usage
after 1000

# Enter an infinite loop to keep the script running
while {1} {
    # Sleep for a short duration to prevent excessive CPU usage
    after 1000
}

at the end of the file and this appears to work, my app is running, but I’m no longer seeing any logs as it’s just sleeping here.

The aspect to consider is that the ubuntu docker image doesn’t actually do anything, which is why it’s necessary to add

# Add the tail -f /dev/null command to keep the container running
exec tail -f /dev/null

or sleep infinity to prevent it from shutting down
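
Added example, not part of the original thread and not open-appsec or Fly.io code: a small entrypoint for the single-machine approach discussed above. It starts the agent and nginx together, stays in the foreground so the main process does not exit with code 0, leaves their output on stdout instead of parking on `tail -f /dev/null`, and ends the machine as soon as either service exits. The two command strings in the usage comment are placeholders, and each service is assumed to be one simple command that runs in the foreground.

```sh
#!/bin/sh
# Added example: PID 1 for a machine that runs several services side by side.
# Usage, one quoted simple command per service (both strings are placeholders):
#   entrypoint.sh "/cp-example-agent --token <TOKEN>" "nginx -g 'daemon off;'"

# stop_all PID...: ask each child to terminate, then reap it.
stop_all() {
    for p in "$@"; do kill -TERM "$p" 2>/dev/null || true; done
    for p in "$@"; do wait "$p" 2>/dev/null || true; done
}

# supervise CMD...: start every CMD in the background with its output left on
# stdout/stderr, block until the first one exits, stop the others, and return
# the exit status of the one that ended.
supervise() {
    pids=""
    for cmd in "$@"; do
        sh -c "exec $cmd" &          # exec: the signal reaches the service itself
        pids="$pids $!"
    done
    # Machine stop (SIGTERM) or Ctrl-C: shut the services down, then exit.
    trap 'stop_all $pids; exit 143' TERM INT
    while :; do
        for p in $pids; do
            if ! kill -0 "$p" 2>/dev/null; then   # this service is gone
                rc=0
                wait "$p" || rc=$?                # collect its exit status
                stop_all $pids
                trap - TERM INT
                return "$rc"
            fi
        done
        sleep 1                                   # poll once per second
    done
}

# Run as an entrypoint only when service commands were passed in.
if [ "$#" -gt 0 ]; then
    supervise "$@"
    exit $?
fi
```
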
