Managing the Lifecycle of a Secure Container

Starting a Secure Container

You can use the Docker engine or iSulad as the container engine of the secure container. The invoking methods of the two engines are similar. You can select either of them to start a secure container.

To start a secure container, perform the following steps:

  1. Ensure that the secure container component has been correctly installed and deployed.

  2. Prepare the container image. Assume that the container image is busybox. Run the following commands to download the container image using the Docker engine or iSulad:

    docker pull busybox
    
    isula pull busybox
    
  3. Start a secure container. Run the following commands to start a secure container using the Docker engine or iSulad:

    docker run -tid --runtime kata-runtime --network none busybox <command>
    
    isula run -tid --runtime kata-runtime --network none busybox <command>
    

    NOTE:
    The secure container supports the CNI network only and does not support the CNM network. The -p and --expose options cannot be used to expose container ports. When using a secure container, you need to specify the --net=none option.

  4. Start a pod.

    1. Start the pause container and obtain the sandbox ID of the pod based on the command output. Run the following commands to start a pause container using the Docker engine or iSulad:

      docker run -tid --runtime kata-runtime --network none --annotation io.kubernetes.docker.type=podsandbox <pause-image> <command>
      
      isula run -tid --runtime kata-runtime --network none --annotation io.kubernetes.cri.container-type=sandbox <pause-image> <command>
      

        

    2. Create a service container and add it to the pod. Run the following commands to create a service container using the Docker engine or iSulad:

      docker run -tid --runtime kata-runtime --network none --annotation io.kubernetes.docker.type=container --annotation io.kubernetes.sandbox.id=<sandbox-id> busybox <command>
      
      isula run -tid --runtime kata-runtime --network none --annotation io.kubernetes.cri.container-type=container --annotation io.kubernetes.cri.sandbox-id=<sandbox-id> busybox <command>
      

      --annotation marks the container type. This option is provided by the Docker engine and iSulad, but not by the open-source Docker engine in the upstream community.

Stopping a Secure Container

  • Run the following command to stop a secure container:

    docker stop <container-id>
    
  • Stop a pod.

    When stopping a pod, note that the lifecycle of the pause container is the same as that of the pod. Therefore, stop service containers before the pause container.

Deleting a Secure Container

Ensure that the container has been stopped. Run the following command to delete the container:

    docker rm <container-id>

To forcibly delete a running container, use the -f option:

    docker rm -f <container-id>
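The stop and delete rules above (service containers before the pause container, stop before delete) can be turned into a teardown plan for a whole pod. The script below is an added example, not part of the original documentation; the inventory format, the function name pod_teardown_plan and all container IDs are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: print (not run) the teardown commands for one pod.
# Inventory format is an assumption of this example, one line per container:
#   <container-id> <type> <sandbox-id>
# <type> mirrors the annotation value used at start time: "podsandbox"
# (Docker) or "sandbox" (iSulad) for the pause container, "container" for
# a service container.

# Constructed sample inventory; all IDs are made up.
SAMPLE_INVENTORY='pause01 podsandbox pause01
svc-a container pause01
svc-b container pause01
pause02 podsandbox pause02
svc-c container pause02'

# pod_teardown_plan <sandbox-id>   (inventory is read from stdin)
pod_teardown_plan() {
    awk -v sb="$1" '
        $3 != sb { next }                          # belongs to another pod
        $2 == "container" { svc[++n] = $1; next }  # service container
        $2 == "podsandbox" || $2 == "sandbox" { pause = $1 }
        END {
            if (pause == "") {
                print "no pause container found for sandbox " sb > "/dev/stderr"
                exit 1
            }
            # Service containers are stopped first ...
            for (i = 1; i <= n; i++) print "docker stop " svc[i]
            # ... and the pause container last, since it lives as long as the pod.
            print "docker stop " pause
            # Everything is stopped by now, so plain rm is enough (no -f).
            for (i = 1; i <= n; i++) print "docker rm " svc[i]
            print "docker rm " pause
        }'
}

# Show the plan for the first pod in the sample inventory.
printf '%s\n' "$SAMPLE_INVENTORY" | pod_teardown_plan pause01
```

Review the printed plan before running it, for example by piping it to sh.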

Running a New Command in the Container

The pause container functions only as a placeholder container. Therefore, after a pod is started, run the new command in the service container. The pause container does not execute the corresponding command. If you need to start only one container, you can run the following command:

    docker exec -ti <container-id> <command>

NOTE:

  1. If the preceding command has no response because another host is running the docker restart or docker stop command to access the same container, you can press Ctrl+P+Q to exit the operation.
  2. If the -d option is used, the command is executed in the background and no error information is displayed. The exit code cannot be used to determine whether the command is executed correctly.
