stage1: support interactive containers

[iaguis]

By using systemd's StandardInput option we set /dev/console in stage1
as the tty for the app (see systemd.exec(5)). This makes interactive
executables like bash work with rkt run (or prepare+run-prepared).

This is only supported if the container has only one app.

Fixes #562

[alban]

Can we add the same for StandardOutput? The default of StandardOutput is journal. I'm not sure how it works, maybe the journal is redirected to /dev/console, which systemd-nspawn has created as a pseudoterminal.

[jonboulle]

Yeah, see here

[iaguis]

Thanks for the reviews!

[jonboulle]

return filepath.Join(AppImagesPath(root), types.ShortHash(imageID.String())

[jonboulle]

One nit but LGTM; @vcaputo could you please take another look?

[vcaputo]

LGTM

[jonboulle]

awesome, thanks again @iaguis

[prabhuinbarajan]

my apologies for chiming into this thread really late. I have a couple of questions around the interactive mode. Is there a way to disable support for interactive mode for rocket containers? If I would like my containers to be not accessed interactively at or after they launched , what would be my best option?

[alban]

@prabhuinbarajan you can just not use --interactive and it will not be interactive, meaning you will not be able to type into the application. And to run rkt in the background without seeing the output on the terminal, you can start rkt with systemd-run as explained in the guide "Using rkt with systemd".

[prabhuinbarajan]

@alban , thanks. Sorry, my earlier query was unclear to begin with - so let me give you my context. I am trying to get to a state where neither my container management run time , nor containers support any ability to ssh / terminal access. In the docker world, the equivalent of this seems to be the docker attach, docker run commands that seems to provide the ability to modify the container state (atleast theoretically) after the container is deployed.

I may not be describing this accurately , but if we were to compose a ideal 12 factor app, it is my humble opinion that the container management runtime would not need the ability to support interactive shells.

Bizzare as it might seem, reason for this is certain industry segments (ex: fintech) where regulatory requirements such as PCI require hard proof of access, ability to prove that the container states were not modified post deploy etc. An appropriate balance might be if rkt at compile time can take an option on whether or not to support interactive , that would be ideal. if the request seems fair to you, i would be happy to submit a PR.

Also would love to hear your thoughts on whether appc would have some security guidance around interactive containers.

[alban]

rkt run --interactive is more the equivalent of docker run --tty --interactive. After a rkt pod has been started, it's not possible to add --interactive to the already-running pod. This is not related to docker attach.

rkt does not support the equivalent of docker attach, although there is an issue open to add that: #1799

I am not familiar with those regulatory requirements and I am not sure to understand what that would involve. Could you open a new issue to discuss this?

/cc @mjg59

[jonboulle]

@prabhuinbarajan that actually fits very nicely with rkt's design/goals - from the beginning we've not emphasised features like interactive mode (arguably, at the expense of usability), because we intend rkt be used in environments where it shouldn't be necessary (and as you note is in some cases actively discouraged or forbidden)

I'd definitely be receptive to a patch making it configurable at build time. I'm not really sure whether this should be specifically for just this flag or more general.