Container Confession

Hi, my name is Jason and I use containers in other containers and I’m unhappy that I can’t run even other containers inside of those.

I’m not a big fan of Canonical’s snapd application containers, but they have one application there that I can’t get anywhere else for openSUSE outside of building it all from source and that is LXD. LXD is a hypervisor for Linux Containers a.k.a. LXC. With LXD, I can create full system containers that have much of the same functionality as VMs without the virtualization overhead and unlike Docker application containers, it provides a full environment to work in, not just enough to run one application.

My goal is to use LXD to create very quick and small environments to play with new tools in a safe sandbox. If I screw something up, I can create a new VM in less than 10 seconds or revert it to a previous save state even quicker instead of the time it takes to do the same in VirtualBox or KVM.

One of the things that I would like to do is play with Docker containers in my LXC container that is running in a snapd container. Well, that just doesn’t work. Mostly apparmor is confused and by default, it is doing its job.

root@docker-test:~# docker run -it hello-world
Unable to find image 'hello-world:latest' locally
latest: Pulling from library/hello-world
ca4f61b1923c: Pull complete
Digest: sha256:97ce6fa4b6cdc0790cda65fe7290b74cfebd9fa0c9b8c38e979330d547d22ce1
Status: Downloaded newer image for hello-world:latest
docker: Error response from daemon: Could not check if docker-default AppArmor profile was loaded: open /sys/kernel/security/apparmor/profiles: permission denied.

So, that’s what I’m playing with today. If I get it to work, I’ll post it here.

My SSH Trick

10 hours of jetlag and rainy afternoon naps don’t mix. It’s 2 minutes to 2AM here in Provo, UT and I can’t sleep so I’m blogging.

I want to ssh into a machine that doesn’t have any external IP. In the case of my situation at home, I get a 192.168… IP from my ISP because of a shared connection. In other cases, I have VMs with NATed IPs that also have no direct way in.

I could pay for a VPN service and vpn into these machines, but instead I’m using a free way of doing it. I use Tor.

Here’s how it works: the Tor service on the machine reaches out to the Tor network and, as a hidden service, listens on port 22 (or whatever port I choose for ssh) for incoming requests. I use “torsocks ssh zzzzzzzzz.onion” from my laptop and I am in. This bypasses the external internet and gives me a pretty secure route from my laptop to my home machine, only via Tor.

Here’s how I set it up with openSUSE:

On your remote or inaccessible server:

$ sudo zypper in tor

This installs the tor service and the torsocks proxy app.

$ sudo vim /etc/tor/torrc

Uncomment the following lines:

HiddenServiceDir /var/lib/tor/hidden_service/
HiddenServicePort 22

$ sudo systemctl start tor

The service is now started and you should have a new .onion address:

$ cat /var/lib/tor/hidden_service/hostname

On your local machine/laptop/etc:

$ sudo zypper in tor
$ sudo systemctl start tor
$ torsocks ssh xxxxxxxxx.onion

This is a cool trick. Of course you can use it on any server/VM/etc. even if they do have accessible IPs. In those cases, I suggest that you close the firewall on port 22 and allow it to be only accessible via Tor. There is no need to have extra ports open to the internet.
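The setup above and the firewall advice in this paragraph, as an added example (not code from the original post): a small shell script that wraps the openSUSE procedure in functions so each step can be checked before the next. It emits the two torrc lines, waits for tor to actually write the hostname file instead of cat-ing it too early, sanity-checks that the result looks like a v3 .onion name, and prints a client-side ssh_config stanza. Everything it assumes beyond the post is labelled in the comments: firewalld as the firewall, tor's default SOCKS port 9050, and netcat-openbsd's nc for a ProxyCommand alternative to torsocks.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumptions not on the page:
# firewalld is the firewall, tor's SOCKS port is the default 9050, and the
# ProxyCommand uses netcat-openbsd's nc (-x/-X options).

SSH_PORT="${SSH_PORT:-22}"
HS_DIR="${HS_DIR:-/var/lib/tor/hidden_service/}"
TORRC="${TORRC:-/etc/tor/torrc}"

# The two torrc lines the post uncomments. 127.0.0.1:PORT is what tor uses
# when the target is omitted; writing it out makes the loopback-only forward
# visible to whoever reads the file later.
hs_torrc_lines() {
    printf 'HiddenServiceDir %s\n' "$1"
    printf 'HiddenServicePort %s 127.0.0.1:%s\n' "$2" "$2"
}

# Append the lines unless a HiddenServiceDir is already configured.
configure_torrc() {
    if grep -q '^HiddenServiceDir' "$TORRC"; then
        echo "$TORRC already defines a HiddenServiceDir, not touching it" >&2
        return 0
    fi
    hs_torrc_lines "$HS_DIR" "$SSH_PORT" >> "$TORRC"
}

# A v3 onion name is 56 base32 characters followed by ".onion"; anything else
# means the hostname file is stale, truncated or belongs to something else.
is_onion_name() {
    printf '%s' "$1" | grep -Eq '^[a-z2-7]{56}\.onion$'
}

# tor writes the hostname file a moment after the service starts, so poll for
# it (up to $2 seconds) instead of reading it immediately. Prints the name.
wait_for_hostname() {
    dir="$1"; tries="${2:-30}"
    while [ "$tries" -gt 0 ]; do
        if [ -s "$dir/hostname" ]; then
            name=$(tr -d '[:space:]' < "$dir/hostname")
            if is_onion_name "$name"; then
                printf '%s\n' "$name"
                return 0
            fi
        fi
        tries=$((tries - 1))
        sleep 1
    done
    echo "no valid hostname in $dir" >&2
    return 1
}

# Client side: an ssh_config stanza that sends every *.onion host through the
# local tor SOCKS proxy, as an alternative to prefixing each call with torsocks.
onion_ssh_config() {
    cat <<EOF
Host *.onion
    ProxyCommand nc -x 127.0.0.1:9050 -X 5 %h %p
EOF
}

# Server side, run as root on a real openSUSE box (not run automatically).
# Removing the ssh firewall service is the post's advice for machines that do
# have a public IP; do it only after a login over the .onion name has been
# verified from another machine, or you lock yourself out.
setup_server() {
    zypper --non-interactive install tor
    configure_torrc
    systemctl enable --now tor
    onion=$(wait_for_hostname "$HS_DIR") || return 1
    echo "hidden service ready: torsocks ssh $onion"
    if [ "${CLOSE_PUBLIC_SSH:-no}" = yes ]; then
        firewall-cmd --permanent --remove-service=ssh
        firewall-cmd --reload
    fi
}

case "${1:-}" in
    server) setup_server ;;
    client-config) onion_ssh_config ;;
    *) echo "usage: $0 server | client-config" >&2 ;;
esac
```

Run `sh script.sh server` as root on the remote box; set `CLOSE_PUBLIC_SSH=yes` only once the onion login has been tested. On the laptop, `sh script.sh client-config >> ~/.ssh/config` lets a plain `ssh name.onion` go through tor without torsocks.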

Using Tor is a great way to add security to your network communication. In addition to the SSH encryption, the packets have additional encryption due to the nature of how Tor works.

About privacy. You also benefit from the inherent privacy of the Tor network, which you might not get if you believe that your ISP, etc. is gathering data on its users. If they are monitoring packets or are that interested, they can probably see that you are using Tor, but they can’t see what you are doing or where you are connecting. Is it more or less private than using the Tor Browser? I don’t know. It’s worth looking into. My feeling is that since ssh is low-bandwidth and has none of the extra problems that browsers have, such as JavaScript, vulnerabilities, etc., it is probably as safe or safer.

Anyway, I hope this helps people out if you’re like me and have to make do with an ISP that makes using the web just a little harder.

One last thing. Tor is more laggy than a straight connection. You’re not doing anything wrong, it’s just a side-effect of how this all works.