Overview
This guide explains how to install the Cmd Control agent to a container image, then use it to launch, monitor, and control containerized applications. This enables you to monitor and control commands launched using the agent (and their descendants), as well as docker exec and kubectl exec commands.
Before reading this, you should understand how to automate agent deployment.
Prerequisite
Minimum software versions:
Fully supported on Cmd Control agents 1.4.0 and higher.
Beta support for these features started with Cmd Control agent version 1.3.7, which is suitable for testing them in non-production deployments.
Outline
After these instructions, there is a complete example of installing the agent on an Nginx server.
Step 1: Install dependencies & configure env. vars.
Install the following two dependencies :
“ca-certificates”, to enable SSL
“libcap2”, to manage process capabilities
Then, configure the following environment variables for each container:
Required:

Optional:

If you choose to define a server name, it can't exceed 128 characters, and must consist of the following:
- a-z
- A-Z
- 0-9
- space , _ , : , . , -
For more information about how to set environment variables using different orchestration tools, see the relevant documentation on:
Step 2: Install the agent with the Dockerfile
Add the agent package to the docker image:
ADD ccf-latest.amd64.deb /tmp/ccf-latest.amd64.deb
Install the package into the docker image (and clean up the installer):
RUN dpkg -i /tmp/ccf-latest.amd64.deb && rm /tmp/ccf-latest.amd64.deb
Step 3: Start the agent in the Container
ENTRYPOINT [“cmd_daemon”, “options”]
CMD [“command”, “args”]
If you use the -i option to the daemon, the command after the -i will have libinjector loaded, allowing the agent to monitor and control the process and its descendants.
For example:
ENTRYPOINT [“cmd_daemon”, “-i”]
CMD [“command”, “args”]
Step 4: Hook exec in the Container
When the environment variable LD_PRELOAD is set to libinjector.so, commands started via docker exec or kubectl exec will also be monitored and controlled.
LD_PRELOAD=libinjector.so
Complete Example:
In this example we build an Nginx server with Cmd installed.
Building the Dockerfile
In this example Dockerfile, two dependencies are installed, and then the latest version of the agent is installed. The final line uses the agent to run nginx.
FROM nginx:latest
RUN apt update && apt install -y ca-certificates libcap2
ADD ccf-latest.amd64.deb /tmp/ccf-latest.amd64.deb
RUN dpkg -i /tmp/ccf-latest.amd64.deb
ENTRYPOINT ["cmd_daemon", "-i"]
CMD ["nginx", "-g", "daemon off;"]
Building the Docker image
Make sure you have the correct version of the agent binary in the same directory as your Dockerfile (agent binaries can be found in the Cmd web app, under Project Settings > Agent), for example:
benironside$ ls
Dockerfile ccf-latest.amd64.deb
Make sure your dockerfile is correct, then build a Docker image (here called "cmdtest"):
docker build -t cmdtest .
For example:
$ docker build -t cmdtest .
Sending build context to Docker daemon 1.628MB
Step 1/5 : FROM nginx:latest
---> e445ab08b2be
Step 2/5 : RUN apt update && apt install -y ca-certificates libcap2
---> Using cache
---> 7769b9a7380f
Step 3/5 : ADD ccf-latest.amd64.deb /tmp/ccf-latest.amd64.deb
---> Using cache
---> 934b2b4dd57a
Step 4/5 : RUN dpkg -i /tmp/ccf-latest.amd.64.deb
---> Using cache
---> 00e7d918f48b
Step 5/5 : CMD ["cmd_daemon", "nginx", "-g", "daemon off;"]
---> Using cache
---> af5638a641a9
Successfully built af5638a641a9
Successfully tagged cmdtest:latest
$
Creating the Docker instance
Next, run your new Docker image:
docker run
-e "LD_PRELOAD=libinjector.so"
-e "CMD_PROJECT_KEY=<YOUR_PROJECT_KEY>"
-e "CMD_API_URL=https://<SUB>.c-app.cmd.com/ws"
-d cmdtest
(Replace <YOUR_PROJECT_KEY> with your Cmd project key, which can be found by following step one of the deployment guide, and replace <SUB> with your Cmd web app subdomain, for example: sub1 or sub2).
Don’t worry if you get some error messages, such as the following:
ERROR configParseProjKey:45 Error 2 opening /etc/cmd/cmd.prj:
No such file or directory
ERROR main:210 Error -2 importing project key file:
No such file or directory
Opening a bash shell in the container
To test that your container is working, open a new terminal window and run the following command to start a bash shell in your chosen container. (If you're not sure what YOUR_CONTAINER_NAME is, run "docker ps" to see all active Docker containers.)
docker exec -it $YOUR_CONTAINER_NAME bash
For example:
CONTAINER ID IMAGE COMMAND CREATED
a551f039ad7a cmdtest "cmd_daemon nginx -g…" 5 hours ago
STATUS PORTS NAMES
Up 5 hours 80/tcp cmdtest_container
$ docker exec -it cmdtest_container bash
You should now be able to see your session in the Cmd web app.
Running a command as a specific user
You can use the ‘-u’ flag to execute a command as a specific user (rather than root). This works similarly to the USER directive in a dockerfile. The specified user must be listed in ‘ /etc/passwd ’.
The syntax is:
-u <username>
or:
-u <uid>
For example:
docker exec -u user_name container_name bash