Overview

This guide explains how to install the Cmd Control agent into a container image, then use it to launch, monitor, and control containerized applications. This enables you to monitor and control commands launched using the agent (and their descendants), as well as docker exec and kubectl exec commands.
 
Before reading this, you should understand how to automate agent deployment.


Prerequisite

Minimum software versions:

  • Fully supported on Cmd Control agents 1.4.0 and higher.

  • Beta support for these features started with Cmd Control agent version 1.3.7, which is suitable for testing them in non-production deployments.

 
Outline 

After these instructions, there is a complete example of installing the agent on an Nginx server.

 

Step 1: Install dependencies & configure env. vars.

Install the following two dependencies:

  • “ca-certificates”, to enable SSL

  • “libcap2”, to manage process capabilities

Then, configure the following environment variables for each container:

Required: 

Optional: 

If you choose to define a server name, it can't exceed 128 characters, and must consist of the following: 

- a-z
- A-Z
- 0-9
- space , _ , : , . , -


For more information about how to set environment variables using different orchestration tools, see the relevant documentation on:

 

Step 2: Install the agent with the Dockerfile

Add the agent package to the docker image:

ADD ccf-latest.amd64.deb /tmp/ccf-latest.amd64.deb 


Install the package into the docker image (and clean up the installer):

RUN dpkg -i /tmp/ccf-latest.amd64.deb && rm /tmp/ccf-latest.amd64.deb 

 
 

Step 3: Start the agent in the Container

ENTRYPOINT ["cmd_daemon", "options"]
CMD ["command", "args"]

If you use the -i option to the daemon, the command after the -i will have libinjector loaded, allowing the agent to monitor and control the process and its descendants.

For example: 

ENTRYPOINT ["cmd_daemon", "-i"]
CMD ["command", "args"]

 
 

Step 4: Hook exec in the Container

When the environment variable LD_PRELOAD is set to libinjector.so, commands started via docker exec or kubectl exec will also be monitored and controlled.

LD_PRELOAD=libinjector.so

 
 
 

Complete Example:

In this example we build an Nginx server with Cmd installed.
  

Building the Dockerfile

In this example Dockerfile, two dependencies are installed, and then the latest version of the agent is installed. The final line uses the agent to run nginx.

FROM nginx:latest

RUN apt update && apt install -y ca-certificates libcap2

ADD ccf-latest.amd64.deb /tmp/ccf-latest.amd64.deb
RUN dpkg -i /tmp/ccf-latest.amd64.deb

ENTRYPOINT ["cmd_daemon", "-i"]
CMD ["nginx", "-g", "daemon off;"]

 

Building the Docker image

Make sure you have the correct version of the agent binary in the same directory as your Dockerfile (agent binaries can be found in the Cmd web app, under Project Settings > Agent), for example:

benironside$ ls
Dockerfile                       ccf-latest.amd64.deb

 
Make sure your Dockerfile is correct, then build a Docker image (here called "cmdtest"):

docker build -t cmdtest .

 
For example:

$ docker build -t cmdtest .
Sending build context to Docker daemon 1.628MB
Step 1/5 : FROM nginx:latest
  ---> e445ab08b2be
Step 2/5 : RUN apt update && apt install -y ca-certificates libcap2
  ---> Using cache
  ---> 7769b9a7380f
Step 3/5 : ADD ccf-latest.amd64.deb /tmp/ccf-latest.amd64.deb
  ---> Using cache
  ---> 934b2b4dd57a
Step 4/5 : RUN dpkg -i /tmp/ccf-latest.amd64.deb
  ---> Using cache
  ---> 00e7d918f48b
Step 5/5 : CMD ["cmd_daemon", "nginx", "-g", "daemon off;"]
  ---> Using cache
  ---> af5638a641a9
Successfully built af5638a641a9
Successfully tagged cmdtest:latest
$

   

Creating the Docker instance

Next, run your new Docker image:

docker run \
  -e "LD_PRELOAD=libinjector.so" \
  -e "CMD_PROJECT_KEY=<YOUR_PROJECT_KEY>" \
  -e "CMD_API_URL=https://<SUB>.c-app.cmd.com/ws" \
  -d cmdtest

(Replace <YOUR_PROJECT_KEY> with your Cmd project key, which can be found by following step one of the deployment guide, and replace <SUB> with your Cmd web app subdomain, for example: sub1 or sub2).

Don’t worry if you get some error messages, such as the following:

ERROR configParseProjKey:45 Error 2 opening /etc/cmd/cmd.prj: 
No such file or directory
ERROR main:210 Error -2 importing project key file:
No such file or directory

  

Opening a bash shell in the container

To test that your container is working, open a new terminal window and run the following command to start a bash shell in your chosen container. (If you're not sure what YOUR_CONTAINER_NAME is, run "docker ps" to see all active Docker containers.) 

docker exec -it $YOUR_CONTAINER_NAME bash


For example:

CONTAINER ID      IMAGE        COMMAND                   CREATED     
a551f039ad7a      cmdtest      "cmd_daemon nginx -g…"    5 hours ago  

STATUS              PORTS               NAMES
Up 5 hours          80/tcp              cmdtest_container
$ docker exec -it cmdtest_container bash

You should now be able to see your session in the Cmd web app.
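
To confirm from the host that a container is wired up as Steps 3 and 4 describe, the following added example (not part of the original guide or of Cmd's tooling) audits docker inspect output for the cmd_daemon -i entrypoint, the LD_PRELOAD hook, and the two variables passed in the docker run example. The sample JSON and the "unhooked" container are constructed, and the check assumes -i is the first daemon option.

```python
import json

# Constructed `docker inspect` output, trimmed to the fields read below.
# Key and URL values are the page's placeholders, not real credentials.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/cmdtest_container", "Config": {
        "Env": ["LD_PRELOAD=libinjector.so",
                "CMD_PROJECT_KEY=<YOUR_PROJECT_KEY>",
                "CMD_API_URL=https://<SUB>.c-app.cmd.com/ws"],
        "Entrypoint": ["cmd_daemon", "-i"],
        "Cmd": ["nginx", "-g", "daemon off;"]}},
    {"Name": "/unhooked", "Config": {
        "Env": ["CMD_PROJECT_KEY=<YOUR_PROJECT_KEY>"],
        "Entrypoint": None,
        "Cmd": ["cmd_daemon", "nginx", "-g", "daemon off;"]}},
])
REQUIRED_ENV = ("CMD_PROJECT_KEY", "CMD_API_URL")  # passed in the docker run example


def audit_container(entry):
    """Return findings for one `docker inspect` entry; an empty list means OK."""
    cfg = entry.get("Config") or {}
    env = dict(e.split("=", 1) for e in (cfg.get("Env") or []) if "=" in e)
    # Docker runs Entrypoint + Cmd as one argv; either field may be null.
    argv = (cfg.get("Entrypoint") or []) + (cfg.get("Cmd") or [])
    findings = []
    if not argv or argv[0].rsplit("/", 1)[-1] != "cmd_daemon":
        findings.append("not launched through cmd_daemon")
    elif argv[1:2] != ["-i"]:
        # Assumption: -i is the first daemon option, as in the page's example.
        findings.append("cmd_daemon started without -i")
    # ld.so accepts colon- or space-separated LD_PRELOAD entries.
    preload = env.get("LD_PRELOAD", "").replace(":", " ").split()
    if not any(p.rsplit("/", 1)[-1] == "libinjector.so" for p in preload):
        findings.append("LD_PRELOAD lacks libinjector.so; exec sessions unhooked")
    findings += [f"{name} is not set" for name in REQUIRED_ENV if not env.get(name)]
    return findings


def audit(inspect_json):
    """Map container name -> findings for a `docker inspect` JSON document."""
    return {e.get("Name", "?").lstrip("/"): audit_container(e)
            for e in json.loads(inspect_json)}


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_INSPECT).items():
        print(name, findings or "OK")
```

Against a live host, pass the output of docker inspect for the running containers to audit() in place of SAMPLE_INSPECT.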
 

Running a command as a specific user

You can use the ‘-u’ flag to execute a command as a specific user (rather than root). This works similarly to the USER directive in a Dockerfile. The specified user must be listed in ‘/etc/passwd’.

The syntax is:

-u <username> 

or: 

-u <uid>


For example:

docker exec -u user_name container_name bash

 
