Container Runtime Configuration

The runtime configuration specifies how a container starts, information it has access to, and permissions it has on the host. It needs to be enabled for the settings underneath to have an effect.

Environment Variables

This section shows the currently configured environment variables for the container and also allows for a user to add/remove additional environment variables to the container after it's been created.

scoped variables form

To add additional environment variables to a container:

  • Add a environment variable to the environment variable fields.
  • Use the Add Variable button.
  • Repeat the last two steps until all the environment variables for this container have been added.
  • Press the Save Config button on the bottom right of the screen.

There are Cycle specific environment variables injected into each container. Find the full list here. Some of these will be instance specific, such as CYCLE_INSTANCE_IPV6_SUBNET.

Environment Variable Management

Environment variables defined on the image cannot be removed. Cycle interprets these as critical. However, their values can be changed, which may be useful for things such as specific development-only settings.

Command

The command section of the runtime configuration settings has options for overriding the startup command used to start the container and the containers configured working directory.

Startup Command

Path - Set an override to the default command run when the container starts.

Args - Any args for the override command.

Use " " 's to wrap arg entries. For example a path that is /bin/sh could have args set to:

"-c sleep '10' && ./script.sh"

Working Directory

Workdir - define the full path to be used when setting the containers working directory.

runtime command

Devices

Shared Host Memory Size - this section allows the user to override the default shared memory at /dev/shm.

Values can be entered in the following format: number size.

Example: 200M, 1G

runtime devices

SYSCTL & RLIMITS

Settings for sysctl fields and rlimits can be set as described in their associated man pages.

rlimits man page

sysctl man page

RootFS

This section has a single checkbox which gives the user a choice to make the containers filesystem read-only.

SECCOMP

Currently, seccomp is enabled on containers by default. To disable SECCOMP, a user must go to the container config > runtime settings and select the disable checkbox.

Host

The host section of the containers runtime config lists optional items that can be included which will interact with the underlying host the container is deployed to.

To expose the underlying host's /proc directory to the container, which will be visible at /var/run/cycle/host/proc in the container, check the box.

Toggling this setting off will remove the exposed filesystem from the host.

Privileges

These settings define exactly what privileges the container has on the host.

Namespaces - Namespaces define what is isolated in the container, and what is used on the host. The fewer namespaces a container has, the less secure it becomes. By default, a container has all namespaces enabled. At the least, they must have the MOUNT namespace. See here for detailed descriptions of the available namespaces.

Privileged Capabilities - Take granular control of specific kernel-level capabilities to a container for extra functionality. These can lead to interesting use cases, for example adding the CAP_NET_RAW capability, and building a containerized network monitoring dashboard. See here for detailed descriptions of the available kernel capabilities.

Fully Privileged - This gives the container full permissions on the host, tread carefully.

runtime privileges