Managing your runtime environments
When klee run
is executed, a container is created and a process is started
within that container. The process runs in an isolated
environment with its own file system, its own networking, and its own isolated
process tree separate from the host.
In FreeBSD terminolgy, the process is ‘jailed’ (using the jail kernel functionalty) and it can be managed using native FreeBSD tooling. Some of these is being used by Kleene under the hood, but some of the tools can be relevant to use alongside Kleene as well.
The degree of isolation can be adjusted in many ways, and will be discussed in the following sections.
Creating and running containers
The most common way of using containers with the client is to use the command
klee run
.
This command combines klee container create
and
klee container start
.
Therefore, running
$ klee container create FreeBSD echo Hello!
433b69dfc748
$ klee container start 433b
created execution instance 1671b5124e42
Hello!
executable 1671b5124e42 and its container exited with exit-code 0
and
$ klee run FreeBSD:testing echo Hello!
24644efab9a3
created execution instance f2f4d2ef6c26
Hello!
executable f2f4d2ef6c26 and its container exited with exit-code 0
are equivalent. A few things to notice with these two examples:
-
In both cases, Kleene generated a unique ID for the container when it was created, and printed it to the user on the first line. Since no name was set with
--name
, Kleene autogenerated one for the container, but did not print it. Runklee lsc -a
to see the names of the containers. -
Kleene also created an execution instance when the container is started. An execution instance is a ephemeral object in Kleene that represents a spawned process. A running container can have more than one execution instance and the user can create more with Klee using
klee exec
. -
When starting the container manually, it is enough to refer to the container using an initial segment of the ID, as long as it is unique across all container ID’s. You can also refer to a container by it’s name, however, then the entire name must be used.
-
Lastly, the containers have connectivity using the
host
network driver, since no network driver was specified (with--network-driver
/-l
) when the containers were created. It is recommended to use networks instead, and an easy way to get started with networks is by going through the Get started guide. Many more details are given in the networking section.
Detached vs. foreground
By default, a container runs in the foreground and relays STDOUT and STDERR from the process to the terminal:
$ klee run FreeBSD:test echo Hello!
8752dee80656
created execution instance 7726cb9f5299
Hello!
executable 7726cb9f5299 and its container exited with exit-code 0
However, it can also run in the background using
the --detach
flag:
$ klee run --detach FreeBSD:test echo Hello!
4a687b420ed
created execution instance acba96f0411c
Here, Kleene started the container, and exits back to the terminal.
In this case, the container stops immediatly after echo
has printed
‘Hello!’ but if it was a long-running process it would continue to
run in the background. This is exemplified in the following.
Running containers in the foreground
When running containers in the foreground, klee run
starts the
process and exits when the process does.
$ klee run FreeBSD:testing
a33acc099268
created execution instance 94455a51098c
ELF ldconfig path: /lib /usr/lib /usr/lib/compat
32-bit compatibility ldconfig path: /usr/lib32
Updating motd:.
Creating and/or trimming log files.
Clearing /tmp (X related).
Updating /var/run/os-release done.
Starting syslogd.
/etc/rc: WARNING: failed to start syslogd
Starting sendmail_submit.
554 5.3.0 host "localhost" unknown: Protocol not supported
/etc/rc: WARNING: failed to start sendmail_submit
Starting sendmail_msp_queue.
Starting cron.
Tue Feb 13 13:04:21 UTC 2024
94455a51098c has exited with exit-code 0
Notice the last line compared to the previous examples:
It only says that the execution instance has exited, and there is no mention of the
container because it is stille running. Check with klee lsc
.
If the process that startede the container exists but it has spawned other
processes that are still running, the container will continue to run in the
background.
Note
When running a containerized process in the foreground and exiting Klee with
ctrl+c
, Kleened responds by terminating the jail(8) process and not any subprocesses. Therefore, the jail might still be running even though the attached session is closed. For instance,klee exec my-container /bin/sh -c "nc -l 4000"
keeps running after Klee exits. Shut it down by killing the proces withkill
from either host/container or, alternatively, stop the container entirely withklee stop my-container
.
Accessing a running container
Since containers usually have a full-blown userland they can be accessed and managed with many of the same tools as the host, albeit in a restricted environment.
There are two different ways of doing this. Either by using klee
or using FreeBSD’s
native tool jexec(8)
.
Using klee
Klee’s commands for starting containers/execution instances, such as klee run
and
klee exec
supports interactive sessions:
-
With the
-i
/--interactive
flag, Kleene redirects terminal STDIN to STDIN of the containerized process. -
With the
-t
/--tty
flag Kleene allocates a pseudo-TTY which is needed in order for certain interactive applications such assh
,bash
etc. to work properly.
For interactive processes (like a shell), use -i -t
together in
order to allocate a tty for the container process. -i -t
is usually written -it
.
The advantage of using the Kleene client is that it wraps the interactive session with relevant information such container/execution instance ID’s an whether the container terminated or just the execution instance. It can also run on a remote machine instead of the Kleene host. It is still experiemental, however, and it communicates through a websocket, which incurs some overhead.
Using jexec
FreeBSD comes with its own tool for executing commands inside a container/jail.
It is straightforward to use and it works seamlessly with Kleene containers.
You can use the JID or the (entire) container ID to specify the container
that the command should run in.
See jexec(8)
for details.
The advantage of using jexec instead of Klee is that it is simple and fast (written in C). The drawback is that jexec only works on the host.
Image identification
When containers are created, they are created from an image which can be specified using this compressed form:
IMAGE_ID|IMAGE_NAME[:tag][@snapshot]
which is explained in detail in the documentation of klee container create
.
It is also possible to create images from build snapshots as described here,
which can be useful during image development.
Overriding image defaults
An image can be equipped with parameters that also affects the runtime environment, i.e., the container. These can be overwritten when creating/running containers.
For instance, with klee run [OPTIONS] IMAGE [COMMAND]...
the Dockerfile instructions
can be overwritten by Klee in the following way:
Dockerfile | Klee | Description |
---|---|---|
CMD |
COMMAND |
If you omit COMMAND the CMD of the image is used. |
ENV |
-e /--env option |
Specifying environment variables with Klee overwrites existing ones, if they exist. |
USER |
-u /--user option |
If no explicit user is set in the image, it is root by default. |
In order to see what default values comes with the image, use klee image inspect
.