jspc revised this gist.
1 file changed, 57 insertions
threes-container.md(file created)
@@ -0,0 +1,57 @@ | |||
1 | + | # Booting a container directly on Threes | |
2 | + | ||
3 | + | `threes` can boot a container that runs on a VM of its own. This is designed to balance the ease of building and shipping containers with the security benefits of an isolated VM. | |
4 | + | ||
5 | + | ## Pre-requisites | |
6 | + | ||
7 | + | 1. A `container` base image, built via [this repository](https://code.fatlads.lol/threes/packer) | |
8 | + | 2. A container you actually want to run | |
9 | + | ||
10 | + | ## Setup | |
11 | + | ||
12 | + | ```bash | |
13 | + | $ threes network create myapp | |
14 | + | ``` | |
15 | + | ||
16 | + | (Or whatever- I'll use this name in this doc | |
17 | + | ||
18 | + | ## Creating | |
19 | + | ||
20 | + | ```bash | |
21 | + | $ threes vm create -i container -t teeny -n myapp -k "$(cat ~/.ssh/id_ed25519.pub)" myapp | |
22 | + | 2025/07/05 17:15:24 myapp | |
23 | + | 2025/07/05 17:15:24 ID: d1klra72hcamemlkvns0 | |
24 | + | 2025/07/05 17:15:24 Management Address: 10.10.133.145 | |
25 | + | $ threes vm kv upsert -p image=my-image -p version=latest -p port=8080 d1klra72hcamemlkvns0 | |
26 | + | ``` | |
27 | + | ||
28 | + | ### the `threes vm kv upsert` command | |
29 | + | ||
30 | + | A `threes` vm can have an arbitrary set of key/value pairs attached to it, which can be read from within the virtual machine. | |
31 | + | ||
32 | + | Key/Value pairs can either be public or secret. The difference is that only the VM can access secret values; everyone else sees (for instance): | |
33 | + | ||
34 | + | ```bash | |
35 | + | hrees vm kv get d1klra72hcamemlkvns0 | |
36 | + | 2025/07/05 17:46:06 version = "latest" | |
37 | + | 2025/07/05 17:46:06 PASSWORD = "** REDACTED SECRET VALUE **" | |
38 | + | 2025/07/05 17:46:06 image = "thomaspoignant/hello-world-rest-json" | |
39 | + | 2025/07/05 17:46:06 port = "8080" | |
40 | + | ``` | |
41 | + | ||
42 | + | The container base image uses these Key/Value pairs to derive a container to run; it expects a key called `image`- without this, it will fail. The keys `version` and `port` have sensible defaults of `latest` and `8080` respectively. | |
43 | + | ||
44 | + | Any key in all caps will be treated as an environment variable. | |
45 | + | ||
46 | + | ||
47 | + | ## Next Steps | |
48 | + | ||
49 | + | From here, it's easy enough to access your container app via http://myapp:8080 on the tailnet, or to slap a reverse proxy in front of it. | |
50 | + | ||
51 | + | As always with `threes`, the name on the tailnet is derived from the name of the vm. The command: | |
52 | + | ||
53 | + | ``` | |
54 | + | $ threes vm create -i container -t teeny -n myapp -k "$(cat ~/.ssh/id_ed25519.pub)" blahhhhhh | |
55 | + | ``` | |
56 | + | ||
57 | + | Would result in the container being available at http://blahhhhhh:8080. |
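Review bot: The `threes vm kv upsert` section (file lines 28-44) says pairs can be public or secret, but the only upsert shown, on file line 25, passes all three keys with `-p`, and nothing shows how the `PASSWORD` entry in the file line 37 output was set or whether `-p` marks a pair as public. Please add the secret form of the command next to the existing one, so a reader following the doc does not put a credential into a pair that everyone can read. The closing sentence on file line 44 should also say whether an all-caps key set as a public pair is exported to the container in the same way as a secret one. In the same example, file line 35 reads `hrees vm kv get d1klra72hcamemlkvns0` (the `$ t` prefix is missing), and file line 38 prints `image = "thomaspoignant/hello-world-rest-json"` while file line 25 set `image=my-image`, so the sample output does not match the VM created above. File line 16 has an unclosed parenthesis, and the fence on file line 53 lacks the `bash` tag the other fences use.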