Containers

Configure containers to run on appliance-based nodes

Trustgrid nodes can run Docker containers, which simplifies deployment across an organization. Any Docker container is supported, with the exception of containers that require root-level access.

A container can be attached to both the local and the virtual network space, which allows both local and remote resources to communicate with it. For example, an API deployed on a Trustgrid Gateway could send API calls via the virtual network space to a container running on a Trustgrid Edge Node. The container could then translate the call into a query against a database running on the local network and pass the result back up to the gateway host.

Before adding a container to a node, push an image to your repository.

Reading containers requires the node-exec::read permission and managing them requires node-exec::modify. Executing a container requires the node-exec::compute permission.

Management

Navigate to Container Management under Compute on a node or cluster.

Containers List View

Here you can add, enable, disable, delete, and import a container.

Add Container Modal

Field Name | Description
Name | The name of the container.
Execution Type | A container can be deployed as one of three types:

  1. Service - the container is created and runs as a daemon. If the node reboots, the container starts automatically.

  2. Recurring - the container runs on a defined schedule. The schedule parameter defines the frequency, either as a rate or as a cron expression.

     Rate | Description
     rate(30 minutes) | Run every 30 minutes
     rate(1 hour) | Run every hour
     rate(1 day) | Run every day

  3. On Demand - typically used for testing. The container is executed for a single session and does not restart on its own.

Status | Only enabled containers will run.
Image Name | The name of the image to execute.
Image Tag | The image tag to execute.

Overview

Within a container, the Overview section allows editing basic information about the container’s execution environment.


In addition to the fields above, the optional fields below can be modified after the new container configuration has been saved.

Field Name | Description
Save Output | Persist standard output and standard error to the Trustgrid cloud for analysis. It is the customer’s responsibility to ensure no privileged information is included in the output. If in doubt, do not use this feature.
Command | The command to execute inside the container. This overrides the start command configured by the Dockerfile used to build the image and can be useful for troubleshooting.
Hostname | The hostname set inside the container. Defaults to the node name.
Stop Time | The grace period (in seconds) to allow a container to stop before it is killed. Defaults to 30 seconds.
User | Sets the user or group (by name, UID or GID) that the container runs as.
DNS | Configures the container to use the specified DNS server for resolution. By default the container uses a local resolver managed by the node software, which can resolve other containers by name and forwards to the node’s configured DNS servers for external resolution.
IP | Configures the container to use the specified IP address. The address must be in the 172.18.0.0/16 network and cannot be 172.18.1.2. By default an address in that network is assigned dynamically.
Privileged | Grant the container extended privileges. Best practice is instead to grant only the Linux capabilities needed to run the container.
Use Init | Use an init process inside the container as PID 1. This ensures the responsibilities of an init system (for example, handling exit signals) are performed inside the container.
Require Connectivity | Ensures that the container will not start if it has encrypted volumes and is unable to reach the control plane.

Environment Variables

Environment variables can be added to a container to provide configuration information to the container at runtime.


Network

The networking section allows you to configure the container’s VRF, its port mappings, and its virtual networks and interfaces.


Host Port Mappings

Host port mappings expose a port on the host and forward it to the container. This is useful for exposing a service running in the container to the local network.

Field Name | Description
Protocol | The protocol to listen for. If not specified, all traffic is forwarded to the container.
Host Interface | The host interface to listen on.
Host Port | The host port to listen on.
Container Port | The container port that will receive the mapped traffic.

Virtual Networks

Attaching a virtual network to a container allows virtual network traffic to reach it.

Field Name | Description
Virtual Network | The virtual network to attach.
Virtual IP | The virtual IP to assign to the container.
Allow Outbound | Whether the container should be allowed to make outbound connections into the virtual network.

Virtual Interfaces

A virtual interface can be mapped to a container so that all of its traffic is forwarded to the container.

Field Name | Description
Name | The virtual interface name.
Destination | The interface destination inside the container.

Mounts

Mounts allow a container to persist data, either in an externally defined volume or through a bind mount of the node’s filesystem.


Field Name | Description
Type | Either BIND or VOLUME. For type VOLUME, the mount must reference an existing volume.
Source | For volumes, the name of the volume. For bind mounts, the path on the node’s filesystem.
Destination | The mount location inside the container.

Resource Limits

Containers can be restricted to limit the amount of resources they can consume from the host.


Field Name | Description
CPU Max % | Maximum CPU allocation. Default is 50%.
Memory Max (MB) | Hard limit for RAM allocation. Default is 50% of the host’s memory.
Memory High (MB) | Soft limit for RAM allocation. Cannot exceed the hard limit. Default is 45% of the host’s memory.
IO Max Read (B/s) | Maximum allowed bytes per second of IO reads. Disabled by default.
IO Max Write (B/s) | Maximum allowed bytes per second of IO writes. Disabled by default.
IO Max Read Operations (ops/s) | Maximum allowed IO read operations per second. Disabled by default.
IO Max Write Operations (ops/s) | Maximum allowed IO write operations per second. Disabled by default.
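The constraints this page states for a container's static IP (Overview), its Recurring schedule (Execution Type) and its memory limits (Resource Limits) can be checked before a configuration is saved. The following Python is an added example, not Trustgrid's code; it assumes the configuration is a plain dict and treats a cron expression as the standard five-field form, which the page does not specify.

```python
import ipaddress
import re

# Rules from this page: static IPs must be in 172.18.0.0/16 and not 172.18.1.2;
# Memory High cannot exceed Memory Max (defaults 50% / 45% of host memory).
CONTAINER_NET = ipaddress.ip_network("172.18.0.0/16")
RESERVED_IP = ipaddress.ip_address("172.18.1.2")
RATE_RE = re.compile(r"^rate\((\d+) (minutes?|hours?|days?)\)$")


def check_ip(ip_str):
    """Return None if the static IP is acceptable, otherwise the reason it is not."""
    ip = ipaddress.ip_address(ip_str)
    if ip not in CONTAINER_NET:
        return f"{ip} is outside {CONTAINER_NET}"
    if ip == RESERVED_IP:
        return f"{ip} is reserved by the node"
    return None


def check_schedule(expr):
    """Accept rate(N unit) with N > 0 or, as an assumption, a 5-field cron line."""
    m = RATE_RE.match(expr)
    if m and int(m.group(1)) > 0:
        return None
    if not expr.startswith("rate(") and len(expr.split()) == 5:
        return None
    return f"unrecognised schedule {expr!r}"


def check_memory(host_mb, mem_max_mb=None, mem_high_mb=None):
    """Apply the page's defaults, then enforce soft limit <= hard limit."""
    mem_max = mem_max_mb if mem_max_mb is not None else host_mb * 0.50
    mem_high = mem_high_mb if mem_high_mb is not None else host_mb * 0.45
    if mem_high > mem_max:
        return f"Memory High {mem_high} MB exceeds Memory Max {mem_max} MB"
    return None


def lint(cfg, host_mb):
    """Run all checks over a container config dict and return the findings."""
    findings = []
    if cfg.get("ip") and (r := check_ip(cfg["ip"])):
        findings.append(f"ip: {r}")
    if cfg.get("type") == "recurring" and (r := check_schedule(cfg["schedule"])):
        findings.append(f"schedule: {r}")
    if r := check_memory(host_mb, cfg.get("memory_max_mb"), cfg.get("memory_high_mb")):
        findings.append(f"memory: {r}")
    if cfg.get("privileged"):  # the page recommends capabilities over Privileged
        findings.append("privileged: grant only the Linux capabilities the workload needs")
    return findings
```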

Linux ulimits can be set for each container. Supported ulimits are:

  • CORE
  • DATA
  • FSIZE
  • LOCKS
  • MEMLOCK
  • MSGQUE
  • NICE
  • NOFILE
  • NPROC
  • RSS
  • RTPRIO
  • RTTIME
  • SIGPENDING
  • STACK

Health Check

A health check can be configured to monitor the container’s health. If the health check fails, the container is restarted.


Field Name | Description
Command | The command to run. A non-zero return code indicates a health check failure.
Interval | The frequency (in seconds) at which to run the health check.
Timeout | How long (in seconds) to wait for the health check to complete. A timeout is considered a failure.
Start Period | Grace period (in seconds) during container startup before health checks should start.
Retries | Number of allowed health check failures before marking the container unhealthy.
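How the five fields interact can be seen by replaying a sequence of probe results through them. The following Python is an added example, not Trustgrid's code; it assumes that probes which start inside the Start Period are not counted, that a passing probe resets the failure count, and that the container is restarted once Retries consecutive failures have occurred. The probe timings and results are constructed sample data.

```python
from dataclasses import dataclass


@dataclass
class HealthCheck:
    """The timing fields from this page's Health Check table (seconds / count)."""
    interval: float
    timeout: float
    start_period: float
    retries: int


@dataclass
class Probe:
    """One run of the health check command: start time, exit code and runtime."""
    started_at: float
    exit_code: int
    duration: float


def probe_failed(hc, probe):
    """A non-zero exit code, or running past the Timeout, both count as failure."""
    return probe.exit_code != 0 or probe.duration > hc.timeout


def build_probes(hc, results):
    """Turn constructed (exit_code, duration) pairs into probes run every Interval
    seconds starting at t = Interval (scheduling assumption, not from the page)."""
    return [Probe(hc.interval * (k + 1), code, dur) for k, (code, dur) in enumerate(results)]


def evaluate(hc, probes):
    """Walk the probes in order and return (status, consecutive_failures, restart_at).
    Assumptions: probes started inside the Start Period are ignored, a passing
    probe resets the failure count, and reaching Retries consecutive failures
    marks the container unhealthy, which is the point at which the node restarts it."""
    consecutive = 0
    for p in probes:
        if p.started_at < hc.start_period:
            continue
        if probe_failed(hc, p):
            consecutive += 1
            if consecutive >= hc.retries:
                return "unhealthy", consecutive, p.started_at
        else:
            consecutive = 0
    return "healthy", consecutive, None


# Constructed sample: failures during start-up, one timeout, then a real outage.
SAMPLE_HC = HealthCheck(interval=10, timeout=5, start_period=30, retries=3)
SAMPLE_RESULTS = [(1, 1), (1, 1), (0, 1), (1, 1), (0, 7), (0, 1), (1, 1), (1, 1), (1, 1)]

if __name__ == "__main__":
    print(evaluate(SAMPLE_HC, build_probes(SAMPLE_HC, SAMPLE_RESULTS)))
```

With the sample above, the two failures at 10 s and 20 s fall inside the 30 s Start Period and are ignored, the 7 s probe at 50 s counts as a failure because it exceeds the 5 s Timeout, and the container is marked unhealthy at 90 s after three consecutive failures.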

Linux Capabilities

Linux capabilities can be added to or removed from a container, allowing fine-grained control over kernel-level features and device access.


Logging Configuration

Log files (written when Save Output is enabled) are rotated based on a size threshold.


Field Name | Description
Max File Size (MB) | The maximum size (in MB) of a log file before it is rotated.
Max Files | The maximum number of log files to keep.
