Docker rootless: Difference between revisions
Latest revision as of 16:18, 1 March 2023
We have made it possible to run docker containers rootless now, i.e. as a normal user, without root access (for in-depth information see: https://docs.docker.com/engine/security/rootless).
You need to prepare your system. Follow the instructions given by:
$ dockerd-rootless-setuptool.sh
By default this will store docker images in ~/.local/share/docker. Unfortunately this does not work correctly with a network-mounted home disk. There are two ways of resolving this; use only one of them, because they conflict with each other.
Solution 1
To solve this you need to find a suitable location on your local disk to store files. Usually /mnt/D/<subdir> or /var/tmp/<subdir> are good choices. You set this by editing the data-root in ~/.config/docker/daemon.json. That file and directory may not (yet) exist. Example:
$ [ -d ~/.config/docker ] || mkdir -p ~/.config/docker
$ edit ~/.config/docker/daemon.json to contain:
{
  "data-root": "/mnt/D/<subdir>"
}
$ systemctl --user restart docker
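The Solution 1 steps above as an added example script (not from the wiki page), which also checks that the chosen data-root is on a local filesystem before writing daemon.json, since a network-mounted location is exactly what the page says breaks rootless docker. It assumes GNU/Linux with coreutils stat; the config directory and data-root are parameters, and the /mnt/D/$USER subdirectory used in the --apply branch is an assumption.

```shell
#!/bin/sh
# Added example, not from the wiki page: set up Solution 1 (a local data-root
# for rootless Docker) with a guard against a network-mounted directory.
# Assumes GNU/Linux with coreutils `stat`. CFGDIR and DATAROOT are parameters
# so the functions can be exercised on scratch paths.

# Filesystem type behind a path as reported by GNU stat, e.g. "nfs", "ext2/ext3".
fs_type() {
    stat -f -c %T "$1"
}

# Succeeds (0) for local filesystems, fails (1) for the network types that
# break Docker's data-root (the page's reason for moving it off the home disk).
is_local_fs() {
    case "$(fs_type "$1")" in
        nfs|nfsd|cifs|smb|smb2|fuse.sshfs|afs) return 1 ;;
        *) return 0 ;;
    esac
}

# Create the config directory and write daemon.json pointing data-root at DATAROOT.
# Refuses to write if DATAROOT lives on a network filesystem.
write_daemon_json() {
    cfgdir=$1
    dataroot=$2
    mkdir -p "$dataroot" || return 1
    if ! is_local_fs "$dataroot"; then
        echo "refusing: $dataroot is on a network filesystem ($(fs_type "$dataroot"))" >&2
        return 1
    fi
    mkdir -p "$cfgdir" || return 1
    printf '{\n  "data-root": "%s"\n}\n' "$dataroot" > "$cfgdir/daemon.json"
}

# Read the data-root value back out of an existing daemon.json (prints it).
configured_data_root() {
    sed -n 's/.*"data-root": *"\([^"]*\)".*/\1/p' "$1/daemon.json"
}

# Stand-alone usage: the page's real locations (subdirectory /mnt/D/$USER is an
# assumption), then restart the user-level daemon as the page instructs.
if [ "${1:-}" = "--apply" ]; then
    write_daemon_json "$HOME/.config/docker" "/mnt/D/$USER" \
        && systemctl --user restart docker
fi
```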
Solution 2
An alternative approach (make sure to remove ~/.config/docker/daemon.json when you do this!) is to store a small ext4-formatted disk image in your home directory and make it mountable:
$ truncate -s 25G ~/.docker.img
$ nfs4_setfacl -a 'A::nobody@rug.nl:X' ~
$ nfs4_setfacl -a 'A::nobody@rug.nl:RWX' ~/.docker.img
$ mkfs.ext4 -E root_owner -m0 -L docker ~/.docker.img
$ chmod 755 ~/.local/share
$ nfs4_setfacl -a 'A::nobody@rug.nl:X' ~/.local ~/.local/share
Now you need to make sure this disk image is mounted when you login. For that you need to edit ~/.pam_mount.conf.xml to contain:
<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE pam_mount SYSTEM "pam_mount.conf.xml.dtd">
<pam_mount>
<volume fstype="ext4" mountpoint="~/.local/share/docker" options="async,nosuid,loop,exec,noatime,nodev" path="~/.docker.img" />
</pam_mount>
Then log out and log in again (or run ssh 127.0.0.1 exit).
Testing docker
$ docker run hello-world
$ docker run -it ubuntu bash
$ docker run -d -p 8881:8080 inanimate/echo-server
Then open localhost:8881 in your browser.
Standard docker installation
It is still possible to request a standard docker installation (i.e. the docker daemon runs as root) for your personal LWP (i.e. not for any shared system such as systems in the computer labs or https://vlwp.rug.nl).
Personal use:
- just send a message to mailto:lwp@rug.nl stating your intentions
- by default you will be able to run any container but will not be able to mount a local path into the container
- these limitations can be lifted on a case-by-case basis (i.e. we have to know about it)