Docker rootless: Difference between revisions

From LWP-Wiki
Latest revision as of 16:18, 1 March 2023


We have now made it possible to run docker containers rootless, i.e. as a normal user without root access (for in-depth information see: https://docs.docker.com/engine/security/rootless).

You need to prepare your system. Follow the instructions given by:

 $ dockerd-rootless-setuptool.sh

By default this will store docker images in ~/.local/share/docker. Unfortunately this does not work correctly with a network-mounted home disk. There are two ways of resolving this; use only one of them, because they conflict with each other.

Solution 1

To solve this you need to find a suitable location on your local disk to store the files. Usually /mnt/D/<subdir> or /var/tmp/<subdir> are good choices. You set this by editing the data-root in ~/.config/docker/daemon.json. That file and its directory may not (yet) exist. Example:

 $ [ -d ~/.config/docker ] || mkdir -p ~/.config/docker
 $ edit ~/.config/docker/daemon.json to contain:
 {
   "data-root": "/mnt/D/<subdir>"
 }
 $ systemctl --user restart docker
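An added example (not part of the wiki page) that performs the same edit programmatically: it merges data-root into an existing daemon.json instead of overwriting other keys, and refuses a data-root that sits on a network filesystem by checking a /proc/mounts-style listing. SAMPLE_MOUNTS and the paths used are constructed assumptions.

```python
"""Added example, not from the LWP wiki page: merge "data-root" into the rootless
daemon.json while keeping other keys, and refuse a path on a network filesystem."""
import json
import os
from pathlib import Path

NETWORK_FS = {"nfs", "nfs4", "cifs", "smb3", "fuse.sshfs", "afs", "9p"}

# Constructed /proc/mounts-style sample: NFS home, local ext4 disk under /mnt/D.
SAMPLE_MOUNTS = """\
nfs-server:/home /home nfs4 rw,relatime 0 0
/dev/sda2 /mnt/D ext4 rw,relatime 0 0
/dev/sda1 / ext4 rw,relatime 0 0
"""

def fs_type_for(path: str, mounts_text: str) -> str:
    """Filesystem type of the longest mount point that is a prefix of path."""
    path = os.path.abspath(path)
    best_mp, best_type = "", "unknown"
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue
        mp, fstype = fields[1], fields[2]
        under = path == mp or path.startswith(mp.rstrip("/") + "/")
        if under and len(mp) > len(best_mp):
            best_mp, best_type = mp, fstype
    return best_type

def is_local_path(path: str, mounts_text: str) -> bool:
    """True when the path is not on a network filesystem (usable as data-root)."""
    return fs_type_for(path, mounts_text) not in NETWORK_FS

def set_data_root(daemon_json: Path, data_root: str, mounts_text: str) -> dict:
    """Create or update daemon.json, keeping existing keys; returns the new config."""
    if not is_local_path(data_root, mounts_text):
        raise ValueError(f"{data_root} is on a network mount; choose a local disk")
    daemon_json.parent.mkdir(parents=True, exist_ok=True)
    config = json.loads(daemon_json.read_text()) if daemon_json.exists() else {}
    config["data-root"] = data_root
    daemon_json.write_text(json.dumps(config, indent=2) + "\n")
    return config

def demo() -> dict:
    import tempfile  # throwaway directory so the example touches no real config
    with tempfile.TemporaryDirectory() as tmp:
        cfg = Path(tmp) / "daemon.json"
        cfg.write_text('{"log-level": "debug"}\n')  # pre-existing key to preserve
        return set_data_root(cfg, "/mnt/D/docker", SAMPLE_MOUNTS)
```

After writing the real file, restart the user daemon as the page shows and confirm the new location with docker info.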


Solution 2

An alternative approach (make sure to remove ~/.config/docker/daemon.json when you do this!) is to store a small ext4-formatted disk image in your home directory and make it mountable:

 $ truncate -s 25G ~/.docker.img
 $ nfs4_setfacl -a 'A::nobody@rug.nl:X' ~
 $ nfs4_setfacl -a 'A::nobody@rug.nl:RWX' ~/.docker.img
 $ mkfs.ext4 -E root_owner -m0 -L docker ~/.docker.img
 $ chmod 755 ~/.local/share
 $ nfs4_setfacl -a 'A::nobody@rug.nl:X' ~/.local ~/.local/share

Now you need to make sure this disk image is mounted when you login. For that you need to edit ~/.pam_mount.conf.xml to contain:

 <?xml version="1.0" encoding="utf-8" ?>
 <!DOCTYPE pam_mount SYSTEM "pam_mount.conf.xml.dtd">
 <pam_mount>
   <volume fstype="ext4" mountpoint="~/.local/share/docker" options="async,nosuid,loop,exec,noatime,nodev" path="~/.docker.img" />
 </pam_mount>

Then log out and log in again (or run ssh 127.0.0.1 exit).
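An added check (not from the wiki page) for the pam_mount volume entry above: it parses the XML and reports when the loop, nosuid or nodev options, the ext4 fstype, or the in-home image path have been lost in an edit. The sample XML is a constructed copy of the configuration shown.

```python
"""Added example, not from the LWP wiki page: check the docker <volume> entry in
~/.pam_mount.conf.xml so an edit does not silently drop nosuid/nodev or move the
image outside the home directory."""
import xml.etree.ElementTree as ET

# Constructed sample with the same content as the page's ~/.pam_mount.conf.xml.
SAMPLE_PAM_MOUNT = """<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE pam_mount SYSTEM "pam_mount.conf.xml.dtd">
<pam_mount>
  <volume fstype="ext4" mountpoint="~/.local/share/docker"
          options="async,nosuid,loop,exec,noatime,nodev" path="~/.docker.img" />
</pam_mount>
"""

REQUIRED_OPTIONS = {"loop", "nosuid", "nodev"}  # the image's contents are user-writable
EXPECTED_MOUNTPOINT = "~/.local/share/docker"   # rootless docker's default data dir

def check_docker_volume(xml_text: str) -> list[str]:
    """Return the problems found; an empty list means the entry matches the page."""
    problems = []
    root = ET.fromstring(xml_text)
    volumes = [v for v in root.iter("volume")
               if v.get("mountpoint") == EXPECTED_MOUNTPOINT]
    if not volumes:
        return [f"no <volume> mounted at {EXPECTED_MOUNTPOINT}"]
    for vol in volumes:
        opts = set(filter(None, vol.get("options", "").split(",")))
        missing = REQUIRED_OPTIONS - opts
        if missing:
            problems.append(f"missing mount options: {','.join(sorted(missing))}")
        if vol.get("fstype") != "ext4":
            problems.append(f"unexpected fstype {vol.get('fstype')!r}")
        path = vol.get("path", "")
        if not path.startswith("~/"):
            problems.append(f"image path {path!r} is not inside the home directory")
    return problems
```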

testing docker

$ docker run hello-world
$ docker run -it ubuntu bash
$ docker run -d -p 8881:8080 inanimate/echo-server

Then open localhost:8881 in your browser.

Standard docker installation

It is still possible to request a standard docker installation (i.e. the docker daemon runs as root) for your personal LWP (i.e. not for any shared system such as the systems in the computer labs or https://vlwp.rug.nl).

Personal use:

- just send a message to mailto:lwp@rug.nl stating your intentions
- by default you will be able to run any container, but you will not be able to mount a local path into the container.
- these limitations can be lifted on a case-by-case basis (i.e. we have to know about it)