Docker rootless: Difference between revisions
Latest revision as of 16:18, 1 March 2023
We have made it possible to run docker containers rootless now, i.e. as a normal user, without root access (for in-depth information see: https://docs.docker.com/engine/security/rootless).
You need to prepare your system. Follow the instructions given by:
$ dockerd-rootless-setuptool.sh
By default this will store docker images in ~/.local/share/docker. Unfortunately this does not work correctly on a network-mounted home disk. There are two ways of resolving this; use only one of them, because they conflict with each other.
Solution 1
To solve this you need to find a suitable location on your local disk to store files. Usually /mnt/D/<subdir> or /var/tmp/<subdir> are good choices. You set this by editing the data-root in ~/.config/docker/daemon.json. That file and directory may not (yet) exist. Example:
$ [ -d ~/.config/docker ] || mkdir -p ~/.config/docker
$ edit ~/.config/docker/daemon.json to contain:
{
    "data-root": "/mnt/D/<subdir>"
}
$ systemctl --user restart docker
Solution 2
An alternative approach (make sure to remove ~/.config/docker/daemon.json when you do this!) is to store a small ext4-formatted disk image in your home directory and make it mountable. The nfs4_setfacl lines are needed because the loop mount is performed by root during login, and the NFS server maps root to nobody@rug.nl: that identity must be able to traverse your home directory down to the mount point and read/write the image file.
$ truncate -s 25G ~/.docker.img
$ nfs4_setfacl -a 'A::nobody@rug.nl:X' ~
$ nfs4_setfacl -a 'A::nobody@rug.nl:RWX' ~/.docker.img
$ mkfs.ext4 -E root_owner -m0 -L docker ~/.docker.img
$ chmod 755 ~/.local/share
$ nfs4_setfacl -a 'A::nobody@rug.nl:X' ~/.local ~/.local/share
Now you need to make sure this disk image is mounted when you log in. For that, edit ~/.pam_mount.conf.xml to contain:
<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE pam_mount SYSTEM "pam_mount.conf.xml.dtd">
<pam_mount>
    <volume fstype="ext4" mountpoint="~/.local/share/docker" options="async,nosuid,loop,exec,noatime,nodev" path="~/.docker.img" />
</pam_mount>
Then log out and log in again (or run ssh 127.0.0.1 exit, which starts a fresh PAM login session and so triggers the mount).
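Both solutions exist because rootless docker's storage must not end up on the network-mounted home disk. As an added example, not part of the original page, the following shell script checks a candidate data-root against a mount table in /proc/mounts format before you commit it to daemon.json, and renders the Solution 1 daemon.json for a path that passes. The mount table is constructed inline so the script runs offline; point fs_type_of at the real /proc/mounts to check your own machine. The user alice, the paths under /home/alice and /mnt/D/alice, and the server name nfsserver.example.org are made-up values for the example.

```shell
#!/bin/sh
# Added example, not part of the original page: decide whether a candidate docker
# data-root is on a local filesystem by looking up the mount that holds it in a
# /proc/mounts-style table (device mountpoint fstype options dump pass).
set -e

# Constructed sample mount table: an NFS-mounted /home, a local /mnt/D, and the
# loop-mounted ~/.docker.img from Solution 2. Use /proc/mounts for a real check.
SAMPLE_MOUNTS=$(mktemp)
trap 'rm -f "$SAMPLE_MOUNTS"' EXIT
cat > "$SAMPLE_MOUNTS" <<'EOF'
/dev/sda1 / ext4 rw,relatime 0 0
nfsserver.example.org:/export/home /home nfs4 rw,relatime,vers=4.2,sec=krb5 0 0
/dev/sdb1 /mnt/D ext4 rw,relatime 0 0
/dev/loop0 /home/alice/.local/share/docker ext4 rw,nosuid,nodev,noatime 0 0
EOF

# fs_type_of PATH MOUNTS_FILE: print the fstype of the mount holding PATH. The
# longest matching mount point wins, so the loop mount inside the NFS home is
# reported as ext4, not nfs4.
fs_type_of() {
    awk -v p="$1" '
        {
            mp = $2
            if (mp == "/" || p == mp || index(p, mp "/") == 1) {
                if (length(mp) > best_len) { best_len = length(mp); best = $3 }
            }
        }
        END { print best }' "$2"
}

# True (exit 0) for filesystem types on which rootless docker storage does not work.
is_network_fs() {
    case "$1" in
        nfs|nfs4|cifs|smb3|fuse.sshfs|9p|afs|ceph|glusterfs) return 0 ;;
        *) return 1 ;;
    esac
}

# data_root_status PATH MOUNTS_FILE: "ok: <fstype>" or "unsuitable: <fstype>".
data_root_status() {
    fstype=$(fs_type_of "$1" "$2")
    if is_network_fs "$fstype"; then
        echo "unsuitable: $fstype"
    else
        echo "ok: $fstype"
    fi
}

# The daemon.json body for Solution 1, for a data-root that passed the check.
render_daemon_json() {
    printf '{\n    "data-root": "%s"\n}\n' "$1"
}

for candidate in /home/alice/docker /mnt/D/alice /var/tmp/alice /home/alice/.local/share/docker; do
    echo "$candidate -> $(data_root_status "$candidate" "$SAMPLE_MOUNTS")"
done
render_daemon_json /mnt/D/alice
```

Run it as-is to see the verdicts for the sample table; to check your own setup, replace "$SAMPLE_MOUNTS" with /proc/mounts and the candidate list with the directory you intend to use. A loop mount inside your home (Solution 2) is correctly reported as local, which is why the two solutions must not be combined: with data-root pointing elsewhere the mounted image would simply go unused.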
Testing docker
$ docker run hello-world
$ docker run -it ubuntu bash
$ docker run -d -p 8881:8080 inanimate/echo-server
Then open http://localhost:8881 in your browser.
Standard docker installation
It is still possible to request a standard docker installation (i.e. the docker daemon runs as root) for your personal LWP (i.e. not for any shared system such as the systems in the computer labs or https://vlwp.rug.nl).
Personal use:
- just send a message to mailto:lwp@rug.nl stating your intentions
- by default you will be able to run any container but will not be able to mount a local path into the container
- these limitations can be lifted on a case-by-case basis (i.e. we have to know about it)