Docker rootless: Difference between revisions
mNo edit summary |
m (Remco moved page It is possible to run docker containers on your computer or use them for teaching. to It is possible to run docker containers on your computer or use them for teaching: Die punt is onhandig) |
(No difference)
| |
Revision as of 11:51, 25 June 2021
We have made it possible to run docker containers rootless now. Ie. as a normal user, without root access (for in depth info see: https://docs.docker.com/engine/security/rootless).
You need to prepare your system:
$ dockerd-rootless-setuptool.sh
By default this will store docker images in ~/.local/share/docker. Unfortunately this does not work correctly with a network mounted homedisk. To solve this you need to find a suitable location on your local disk to store files. Usually /mnt/D is a good location. You set this by editing the data-root in ~/.config/docker/daemon.json. Example:
$ d=/mnt/D/docker; f=~/.config/docker/daemon.json
$ mkdir -p $d
$ echo "$((cat $f || echo {}) | jq '."data-root" = "'$d'"')" > $f
$ systemctl --user restart docker
You can also edit this file with a text editor.
An alternative approach is to store a small ext4 formatted diskimage in your homedir:
$ truncate -s 25G ~/.docker.img $ nfs4_setfacl -a 'A::nobody@rug.nl:X' ~ $ nfs4_setfacl -a 'A::nobody@rug.nl:RWX' ~/.docker.img $ mkfs.ext4 -E root_owner -m0 -L docker ~/.docker.img
Now you need to make sure this disk image is mounted when you login:
$ cat ~/.pam_mount.conf <<EOF <?xml version="1.0" encoding="utf-8" ?> <!DOCTYPE pam_mount SYSTEM "pam_mount.conf.xml.dtd"> <pam_mount> <volume fstype="ext4" mountpoint="~/.local/share/docker" options="async,nosuid,loop,exec,noatime,nodev" path="~/.docker.img" /> </pam_mount> EOF
Then logout and login again (or do ssh 127.0.0.1 exit)
testing docker
$ docker run hello-world $ docker run -it ubuntu bash $ docker run -d -p 8881:8080 inanimate/echo-server
Then check in your browser localhost:8881
Standard docker installation
It is still possible to request a standard docker installation (ie. the docker daemon runs as root).
Personal use:
- just send a message to mailto:lwp@rug.nl stating your intentions - by default you will be able to run any container but will not be able to mount a local path into the container. - these limitations can be lifted on a case by case basis (ie. we have to know about it)