Docker rootless: Difference between revisions
[[Category:Docker-faq]]
We have now made it possible to run docker containers rootless, i.e. as a normal user without root access (for in-depth information see https://docs.docker.com/engine/security/rootless).
You need to prepare your system:
$ dockerd-rootless-setuptool.sh install
By default this stores docker images in <kbd>~/.local/share/docker</kbd>. Unfortunately this does not work correctly on a network-mounted home directory. To solve this you need to find a suitable location on local disk to store the files. Usually <kbd>/mnt/D</kbd> is a good location.
You set this by editing <kbd>data-root</kbd> in <kbd>~/.config/docker/daemon.json</kbd>. Example (the config directory is created in case it does not exist yet, and an empty object is used when there is no daemon.json to start from):
$ mkdir -p /mnt/D/docker ~/.config/docker
$ f=~/.config/docker/daemon.json
$ echo "$( (cat "$f" 2>/dev/null || echo '{}') | jq '."data-root" = "/mnt/D/docker"')" > "$f"
$ systemctl --user restart docker
You can also edit the file with a text editor.
An alternative approach is to store a small ext4-formatted disk image in your home directory:
$ truncate -s 25G ~/.docker.img
$ nfs4_setfacl -a 'A::nobody@rug.nl:X' ~
$ nfs4_setfacl -a 'A::nobody@rug.nl:RWX' ~/.docker.img
$ mkfs.ext4 -E root_owner -m0 -L docker ~/.docker.img
Now you need to make sure this disk image is mounted when you log in (note the <kbd>></kbd>: the heredoc is written to the file, not read from it):
$ cat > ~/.pam_mount.conf <<EOF
<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE pam_mount SYSTEM "pam_mount.conf.xml.dtd">
<pam_mount>
<volume fstype="ext4" mountpoint="~/.local/share/docker" options="async,nosuid,loop,exec,noatime,nodev" path="~/.docker.img" />
</pam_mount>
EOF
Then log out and log in again.
=== testing docker ===
$ docker run hello-world
$ docker run -it ubuntu bash
$ docker run -d -p 8881:8080 inanimate/echo-server
Then open <kbd>localhost:8881</kbd> in your browser.
== Standard docker installation ==
It is still possible to request a standard docker installation (i.e. the docker daemon runs as root).
=== Personal use: ===
- just send a message to mailto:lwp@rug.nl stating your intentions
- by default you will be able to run any container but will not be able to mount a local path into the container.
- these limitations can be lifted on a case by case basis (i.e. we have to know about it)
Revision as of 13:28, 10 June 2021