Docker rootless: Difference between revisions

From LWP-Wiki
Revision as of 10:25, 30 September 2022


We have made it possible to run docker containers rootless, i.e. as a normal user without root access (for in-depth information see https://docs.docker.com/engine/security/rootless).

You need to prepare your system:

 $ dockerd-rootless-setuptool.sh

By default this stores docker images in ~/.local/share/docker. Unfortunately that does not work correctly on a network-mounted home disk. There are two ways of resolving this; use only one of them, because they conflict with each other.

Solution 1

To solve this you need to find a suitable location on your local disk to store the docker files. Usually /mnt/D/<subdir> or /var/tmp/<subdir> are good choices. You set this with the "data-root" key in ~/.config/docker/daemon.json. Example:

Edit ~/.config/docker/daemon.json to contain:

 {
   "data-root": "/mnt/D/<subdir>"
 }

Then restart the rootless daemon:

 $ systemctl --user restart docker


Solution 2

An alternative approach (make sure to remove ~/.config/docker/daemon.json when you do this!) is to store a small ext4-formatted disk image in your home directory and make it mountable:

 $ truncate -s 25G ~/.docker.img
 $ nfs4_setfacl -a 'A::nobody@rug.nl:X' ~
 $ nfs4_setfacl -a 'A::nobody@rug.nl:RWX' ~/.docker.img
 $ mkfs.ext4 -E root_owner -m0 -L docker ~/.docker.img
 $ chmod 755 ~/.local/share

Now you need to make sure this disk image is mounted when you login. For that you need to edit ~/.pam_mount.conf.xml to contain:

 <?xml version="1.0" encoding="utf-8" ?>
 <!DOCTYPE pam_mount SYSTEM "pam_mount.conf.xml.dtd">
 <pam_mount>
   <volume fstype="ext4" mountpoint="~/.local/share/docker" options="async,nosuid,loop,exec,noatime,nodev" path="~/.docker.img" />
 </pam_mount>

Then log out and log in again (or run ssh 127.0.0.1 exit, which also goes through the PAM login and mounts the image).
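Because Solution 1 and Solution 2 conflict, it is easy to end up with both ~/.config/docker/daemon.json and a pam_mount volume configured. The following shell function is an added example, not part of the wiki page, that checks exactly one of the two is present and, for Solution 1, warns when the data-root still lives on an NFS filesystem (the situation the page says does not work). The file paths default to the locations used above; the exit codes are an assumption of this example.

```shell
#!/bin/sh
# Added example (not from the LWP wiki): verify that exactly one of the two
# rootless-docker storage solutions is configured.
# Return codes (chosen for this example): 0 = exactly one solution configured,
# 2 = both configured (conflict), 3 = neither, 4 = data-root is on NFS.
docker_storage_check() {
    daemon_json="${1:-$HOME/.config/docker/daemon.json}"
    pam_xml="${2:-$HOME/.pam_mount.conf.xml}"
    has_data_root=0
    has_pam_volume=0

    # Solution 1: a "data-root" key in daemon.json
    if [ -f "$daemon_json" ] && grep -q '"data-root"' "$daemon_json"; then
        has_data_root=1
    fi
    # Solution 2: a pam_mount volume mounted on ~/.local/share/docker
    if [ -f "$pam_xml" ] && grep -q 'mountpoint="[^"]*\.local/share/docker"' "$pam_xml"; then
        has_pam_volume=1
    fi

    case "$has_data_root$has_pam_volume" in
        11) echo "conflict: both a daemon.json data-root and a pam_mount volume are configured; remove one" >&2
            return 2 ;;
        00) echo "neither solution configured; docker would use ~/.local/share/docker on the home disk" >&2
            return 3 ;;
        01) echo "ok: pam_mount volume configured in $pam_xml (solution 2)"
            return 0 ;;
    esac

    # Solution 1 only: extract the data-root value and check the filesystem
    # type of the nearest existing directory on that path (GNU stat -f).
    data_root=$(sed -n 's/.*"data-root"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$daemon_json")
    dir="$data_root"
    while [ -n "$dir" ] && [ ! -d "$dir" ] && [ "$dir" != "/" ]; do
        dir=$(dirname "$dir")
    done
    fstype=$(stat -f -c %T "$dir" 2>/dev/null || echo unknown)
    case "$fstype" in
        nfs*) echo "warning: data-root $data_root is on $fstype, which does not work for rootless docker" >&2
              return 4 ;;
    esac
    echo "ok: data-root $data_root on $fstype (solution 1)"
    return 0
}
# Usage: docker_storage_check            (checks the default locations)
#        docker_storage_check /path/daemon.json /path/pam_mount.conf.xml
```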

Testing docker

 $ docker run hello-world
 $ docker run -it ubuntu bash
 $ docker run -d -p 8881:8080 inanimate/echo-server

Then open http://localhost:8881 in your browser.

Standard docker installation

It is still possible to request a standard docker installation (i.e. the docker daemon runs as root) for your personal LWP (i.e. not for any shared system such as the systems in the computer labs or https://vlwp.rug.nl).

Personal use:

- just send a message to mailto:lwp@rug.nl stating your intentions
- by default you will be able to run any container, but you will not be able to mount a local path into the container
- these limitations can be lifted on a case-by-case basis (i.e. we have to know about it)