Docker rootless: Difference between revisions
m (Remco moved page It is possible to run docker containers on your computer or use them for teaching. to It is possible to run docker containers on your computer or use them for teaching: That full stop is awkward)
m No edit summary
(9 intermediate revisions by 3 users not shown)
Revision as of 11:25, 30 September 2022
We have made it possible to run docker containers rootless now, i.e. as a normal user, without root access (for in-depth information see: https://docs.docker.com/engine/security/rootless).
You need to prepare your system:
$ dockerd-rootless-setuptool.sh
By default this will store docker images in ~/.local/share/docker. Unfortunately this does not work correctly with a network-mounted home disk. There are two ways of resolving this, but use only one of them, because they conflict with each other.
Solution 1
To solve this you need to find a suitable location on your local disk to store files. Usually /mnt/D/<subdir> or /var/tmp/<subdir> are good choices. You set this by editing the data-root in ~/.config/docker/daemon.json. Example:
$ edit ~/.config/docker/daemon.json to contain:
{
  "data-root": "/mnt/D/<subdir>"
}
$ systemctl --user restart docker
Solution 2
An alternative approach (make sure to remove ~/.config/docker/daemon.json when you do this!) is to store a small ext4-formatted disk image in your home directory and make it mountable:
$ truncate -s 25G ~/.docker.img
$ nfs4_setfacl -a 'A::nobody@rug.nl:X' ~
$ nfs4_setfacl -a 'A::nobody@rug.nl:RWX' ~/.docker.img
$ mkfs.ext4 -E root_owner -m0 -L docker ~/.docker.img
$ chmod 755 ~/.local/share
Now you need to make sure this disk image is mounted when you log in. For that you need to edit ~/.pam_mount.conf.xml to contain:
<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE pam_mount SYSTEM "pam_mount.conf.xml.dtd">
<pam_mount>
<volume fstype="ext4" mountpoint="~/.local/share/docker" options="async,nosuid,loop,exec,noatime,nodev" path="~/.docker.img" />
</pam_mount>
Then log out and log in again (or do ssh 127.0.0.1 exit)
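Because the two solutions above must not be combined, a small POSIX shell check is useful before restarting docker. The script below is an added example, not part of the wiki page or any RUG tooling: it reports which solution is configured (reading ~/.config/docker/daemon.json and ~/.pam_mount.conf.xml, the paths used above), flags the conflicting case where both are present, and shows the file-system type of the storage location so an NFS-backed location is visible. The file paths are parameters so the functions can also be run against constructed sample files.

```shell
#!/bin/sh
# Added example (not from the wiki page): check which of the two rootless
# docker storage solutions is configured and flag the conflicting case
# (both at once) that the page warns about. Paths are parameters so the
# functions can be run against constructed sample files as well.

# Print the data-root set in a daemon.json, or nothing if unset/missing.
daemon_data_root() {
    [ -r "$1" ] || return 0
    sed -n 's/.*"data-root"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$1"
}

# Succeed if the pam_mount config mounts a volume on the docker data dir.
pam_mount_has_docker_volume() {
    [ -r "$1" ] && grep -q 'mountpoint="~/.local/share/docker"' "$1"
}

# File-system type holding a path (GNU stat); "nfs" means the page's
# warning about a network-mounted home disk applies to that location.
fstype_of() {
    stat -f -c %T "$1" 2>/dev/null || echo unknown
}

# Classify the setup as solution1, solution2, none or conflict.
classify_docker_storage() {
    root=$(daemon_data_root "$1")
    if pam_mount_has_docker_volume "$2"; then
        if [ -n "$root" ]; then echo conflict; else echo solution2; fi
    elif [ -n "$root" ]; then
        echo solution1
    else
        echo none
    fi
}

# Read-only run against the per-user paths used on the page.
setup=$(classify_docker_storage "$HOME/.config/docker/daemon.json" \
                                "$HOME/.pam_mount.conf.xml")
echo "docker storage setup: $setup"
case $setup in
    solution1) loc=$(daemon_data_root "$HOME/.config/docker/daemon.json") ;;
    solution2) loc=$HOME/.local/share/docker ;;
    *)         loc=$HOME/.local/share ;;
esac
echo "storage location $loc is on: $(fstype_of "$loc")"
```

A result of "conflict" means daemon.json still sets a data-root while pam_mount also mounts the image on ~/.local/share/docker, which is exactly the combination the page says to avoid.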
Testing docker
$ docker run hello-world
$ docker run -it ubuntu bash
$ docker run -d -p 8881:8080 inanimate/echo-server
Then open localhost:8881 in your browser.
Standard docker installation
It is still possible to request a standard docker installation (i.e. the docker daemon runs as root) for your personal LWP (i.e. not for any shared system such as the systems in the computer labs or https://vlwp.rug.nl).
Personal use:
- just send a message to mailto:lwp@rug.nl stating your intentions
- by default you will be able to run any container but will not be able to mount a local path into the container.
- these limitations can be lifted on a case-by-case basis (i.e. we have to know about it)