Docker rootless
Revision as of 15:05, 28 April 2022
We have made it possible to run docker containers rootless now, i.e. as a normal user, without root access (for in-depth information see https://docs.docker.com/engine/security/rootless).
You need to prepare your system:
$ dockerd-rootless-setuptool.sh
By default this will store docker images in ~/.local/share/docker. Unfortunately this does not work correctly with a network-mounted home disk. There are two ways of resolving this, but use only one of them, because they conflict with each other.
Solution 1
To solve this you need to find a suitable location on your local disk to store files. Usually /mnt/D is a good location. You set this by editing the data-root key in ~/.config/docker/daemon.json. Example:
$ d=/mnt/D/docker; f=~/.config/docker/daemon.json
$ mkdir -p $d $(dirname $f)
$ echo "$( (cat $f 2>/dev/null || echo {}) | jq --arg d "$d" '."data-root" = $d')" > $f
$ systemctl --user restart docker
You can also edit this file with a text editor.
Solution 2
An alternative approach is to store a small ext4-formatted disk image in your home directory. The image is mounted by root at login, and the NFS server maps root to nobody, which is why nobody@rug.nl needs traverse access to your home directory and read/write access to the image:
$ truncate -s 25G ~/.docker.img
$ nfs4_setfacl -a 'A::nobody@rug.nl:X' ~
$ nfs4_setfacl -a 'A::nobody@rug.nl:RWX' ~/.docker.img
$ mkfs.ext4 -E root_owner -m0 -L docker ~/.docker.img
$ chmod 755 ~/.local/share
Now you need to make sure this disk image is mounted when you log in (note the > redirection: without it cat would only print the existing file instead of writing the configuration):
$ cat > ~/.pam_mount.conf.xml <<EOF
<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE pam_mount SYSTEM "pam_mount.conf.xml.dtd">
<pam_mount>
<volume fstype="ext4" mountpoint="~/.local/share/docker" options="async,nosuid,loop,exec,noatime,nodev" path="~/.docker.img" />
</pam_mount>
EOF
Then log out and log in again (or run ssh 127.0.0.1 exit, which goes through the same PAM session hook and mounts the image).
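Whichever solution you picked, the thing worth verifying afterwards is that the data-root really is backed by a local filesystem and, for Solution 2, that the loop mount kept its nosuid,nodev options. The script below is an added example, not part of the wiki page; it reads a daemon.json and a /proc/self/mounts-style table (constructed sample data with the hypothetical user alice stands in for both) and prints a verdict.

```shell
#!/bin/sh
# Added example (not from the wiki page): check where the rootless docker
# data-root really lives, since both solutions above only help if it ends up
# on a local filesystem rather than the NFS-mounted home directory.

data_root() {  # $1 = daemon.json path, $2 = default when the key or file is absent
    r=$(sed -n 's/.*"data-root"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$1" 2>/dev/null || true)
    printf '%s\n' "${r:-$2}"
}
# Longest-prefix match of a directory against a /proc/self/mounts-style table;
# prints "<source> <fstype> <options>" of the mount backing the directory.
backing_mount() {  # $1 = directory, $2 = mounts file
    awk -v dir="$1" '
        { mp = $2; pre = (mp == "/") ? "/" : mp "/"
          if ((dir == mp || index(dir "/", pre) == 1) && length(mp) >= best) {
              best = length(mp); src = $1; fs = $3; opt = $4 } }
        END { print src, fs, opt }' "$2"
}
has_opt() {  # $1 = comma-separated mount options, $2 = option to look for
    case ",$1," in *,"$2",*) return 0;; esac; return 1
}
# network-fs (unsupported), loop-ok / loop-missing-opts (Solution 2: the loop
# mount must keep nosuid,nodev), local (Solution 1) or unknown.
storage_verdict() {  # $1 = daemon.json, $2 = default data-root, $3 = mounts file
    dir=$(data_root "$1" "$2")
    set -- $(backing_mount "$dir" "$3")
    src=$1; fs=$2; opts=$3
    [ -n "$fs" ] || { echo unknown; return; }
    case "$fs" in nfs|nfs4|cifs) echo network-fs; return;; esac
    case "$src" in
        /dev/loop*) if has_opt "$opts" nosuid && has_opt "$opts" nodev
                    then echo loop-ok; else echo loop-missing-opts; fi;;
        *) echo local;;
    esac
}

# Constructed sample inputs standing in for daemon.json and /proc/self/mounts.
demo() {
    t=$(mktemp -d); h=/home/alice/.local/share/docker
    printf '{"data-root": "/mnt/D/docker"}\n' > "$t/daemon.json"
    printf '%s\n' '/dev/sda1 / ext4 rw,relatime 0 0' \
        'fileserver:/home /home nfs4 rw,relatime,vers=4.2 0 0' \
        '/dev/sdb1 /mnt/D ext4 rw,relatime 0 0' > "$t/mounts"
    storage_verdict /nonexistent "$h" "$t/mounts"       # network-fs (default location)
    storage_verdict "$t/daemon.json" "$h" "$t/mounts"   # local (Solution 1)
    echo "/dev/loop0 $h ext4 rw,nosuid,nodev,noatime 0 0" >> "$t/mounts"
    storage_verdict /nonexistent "$h" "$t/mounts"       # loop-ok (Solution 2)
    rm -rf "$t"
}
demo
```

On a real system run storage_verdict ~/.config/docker/daemon.json ~/.local/share/docker /proc/self/mounts; anything other than local or loop-ok means the setup above did not take effect.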
Testing docker
$ docker run hello-world
$ docker run -it ubuntu bash
$ docker run -d -p 8881:8080 inanimate/echo-server
Then open http://localhost:8881 in your browser.
Standard docker installation
It is still possible to request a standard docker installation (i.e. the docker daemon runs as root) for your personal LWP (i.e. not for any shared system such as the systems in the computer labs or https://vlwp.rug.nl).
Personal use:
- just send a message to mailto:lwp@rug.nl stating your intentions
- by default you will be able to run any container but will not be able to mount a local path into the container
- these limitations can be lifted on a case by case basis (i.e. we have to know about it)