Docker rootless

From LWP-Wiki
Revision as of 14:44, 28 June 2021 by Chris (talk | contribs)
Jump to navigation Jump to search


We have made it possible to run docker containers rootless now. Ie. as a normal user, without root access (for in depth info see: https://docs.docker.com/engine/security/rootless).

You need to prepare your system:

 $ dockerd-rootless-setuptool.sh

By default this will store docker images in ~/.local/share/docker. Unfortunately this does not work correctly with a network mounted homedisk. To solve this you need to find a suitable location on your local disk to store files. Usually /mnt/D is a good location. You set this by editing the data-root in ~/.config/docker/daemon.json. Example:

 $ d=/mnt/D/docker; f=~/.config/docker/daemon.json
 $ mkdir -p $d
 $ echo "$((cat $f || echo {}) | jq '."data-root" = "'$d'"')" > $f
 $ systemctl --user restart docker

You can also edit this file with a text editor.

An alternative approach is to store a small ext4 formatted diskimage in your homedir:

 $ truncate -s 25G ~/.docker.img
 $ nfs4_setfacl -a 'A::nobody@rug.nl:X' ~
 $ nfs4_setfacl -a 'A::nobody@rug.nl:RWX' ~/.docker.img 
 $ mkfs.ext4 -E root_owner -m0 -L docker ~/.docker.img

Now you need to make sure this disk image is mounted when you login:

 $ cat ~/.pam_mount.conf <<EOF
 <?xml version="1.0" encoding="utf-8" ?>
 <!DOCTYPE pam_mount SYSTEM "pam_mount.conf.xml.dtd">
 <pam_mount>
   <volume fstype="ext4" mountpoint="~/.local/share/docker" options="async,nosuid,loop,exec,noatime,nodev" path="~/.docker.img" />
 </pam_mount>
 EOF

Then logout and login again (or do ssh 127.0.0.1 exit)

testing docker

$ docker run hello-world
$ docker run -it ubuntu bash
$ docker run -d -p 8881:8080 inanimate/echo-server

Then check in your browser localhost:8881

Standard docker installation

It is still possible to request a standard docker installation (ie. the docker daemon runs as root).

Personal use:

- just send a message to mailto:lwp@rug.nl stating your intentions
- by default you will be able to run any container but will not be able to mount a local path into the container.
- these limitations can be lifted on a case by case basis (ie. we have to know about it)