docker-library / docker

Docker Official Image packaging for Docker
Apache License 2.0

Unable to run dind-rootless with a non-root user id #414

Closed chatter92 closed 1 year ago

chatter92 commented 1 year ago

Hi, I am trying to run a multi-process container which has the docker daemon and jupyter lab running as processes inside it. For this, I am using s6-overlay to run jupyterlab as a service and specifying the dockerd-entrypoint.sh as the executable command. My Dockerfile looks like this:

FROM docker:dind-rootless

RUN apk add --no-cache python3-dev py3-pip coreutils

ARG CONDA_VERSION="py39_4.12.0"
ARG CONDA_SHA256="78f39f9bae971ec1ae7969f0516017f2413f17796670f7040725dd83fcff5689"
ARG CONDA_DIR="/opt/conda"

ENV PATH="$CONDA_DIR/bin:$PATH"
ENV PYTHONDONTWRITEBYTECODE=1
# Install conda
RUN echo "**** install dev packages ****" && \
    apk add --no-cache --virtual .build-dependencies bash ca-certificates wget && \
    \
    echo "**** get Miniconda ****" && \
    mkdir -p "$CONDA_DIR" && \
    wget "http://repo.continuum.io/miniconda/Miniconda3-${CONDA_VERSION}-Linux-x86_64.sh" -O miniconda.sh && \
    echo "$CONDA_SHA256  miniconda.sh" | sha256sum -c && \
    \
    echo "**** install Miniconda ****" && \
    bash miniconda.sh -f -b -p "$CONDA_DIR" && \
    echo "export PATH=$CONDA_DIR/bin:\$PATH" > /etc/profile.d/conda.sh && \
    \
    echo "**** setup Miniconda ****" && \
    conda update --all --yes && \
    conda config --set auto_update_conda False && \
    \
    echo "**** cleanup ****" && \
    apk del --purge .build-dependencies && \
    rm -f miniconda.sh && \
    conda clean --all --force-pkgs-dirs --yes && \
    find "$CONDA_DIR" -follow -type f \( -iname '*.a' -o -iname '*.pyc' -o -iname '*.js.map' \) -delete && \
    \
    echo "**** finalize ****" && \
    mkdir -p "$CONDA_DIR/locks" && \
    chmod 777 "$CONDA_DIR/locks"

RUN conda install -c conda-forge jupyterlab -y

ARG S6_OVERLAY_VERSION=3.1.4.1

ADD https://github.com/just-containers/s6-overlay/releases/download/v${S6_OVERLAY_VERSION}/s6-overlay-noarch.tar.xz /tmp
RUN tar -C / -Jxpf /tmp/s6-overlay-noarch.tar.xz
ADD https://github.com/just-containers/s6-overlay/releases/download/v${S6_OVERLAY_VERSION}/s6-overlay-x86_64.tar.xz /tmp
RUN tar -C / -Jxpf /tmp/s6-overlay-x86_64.tar.xz

RUN mkdir -p /etc/services.d/jupyter
COPY jupyter.sh  /etc/services.d/jupyter/run

ENTRYPOINT ["/init"]

CMD /usr/local/bin/dockerd-entrypoint.sh

I also added entries in the subuid and subgid files following the advice from this page.

However, when I try to run the container with a UID, I get the following error:

Device "ip_tables" does not exist.
modprobe: can't change directory to '/lib/modules': No such file or directory
/usr/local/bin/dockerd-entrypoint.sh: line 169: HOME: parameter not set

Can someone please point out what I did wrong?

chatter92 commented 1 year ago

I am also unable to run the dind-rootless base image with a user id. I tried running docker run --privileged --name dind -u <UID>:<GID> docker:dind-rootless and I got the following error:

Device "ip_tables" does not exist.
modprobe: can't change directory to '/lib/modules': No such file or directory
error: attempting to run rootless dockerd but missing necessary entries in /etc/subuid and/or /etc/subgid for 1019

I then added entries to the subuid and subgid files following the instructions here. Again, I tried to run as a user and got the following error:

docker run --privileged --name dind -u 1019:1015

Device "ip_tables" does not exist.
modprobe: can't change directory to '/lib/modules': No such file or directory
[rootlesskit:parent] error: failed to setup UID/GID map: newuidmap 66 [0 1019 1 1 66781184 65536 65537 66781184 65536] failed: newuidmap: Target process 66 is owned by a different user: uid:1019 pw_uid:1019 st_uid:1019, gid:1015 pw_gid:1019 st_gid:1015
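
The newuidmap message quoted above spells out what it compared: the target process's gid (st_gid:1015, from the `-u 1019:1015` flag) against the primary gid recorded in /etc/passwd for uid 1019 (pw_gid:1019). The following preflight script is an added example, not part of the docker-library/docker project or of the issue author's files; it checks the three identity conditions rootless dockerd setup depends on (a passwd entry for the uid, a `-u` gid equal to that entry's primary gid, and subuid/subgid ranges for the user) against constructed sample files. The user name `jupyter` is a placeholder; uid 1019 and the 66781184/65536 range are the values visible in the error message.

```shell
#!/bin/sh
# Added preflight check (not part of the docker-library/docker project or the
# issue author's files). It reports whether a UID:GID pair would pass the
# identity checks that rootless dockerd setup depends on:
#   1. the uid has an /etc/passwd entry,
#   2. the gid passed with -u equals that entry's primary gid (pw_gid), which is
#      what newuidmap compared in the quoted error (pw_gid:1019 vs st_gid:1015),
#   3. /etc/subuid and /etc/subgid carry a range for the user (by name or uid).

# check_rootless_identity UID GID PASSWD SUBUID SUBGID
# Returns 0 when all three conditions hold, 1 otherwise, printing the first failure.
check_rootless_identity() {
  uid=$1 gid=$2 passwd=$3 subuid=$4 subgid=$5

  # Condition 1: a passwd entry whose third field is the uid.
  entry=$(awk -F: -v u="$uid" '$3 == u { print; exit }' "$passwd")
  if [ -z "$entry" ]; then
    echo "FAIL: uid $uid has no entry in $passwd"
    return 1
  fi
  name=${entry%%:*}
  pw_gid=$(printf '%s\n' "$entry" | cut -d: -f4)

  # Condition 2: the gid given to -u must be the entry's primary gid.
  if [ "$pw_gid" != "$gid" ]; then
    echo "FAIL: -u gid $gid differs from primary gid $pw_gid of user $name (newuidmap rejects this)"
    return 1
  fi

  # Condition 3: a subordinate id range keyed by user name or numeric uid.
  for f in "$subuid" "$subgid"; do
    if ! awk -F: -v n="$name" -v u="$uid" '($1 == n || $1 == u) { found = 1 } END { exit !found }' "$f"; then
      echo "FAIL: no range for $name ($uid) in $f"
      return 1
    fi
  done

  echo "OK: $uid:$gid ($name) satisfies the rootless identity checks"
  return 0
}

# Constructed sample files standing in for /etc/passwd, /etc/subuid, /etc/subgid.
# "jupyter" is a placeholder user name; 1019 and 66781184:65536 come from the issue.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/sh
jupyter:x:1019:1019:jupyter:/home/jupyter:/bin/sh
EOF
cat > "$SAMPLE_DIR/subuid" <<'EOF'
jupyter:66781184:65536
EOF
cat > "$SAMPLE_DIR/subgid" <<'EOF'
jupyter:66781184:65536
EOF

# Usage: the pair from the issue (1019:1015), the matching pair, and an unknown uid.
for pair in 1019:1015 1019:1019 2000:2000; do
  check_rootless_identity "${pair%%:*}" "${pair##*:}" \
    "$SAMPLE_DIR/passwd" "$SAMPLE_DIR/subuid" "$SAMPLE_DIR/subgid" || true
done
```

Run it inside the image (or against copies of the container's files) before starting dockerd-entrypoint.sh; the first failing condition is printed, so the rootlesskit error can be traced to a passwd or subuid/subgid problem without reading the newuidmap argument list by hand.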

tianon commented 1 year ago

Not being able to run rootless inside Docker without --privileged is a known limitation (https://github.com/docker-library/docker/pull/165).

Unfortunately, we do not have the bandwidth to provide in-depth integration/deployment/environment debugging or support here; these sorts of questions/requests would be more appropriately posted to a dedicated support forum, such as the Docker Community Slack, Server Fault, Unix & Linux, or Stack Overflow.