Rootless Docker

[gilesknap]

Consider mandating rootless docker for epics-containers. As per https://epics-containers.github.io/main/explanations/rootless.html

• However, if net host does not work that would be an issue - see https://docs.docker.com/engine/security/rootless/#:~:text=Host%20network%20(,namespaced%20inside%20RootlessKit
• also verify that devcontainer works with it
• also need a solution for restarting containers when the host is rebooted (rootful does this by default - I think you can set a flag on the user to allow startup of user services?)

[gilesknap]

Also see easier switch between modes https://docs.docker.com/engine/security/rootless/#:~:text=docker%20context%20use%20rootless

[gilesknap]

I've tested rootless docker and --network host. It looks like it does not behave like podman and the PVs are not exposed to the host (although they are exposed to phoebus running in a container with network host).

Demo here https://github.com/epics-containers/example-services/tree/network-host-rootless

For simplicity in that case I think we stick with rootfull dcoker for now - we already have that working and it seems that more thought would be needed to use epics-containers in production without kubernetes. It's probably resolvable - but I don't actually have any customers for non-K8S yet, so will leave it for now.