Open zensharp opened 2 years ago
I was interested in the same, but I don't think this is achievable because Docker needs sudo privileges, at least in Linux.

Here's a discussion related to Ubuntu. It mentions things like:

- `docker` group: but the `docker` group is root equivalent, which should be done intentionally, and using this approach in webi might obscure that step.
- `alias docker=sudo docker`: but this still needs sudo, which will not match webi parameters.

I also didn't find another issue requesting the Docker engine.
I'm exploring this now.
- `docker-essentials` package to encompass rootless and compose
- `newuidmap` (?)

```sh
# newuidmap and newgidmap
sudo apt-get install -y uidmap
# start an unprivileged process in a fresh user namespace to map into
unshare -U sleep 100 &
# map ns uid 0 -> our own uid, and ns uids 1..65536 -> host 100000..165535
newuidmap $! 0 "$(id -u)" 1 1 100000 65536
newgidmap $! 0 "$(id -g)" 1 1 100000 65536
```
See also: https://github.com/containers/buildah/issues/3834#issuecomment-1076083456
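A pre-flight check for the mapping above, added here as an example (it is not code from this issue or from webi): rootless Docker, like the `newuidmap`/`newgidmap` calls, relies on the user owning a subordinate id range of at least 65536 ids in `/etc/subuid` and `/etc/subgid`. The function below reads the `name:start:count` format of those files; the sample entries it runs against are constructed, and the real-system report only runs if the files are readable.

```sh
#!/bin/sh
# Added example (not from the issue): confirm the user owns a subordinate
# uid/gid range big enough for the newuidmap/newgidmap mapping shown above,
# which hands 65536 ids (100000..165535) to the namespace.
# /etc/subuid and /etc/subgid hold one "name:start:count" entry per line;
# the name may also be the numeric uid.
set -u

# subid_range_ok USER FILE [MIN]
# Returns 0 if USER has an entry in FILE with count >= MIN (default 65536).
subid_range_ok() {
    user="$1"
    file="$2"
    min="${3:-65536}"
    # entries may be keyed on the numeric id instead of the name
    uid="$(id -u "$user" 2>/dev/null)" || uid="$user"
    # the "|| [ -n ... ]" keeps a last line that has no trailing newline
    while IFS=: read -r name start count || [ -n "$name" ]; do
        case "$name" in
            "$user"|"$uid") ;;
            *) continue ;;
        esac
        # skip malformed counts rather than letting [ -ge ] error out
        case "$count" in
            ''|*[!0-9]*) continue ;;
        esac
        if [ "$count" -ge "$min" ]; then
            return 0
        fi
    done < "$file"
    return 1
}

# report_subids USER: human-readable summary for both files, if present
report_subids() {
    for f in /etc/subuid /etc/subgid; do
        if [ ! -r "$f" ]; then
            echo "$f: not present (install uidmap / shadow-utils)"
        elif subid_range_ok "$1" "$f"; then
            echo "$f: ok for $1"
        else
            echo "$f: no range of 65536 ids for $1"
        fi
    done
}

# constructed sample: alice has a full range, bob's range is too small
sample="$(mktemp)"
printf 'alice:100000:65536\nbob:165536:1000\n' > "$sample"
subid_range_ok alice "$sample" && echo "alice: ok"
subid_range_ok bob "$sample" || echo "bob: range too small"
rm -f "$sample"

report_subids "$(id -u -n)"
```

If the report says a range is missing, the entry is normally added by the distro's `usermod --add-subuids`/`--add-subgids` or at user creation; a range smaller than 65536 is the usual reason a rootless daemon fails to start containers that use many ids.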
Note: The legacy Docker install script: https://get.docker.com/
Side note: interesting way to silence apt-get (the command string must be quoted so `sh -c` receives it as one argument):

```sh
sh -c 'apt-get update -qq >/dev/null'
sh -c 'DEBIAN_FRONTEND=noninteractive apt-get install -y -qq apt-transport-https ca-certificates curl gnupg >/dev/null'
```
```sh
#!/bin/sh
set -e
set -u

# Find latest version at https://download.docker.com/linux/static/stable/x86_64/
g_version='25.0.5'
g_arch='x86_64'

# download the static engine tarball and the rootless extras (skipped if cached)
if ! test -f ./docker-"${g_version}".tgz; then
    curl -L -O https://download.docker.com/linux/static/stable/"${g_arch}"/docker-"${g_version}".tgz
fi
if ! test -f ./docker-rootless-extras-"${g_version}".tgz; then
    curl -L -O https://download.docker.com/linux/static/stable/"${g_arch}"/docker-rootless-extras-"${g_version}".tgz
fi

echo "Extracting docker-${g_version}.tgz ..."
rm -rf ./docker/
tar xf ./docker-"${g_version}".tgz

echo "Extracting docker-rootless-extras-${g_version}.tgz ..."
rm -rf ./docker-rootless-extras/
tar xf ./docker-rootless-extras-"${g_version}".tgz

echo "Moving to ~/.local/opt/docker-${g_version}"
rm -rf ~/.local/opt/docker-"${g_version}"/
mkdir -p ~/.local/opt/docker-"${g_version}"/
mv ./docker ~/.local/opt/docker-"${g_version}"/bin
mv ./docker-rootless-extras/* ~/.local/opt/docker-"${g_version}"/bin/
# the extras were extracted into the current directory, not $HOME
rm -rf ./docker-rootless-extras/

# point the unversioned ~/.local/opt/docker symlink at this version
rm -rf ~/.local/opt/docker
ln -sf docker-"${g_version}" ~/.local/opt/docker

# add the bin dir to webi's envman PATH file (created if missing)
mkdir -p ~/.config/envman
touch ~/.config/envman/PATH.env
#shellcheck disable=SC2016
if ! grep -q -F '"$HOME/.local/opt/docker' ~/.config/envman/PATH.env; then
    echo 'export PATH="$HOME/.local/opt/docker/bin/:$PATH"' >> ~/.config/envman/PATH.env
fi

if ! (echo "$PATH" | grep -q -F "$HOME/.local/opt/docker/bin"); then
    echo "To update PATH:"
    echo "    source ~/.config/envman/PATH.env"
fi
```

```sh
docker run hello-world
```
```sh
#!/bin/sh
set -e
set -u

#my_username="$(id -u -n)"
my_username=root

# dockerd needs a config file to exist, even if it is empty
if ! test -e ~/.config/docker/daemon.json; then
    mkdir -p ~/.config/docker/
    echo '{}' > ~/.config/docker/daemon.json
fi

# register dockerd as a system service via serviceman, keeping the current PATH
(
    cd ~/.config/docker/
    sudo env PATH="$PATH" \
        serviceman add \
        --path "$PATH" \
        --username "${my_username}" \
        --name docker \
        -- \
        dockerd --config-file ~/.config/docker/daemon.json
)
```

Note: add `--groupname=docker` to allow docker
```sh
#!/bin/sh
set -e
set -u

g_version='v2.26.1'
g_arch='x86_64'

# install compose as a CLI plugin for the current user (no root needed)
DOCKER_CONFIG="${DOCKER_CONFIG:-$HOME/.docker}"
if ! test -e "$DOCKER_CONFIG/cli-plugins/docker-compose"; then
    mkdir -p "$DOCKER_CONFIG/cli-plugins"
    # download to a temp name and rename, so a partial download is never picked up as a plugin
    curl -SL 'https://github.com/docker/compose/releases/download'/"${g_version}"/docker-compose-linux-"${g_arch}" \
        -o "$DOCKER_CONFIG/cli-plugins/docker-compose.tmp"
    mv "$DOCKER_CONFIG/cli-plugins/docker-compose.tmp" "$DOCKER_CONFIG/cli-plugins/docker-compose"
    chmod a+x "$DOCKER_CONFIG/cli-plugins/docker-compose"
fi
```

```sh
docker compose version
```
Rootless mode may not be very practical considering that Docker will already be run in a Guest VM or Container, most likely not on a true Host device.

However, it may make sense to run docker as a non-root user:

```sh
# -f: succeed even if the group already exists (membership is root-equivalent)
sudo groupadd -f docker
my_user="$(id -u -n)"
sudo usermod -aG docker "${my_user}"
```
Unprivileged containers may need `/dev/net/tun` added to their config, e.g. `/etc/pve/lxc/101.conf`:

```
# ...
unprivileged: 1
lxc.cgroup2.devices.allow: c 10:200 rwm
lxc.mount.entry: /dev/net dev/net none bind,create=dir
```
```sh
docker --version
docker run hello-world
```

```
docker: Error response from daemon: failed to create task for container: failed to create shim task: OCI runtime create failed: runc create failed: unable to start container process: error during container init: error mounting "proc" to rootfs at "/proc": mount proc:/proc (via /proc/self/fd/6), flags: 0xe: permission denied: unknown.
ERRO[0003] error waiting for container: context canceled
```

When docker is run in a container, it must have nesting enabled:

```
Features: nesting=1
```
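To tie the LXC notes together, an added example (not code from the issue or from webi): a POSIX sh check that a Proxmox container config carries the four settings mentioned in this thread before trying `docker run` inside it, so the `mount proc:/proc ... permission denied` failure above is caught from the config rather than at runtime. It assumes the Proxmox config file spells the key as `features: nesting=1` (the UI shows it as "Features"); the sample config it writes is constructed.

```sh
#!/bin/sh
# Added example (not code from the issue): check that a Proxmox LXC container
# config has the settings this thread says Docker-in-LXC needs: unprivileged
# container, nesting feature, /dev/net/tun device rule and the /dev/net bind
# mount. The sample config below is constructed for the example.
set -u

# lxc_conf_missing FILE
# Prints one line per missing setting. Returns 0 if all are present, 1 otherwise.
lxc_conf_missing() {
    file="$1"
    missing=0
    # exact lines from the thread; -F -x matches a whole line literally
    for want in \
        'unprivileged: 1' \
        'lxc.cgroup2.devices.allow: c 10:200 rwm' \
        'lxc.mount.entry: /dev/net dev/net none bind,create=dir'
    do
        if ! grep -q -F -x "$want" "$file"; then
            echo "$want"
            missing=1
        fi
    done
    # features may hold several flags (e.g. "nesting=1,keyctl=1"), so match loosely
    if ! grep -q -E '^features:.*nesting=1' "$file"; then
        echo 'features: nesting=1'
        missing=1
    fi
    return "$missing"
}

# make_sample_conf DEST WITH_NESTING(0|1): writes a constructed config
make_sample_conf() {
    dest="$1"
    {
        echo 'arch: amd64'
        echo 'unprivileged: 1'
        echo 'lxc.cgroup2.devices.allow: c 10:200 rwm'
        echo 'lxc.mount.entry: /dev/net dev/net none bind,create=dir'
        if [ "$2" -eq 1 ]; then echo 'features: nesting=1'; fi
    } > "$dest"
}

tmp_ok="$(mktemp)"
tmp_bad="$(mktemp)"
make_sample_conf "$tmp_ok" 1
make_sample_conf "$tmp_bad" 0
echo "complete config:"
lxc_conf_missing "$tmp_ok" && echo "  nothing missing"
echo "config without nesting, missing:"
lxc_conf_missing "$tmp_bad" || echo "  (docker run would fail in this container)"
rm -f "$tmp_ok" "$tmp_bad"
```

On a Proxmox host the same function can be pointed at the real file (`lxc_conf_missing /etc/pve/lxc/101.conf`); each printed line is a setting to add before starting the container. Note that these are container-level privileges granted on the host, so they deserve the same intentional review the thread gives the `docker` group.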
Apologies if I'm not the first to request this.