webinstall / webi-installer-requests

This is just to house issues for requests for new Webi installers.
Mozilla Public License 2.0

Request for Docker Engine/Docker Compose #28

Open zensharp opened 2 years ago

zensharp commented 2 years ago

Apologies if I'm not the first to request this.

MarAvFe commented 1 year ago

I was interested in the same, but I don't think this is achievable because Docker needs sudo privileges, at least on Linux.

Here's a discussion related to Ubuntu.

It mentions things like:

  1. Add the user to the docker group: but the docker group is root-equivalent, which should be done intentionally; using this approach in webi might obscure that step.
  2. Create an alias like alias docker=sudo docker: but this still needs sudo, which will not match webi parameters.

MarAvFe commented 1 year ago

I also didn't find another issue requesting Docker Engine.

coolaj86 commented 7 months ago

I'm exploring this now.

  1. This would need a docker-essentials package to encompass rootless and compose
  2. Docker & Rootless Extras: https://download.docker.com/linux/static/stable/
     It seems like this should work without root (i.e. "rootless"), but there's an issue with newuidmap(?)
    # newuidmap and newgidmap
    sudo apt-get install -y uidmap
    unshare -U sleep 100 &
    newuidmap $! 0 $(id -u) 1 1 100000 65536
    newgidmap $! 0 $(id -g) 1 1 100000 65536

    See also: https://github.com/containers/buildah/issues/3834#issuecomment-1076083456

  3. Docker Compose: https://github.com/docker/compose/releases/

Note: The legacy Docker install script: https://get.docker.com/

Side note: interesting way to silence apt-get:

sh -c 'apt-get update -qq >/dev/null'
sh -c 'DEBIAN_FRONTEND=noninteractive apt-get install -y -qq apt-transport-https ca-certificates curl gnupg >/dev/null'

Draft installer

#!/bin/sh
set -e
set -u

# Find latest version at https://download.docker.com/linux/static/stable/x86_64/
g_version='25.0.5'
g_arch='x86_64'
# -f makes curl fail on HTTP errors instead of saving an error page as the tarball
if ! test -f ./docker-"${g_version}".tgz; then
    curl -fL -O https://download.docker.com/linux/static/stable/"${g_arch}"/docker-"${g_version}".tgz
fi
if ! test -f ./docker-rootless-extras-"${g_version}".tgz; then
    curl -fL -O https://download.docker.com/linux/static/stable/"${g_arch}"/docker-rootless-extras-"${g_version}".tgz
fi

echo "Extracting docker-${g_version}.tgz ..."
rm -rf ./docker/
tar xf ./docker-"${g_version}".tgz

echo "Extracting docker-rootless-extras-${g_version}.tgz ..."
rm -rf ./docker-rootless-extras/
tar xf ./docker-rootless-extras-"${g_version}".tgz

echo "Moving to ~/.local/opt/docker-${g_version}"
rm -rf ~/.local/opt/docker-"${g_version}"/
mkdir -p ~/.local/opt/docker-"${g_version}"/
mv ./docker ~/.local/opt/docker-"${g_version}"/bin
mv ./docker-rootless-extras/* ~/.local/opt/docker-"${g_version}"/bin/
# remove the (now empty) extraction directory in the current working directory
rm -rf ./docker-rootless-extras/
rm -rf ~/.local/opt/docker
ln -sf docker-"${g_version}" ~/.local/opt/docker

# make sure the envman PATH file exists before grepping it (grep fails otherwise)
mkdir -p ~/.config/envman/
touch ~/.config/envman/PATH.env
# shellcheck disable=SC2016
if ! grep -q -F '"$HOME/.local/opt/docker' ~/.config/envman/PATH.env; then
    echo 'export PATH="$HOME/.local/opt/docker/bin/:$PATH"' >> ~/.config/envman/PATH.env
fi
if ! (echo "$PATH" | grep -q "$HOME/.local/opt/docker/bin"); then
    echo "To update PATH:"
    echo "    source ~/.config/envman/PATH.env"
fi
docker run hello-world

Draft service (daemon) installer

#!/bin/sh
set -e
set -u

#my_username="$(id -u -n)"
my_username=root

if ! test -e ~/.config/docker/daemon.json; then
    mkdir -p ~/.config/docker/
    echo '{}' >> ~/.config/docker/daemon.json
fi

(
    cd ~/.config/docker/
    sudo env PATH="$PATH" \
    serviceman add \
        --path "$PATH" \
        --username "${my_username}" \
        --name docker \
        -- \
        dockerd --config-file ~/.config/docker/daemon.json
)

Note: add --groupname=docker to allow docker

Draft Installer for Docker Compose

#!/bin/sh
set -e
set -u

g_version='v2.26.1'
g_arch='x86_64'

DOCKER_CONFIG="${DOCKER_CONFIG:-$HOME/.docker}"

if ! test -e "$DOCKER_CONFIG/cli-plugins/docker-compose"; then
    mkdir -p "$DOCKER_CONFIG/cli-plugins"
    # -f: fail on HTTP errors rather than installing an error page as the plugin
    curl -fSL 'https://github.com/docker/compose/releases/download'/"${g_version}"/docker-compose-linux-"${g_arch}" \
        -o "$DOCKER_CONFIG/cli-plugins/docker-compose.tmp"
    mv "$DOCKER_CONFIG/cli-plugins/docker-compose.tmp" "$DOCKER_CONFIG/cli-plugins/docker-compose"
    chmod a+x "$DOCKER_CONFIG/cli-plugins/docker-compose"
fi
docker compose version

System updates

Rootless mode may not be very practical considering that Docker will already be run in a Guest VM or Container, most likely not on a true Host device.

However, it may make sense to run docker as a non-root user:

sudo groupadd docker

my_user="$(id -u -n)"
sudo usermod -aG docker "${my_user}"

Unprivileged containers may need /dev/net/tun added to their config:

/etc/pve/lxc/101.conf:

# ...
unprivileged: 1
lxc.cgroup2.devices.allow: c 10:200 rwm
lxc.mount.entry: /dev/net dev/net none bind,create=dir

Test

docker --version
docker run hello-world

Troubleshooting

Problem: error mounting "proc"

docker: Error response from daemon: failed to create task for container: failed to create shim task: OCI runtime create failed: runc create failed: unable to start container process: error during container init: error mounting "proc" to rootfs at "/proc": mount proc:/proc (via /proc/self/fd/6), flags: 0xe: permission denied: unknown.
ERRO[0003] error waiting for container: context canceled

Possible Solution: Enable nesting

When docker is run in a container, it must have nesting enabled:

Features: nesting=1
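The newuidmap/newgidmap snippet in the comment above maps 65536 subordinate IDs starting at 100000 into the new namespace; both tools refuse any range that /etc/subuid and /etc/subgid do not grant to the calling user, so a rootless installer should check that grant before calling unshare. The following preflight is an added example, not code from the issue or from webi; it assumes the standard name-or-uid:start:count format of those files, and the function names are mine.

```shell
#!/bin/sh
# Added example (not from the issue or webi): preflight for the rootless
# mapping used in the thread: "0 $(id -u) 1" plus "1 100000 65536".
# newuidmap/newgidmap reject any range outside the caller's entries in
# /etc/subuid and /etc/subgid, so check the grant before unshare/newuidmap.
set -u

# Print "start count" for each range granted to user $1 in subid file $2.
# Each line is name-or-uid:start:count; $3 (optional) is the numeric uid,
# because both files may key entries by UID instead of login name.
subid_ranges() {
    awk -F: -v u="$1" -v n="${3:-}" '
        NF == 3 && ($1 == u || (n != "" && $1 == n)) { print $2, $3 }
    ' "$2"
}

# Exit 0 if [start, start+count) lies entirely inside one granted range:
# subid_range_granted USER FILE START COUNT [UID]
subid_range_granted() {
    subid_ranges "$1" "$2" "${5:-}" | awk -v s="$3" -v c="$4" '
        BEGIN { rc = 1 }                        # 1 = not granted
        s >= $1 && s + c <= $1 + $2 { rc = 0 }  # fits inside this range
        END { exit rc }
    '
}

# Check this host for the current user: tools present and ranges granted.
rootless_preflight() {
    me="$(id -u -n)"; uid="$(id -u)"; rc=0
    for tool in newuidmap newgidmap; do
        command -v "$tool" >/dev/null 2>&1 \
            || { echo "missing $tool (Debian/Ubuntu: apt-get install uidmap)"; rc=1; }
    done
    # /etc/subgid is also keyed by login name or UID, not by group.
    for f in /etc/subuid /etc/subgid; do
        subid_range_granted "$me" "$f" 100000 65536 "$uid" \
            || { echo "$f grants $me no range covering 100000-165535"; rc=1; }
    done
    return "$rc"
}

# Run the host check only when asked, so the helpers can be sourced alone.
if [ "${1:-}" = "--check" ]; then
    rootless_preflight
fi
```

Run it with `--check` as the user that will own the rootless daemon; a non-zero exit with the printed reason tells you which prerequisite the uidmap package or a `usermod --add-subuids`/`--add-subgids` entry still has to provide.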