Run the Docker daemon as a non-root user (Rootless mode) | Docker Documentation
Rootless containers with Podman: The basics | Red Hat Developer
一、准备
假定,docker 运行账户为
testuser
id -u
1001
whoami
testuser
grep ^$(whoami): /etc/subuid
testuser:231072:65536
grep ^$(whoami): /etc/subgid
testuser:231072:65536
需要命令 newuidmap 和 newgidmap。 apt安装 uidmap,yum 安装 shadow-utils。
默认安装了,可以检查下。
Isolate containers with a user namespace | Docker Documentation
主机通过两个文件来管理命名空间的映射关系,/etc/subuid和/etc/subgid。通常会在添加、删除用户或组的时候自动配置管理,但是某些系统需要手动管理,比如RHELandCentOS 7.3。
创建文件 /etc/subuid 和 /etc/subgid ,如下
[testuser@VM_201_16_centos ~]$ sudo cat /etc/subuid
testuser:231072:65536
[testuser@VM_201_16_centos ~]$ sudo cat /etc/subgid
testuser:231072:65536
添加 user.max_user_namespaces=28633 到 /etc/sysctl.conf (or /etc/sysctl.d)
执行 sudo sysctl --system
systemctl --user does not work by default. Run dockerd-rootless.sh directly without systemd.
检查有没有安装 docker-ce-rootless-extras
[root@VM_201_16_centos ~]# rpm -ql docker-ce-rootless-extras
/usr/bin/dockerd-rootless-setuptool.sh
/usr/bin/dockerd-rootless.sh
/usr/bin/rootlesskit
/usr/bin/rootlesskit-docker-proxy
二、设置
- 默认已经安装了
shadow-utils,需要升级下,否则会报如下错误
[testuser@VM_201_16_centos ~]$ dockerd-rootless-setuptool.sh install
[ERROR] Missing system requirements. Run the following commands to
[ERROR] install the requirements and run this tool again.
########## BEGIN ##########
sudo sh -eux <<EOF
# Install newuidmap & newgidmap binaries
yum install -y shadow-utils
EOF
########## END ##########
[testuser@VM_201_16_centos ~]$ rpm -qa |grep shadow
shadow-utils-4.1.5.1-24.el7.x86_64
sudo sh -eux <<EOF
# Install newuidmap & newgidmap binaries
yum install -y shadow-utils
EOF
[testuser@VM_201_16_centos ~]$ rpm -qa |grep shadow
shadow-utils-4.6-5.el7.x86_64
- 安装
执行dockerd-rootless-setuptool.sh install
[testuser@VM_201_16_centos ~]$ dockerd-rootless-setuptool.sh check
[INFO] Requirements are satisfied
[testuser@VM_201_16_centos ~]$ dockerd-rootless-setuptool.sh install
[INFO] systemd not detected, dockerd-rootless.sh needs to be started manually:
PATH=/usr/bin:/sbin:/usr/sbin:$PATH dockerd-rootless.sh
[INFO] Creating CLI context "rootless"
Successfully created context "rootless"
[INFO] Use CLI context "rootless"
Current context is now "rootless"
[INFO] Make sure the following environment variables are set (or add them to ~/.bashrc):
export PATH=/usr/bin:$PATH
Some applications may require the following environment variable too:
export DOCKER_HOST=unix:///run/user/1001/docker.sock
三、使用
1. Daemon
因为 centos7尚不支持 systemctl --user start docker 的方式启动,所以得手动启动服务(建议不要使用centos7版本,使用 systemctl --user启动方便很多 )。
设置两个环境变量 $HOME 和 $XDG_RUNTIME_DIR (执行dockerd-rootless-setuptool.sh install后,默认配置好了。如果没有,需要手动设置下)。
[testuser@VM_201_16_centos ~]$ env |grep "HOME\|XDG_RUNTIME_DIR"
HOME=/home/testuser
XDG_RUNTIME_DIR=/run/user/1001
以testuser账户启动服务
[testuser@VM_201_16_centos ~]$ dockerd-rootless.sh
...
INFO[2022-11-03T11:19:44.004611186+08:00] Default bridge (docker0) is assigned with an IP address 172.17.0.0/16. Daemon option --bip can be used to set a preferred IP address
INFO[2022-11-03T11:19:44.038730513+08:00] Loading containers: done.
INFO[2022-11-03T11:19:44.045649238+08:00] Docker daemon commit=3056208 graphdriver(s)=vfs version=20.10.21
INFO[2022-11-03T11:19:44.045756215+08:00] Daemon has completed initialization
INFO[2022-11-03T11:19:44.072079133+08:00] API listen on /run/user/1001/docker.sock
Socket 默认存放于 $XDG_RUNTIME_DIR/docker.sock。$XDG_RUNTIME_DIR 一般设置为/run/user/$UID。
数据目录默认设置为 ~/.local/share/docker。
daemon 配置目录默认设置为 ~/.config/docker。
客户端配置目录默认设置为 ~/.docker。
2. Client
[testuser@VM_201_16_centos ~]$ docker pull busybox
Using default tag: latest
latest: Pulling from library/busybox
22b70bddd3ac: Pull complete
Digest: sha256:6bdd92bf5240be1b5f3bf71324f5e371fe59f0e153b27fa1f1620f78ba16963c
Status: Downloaded newer image for busybox:latest
docker.io/library/busybox:latest
[testuser@VM_201_16_centos ~]$ docker run -d -p 8080:80 nginx
[testuser@VM_201_16_centos ~]$ docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
3ba640ab9b83 nginx "/docker-entrypoint.…" 7 seconds ago Up 3 seconds 0.0.0.0:8080->80/tcp, :::8080->80/tcp confident_chaplygin
网友评论