Differences
This shows the differences between two versions of the page.
content:serverbasics:docker [2023/12/19 15:59] – created by Daniel | content:serverbasics:docker [2024/04/22 10:14] – Daniel
====== Docker ======
Docker is a powerful solution for setting up Services.

Currently I am experimenting on that topic, so maybe this documentation will be ready to use, maybe not.

Docker itself is nice, but it runs as root by default, which is a no-go at all. This will set up Docker in rootless mode on OpenSuSE (currently Leap 15.5).

===== Filesystem Layout =====

Mind that, at the time of writing, ''

I personally dislike xfs, especially since it is not robust and won't shrink. I use it anyway because of the strong advice to do so; with kernel 5.19+ it should be possible to get overlay2 working on btrfs, but there are still things that may not work even with that kernel.

So make sure that the home directory of your docker user is on XFS. The ftype is already ok on SuSE 15.5; check the output of ''

Warning: you may have umask set your own way; I prefer 007, as written before. But if you change umask and permissions, be very cautious, as docker uses user-id mapping and may change the permissions and ownership of files in its directory to the sub-user id. That may change the ownership in a way that even the docker user on the host cannot access the files, which is OK!

__**STRONG WARNING: Don't change permissions or ownership of docker directories on the host directly, as this will change them in the container and break your services!!!**__

__**The only way to manage volume file permissions is to bash inside the running container itself and change them there!**__
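To make the user-id mapping concrete, here is an added shell example (not from the original page) that translates between container uids and the host uids they show up as, assuming a constructed ''/etc/subuid'' entry ''docker:100000:65536'' and a host uid of 1001 for the docker user:

```shell
#!/bin/sh
# Added example; not part of the original page. Values below are constructed:
# a /etc/subuid line for the rootless user and that user's own host uid.
SUBUID_LINE="docker:100000:65536"   # user:first_subuid:count (assumed)
DOCKER_HOST_UID=1001                # assumed uid of the host "docker" user

subuid_start() { printf '%s' "$SUBUID_LINE" | cut -d: -f2; }
subuid_count() { printf '%s' "$SUBUID_LINE" | cut -d: -f3; }

# map_uid CONTAINER_UID: print the host uid that owns a file created as
# CONTAINER_UID inside a rootless container. Container root is the rootless
# user itself; container uid N (N >= 1) becomes start + N - 1. Returns 1 if
# N is outside the delegated range (the container cannot use such a uid).
map_uid() {
    cuid=$1
    if [ "$cuid" -eq 0 ]; then
        echo "$DOCKER_HOST_UID"
        return 0
    fi
    if [ "$cuid" -ge 1 ] && [ "$cuid" -le "$(subuid_count)" ]; then
        echo $(( $(subuid_start) + cuid - 1 ))
        return 0
    fi
    return 1
}

# unmap_uid HOST_UID: reverse lookup for an owner shown by `ls -n` on the host.
# Returns 1 if HOST_UID is not part of this user's mapping at all.
unmap_uid() {
    huid=$1
    if [ "$huid" -eq "$DOCKER_HOST_UID" ]; then
        echo 0
        return 0
    fi
    start=$(subuid_start)
    end=$(( start + $(subuid_count) - 1 ))
    if [ "$huid" -ge "$start" ] && [ "$huid" -le "$end" ]; then
        echo $(( huid - start + 1 ))
        return 0
    fi
    return 1
}

# Demo: walk a few uids in both directions.
for c in 0 1 33 1000; do
    echo "container uid $c -> host uid $(map_uid "$c")"
done
echo "host uid 100999 -> container uid $(unmap_uid 100999)"
```

A file that ''ls -n'' on the host shows as owned by uid 100999 was written by uid 1000 inside the container, which is why a host-side chown targets the wrong identity.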
===== Packages NOT to install =====

I had really a lot of trouble with the package in the AddOn repository: ''

So I disabled the following packages and locked them to never install:

  * docker
  * docker-compose
  * containerd

Check out beneath for installing the docker way.

===== Docker User =====

Create a new **group**

Attention: The home directory should be on a volume having XFS, as btrfs or others are not fully supported right now (20.04.2024: patches in the new kernel 5.19 are incoming, but this kernel has not been released yet and there are still some open problems in development there).

===== cGroups v2 =====

OpenSuSE Leap 15.5 does not have cgroups v2 enabled, which are needed by docker.

You may see a warning (later) when running ''

''

According to this documentation [[https://

''

and also the delegation of cpu for the user is needed:
<code>
$ sudo mkdir -p /
$ cat <<EOF | sudo tee /
[Service]
Delegate=cpu cpuset io memory pids
EOF
$ sudo systemctl daemon-reload
</code>

After this, reboot and check if ''/

After installing docker (see beneath), check if ''
<code>
Cgroup Driver: systemd
Cgroup Version: 2
</code>

Then it's fine.

===== Install rootless Docker =====

Warning: You CANNOT sudo to the user and install docker, because a login via PAM is needed, which does not happen when you sudo. You need to ssh into your machine, or just log on in the usual way:

<code>
If you login in the system using either of
- graphical session
- login on terminal (username and password)
- ssh
then the PAM machinery will call pam_systemd,
if you switch user using sudo or su, this will not happen.
</code>

I chose to ssh into my machine directly; then check your umask to be secure and install docker like this:

<code>
# ~> ssh localhost -l docker
Password:
Have a lot of fun...

docker@pcserver2023:
0007

docker@pcserver2023:
# Installing stable version 25.0.2
# Executing docker rootless install script, commit: 3b2a83b
  % Total    % Received % Xferd  Average Speed
100 68.2M  100 68.2M    0
  % Total    % Received % Xferd  Average Speed
100 19.7M  100 19.7M    0
+ PATH=/
+ /
[INFO] Creating /
[INFO] starting systemd service docker.service
+ systemctl --user start docker.service
+ sleep 3
+ systemctl --user --no-pager --full status docker.service
● docker.service - Docker Application Container Engine (Rootless)
     Docs: https://
 Main PID: 3270 (rootlesskit)
    Tasks: 49
      CPU: 224ms
+ DOCKER_HOST=unix:///
+ /
Client:
 API version:
 Go version:
 Git commit:

Server: Docker Engine - Community
  Version:
  API version:
  Go version:
  Git commit:
  Built:
  OS/
  Experimental:
  Version:
  GitCommit:
  Version:
  GitCommit:
  Version:
  GitCommit:
  Version:
  ApiVersion:
  NetworkDriver:
  PortDriver:
  StateDir:
  Version:
+ systemctl --user enable docker.service
Created symlink /
[INFO] Installed docker.service successfully.
[INFO] To control docker.service,
[INFO] To run docker.service on system startup, run: `sudo loginctl enable-linger docker`

[INFO] Creating CLI context "
Successfully created context "
[INFO] Using CLI context "
Current context is now "

[INFO] Make sure the following environment variable(s) are set (or add them to ~/
export PATH=/

[INFO] Some applications may require the following environment variable too:
export DOCKER_HOST=unix:///
</code>

So, this looks very nice. **Important:

===== Check Docker install =====

Log out of the docker user if you are still logged in from the install. Then, log back in to apply the bashrc settings.

Check the environment to have the settings:
<code>
docker@pcserver2023:
Connection to localhost closed.
obel1x@pcserver2023:
Password:
Last login: Sat Apr 20 15:18:56 2024 from ::1
Have a lot of fun...
docker@pcserver2023:
unix:///
</code>

Now check ''

<code>
docker@pcserver2023:
Client:
 Debug Mode: false

Server:
  Running: 0
  Paused: 0
  Stopped: 0
  Backing Filesystem: xfs
  Supports d_type: true
  Using metacopy: false
  Native Overlay Diff: false
  userxattr: true
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local splunk syslog
 Init Binary: docker-init
 runc version: v1.1.12-0-g51d5e94
 init version: de40ad0
  seccomp
  rootless
  cgroupns
 CPUs: 8
 Total Memory: 30.79GiB
 Name: pcserver2023
 ID: 45699224-ea9c-4865-8dea-a53bb20b788c
 Debug Mode: false
  127.0.0.0/
 Live Restore Enabled: false

WARNING: bridge-nf-call-iptables is disabled
WARNING: bridge-nf-call-ip6tables is disabled
</code>

Important things:

  * Storage driver and FS type: overlay2 should always be used, btrfs is outdated! XFS and d_type are important!
  * Cgroup version needs to be 2 or better
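As an added check (not from the original page), the following shell function parses ''docker info'' output for exactly the points listed above, so the verification after install and after every daemon update can be scripted; the two sample outputs it runs on are constructed, not copied from this page:

```shell
#!/bin/sh
# Added example; not part of the original page. SAMPLE_INFO and BAD_INFO are
# constructed excerpts in the shape of `docker info` output.
SAMPLE_INFO='Server:
 Storage Driver: overlay2
  Backing Filesystem: xfs
  Supports d_type: true
 Cgroup Driver: systemd
 Cgroup Version: 2
 Security Options:
  seccomp
  rootless
  cgroupns'

BAD_INFO='Server:
 Storage Driver: btrfs
 Cgroup Driver: cgroupfs
 Cgroup Version: 1
 Security Options:
  seccomp'

# get_field LABEL TEXT: value after "LABEL:" on the first matching line.
get_field() {
    printf '%s\n' "$2" | sed -n "s/^[[:space:]]*$1:[[:space:]]*//p" | head -n 1
}

# fail MESSAGE: report one finding and bump the global counter.
fail() { echo "PROBLEM: $1"; problems=$((problems + 1)); }

# check_docker_info TEXT: print one line per problem and return the problem
# count (0 means the daemon matches the expectations of this page).
check_docker_info() {
    problems=0
    [ "$(get_field 'Storage Driver' "$1")" = overlay2 ] || fail "storage driver is not overlay2"
    [ "$(get_field 'Backing Filesystem' "$1")" = xfs ] || fail "backing filesystem is not xfs"
    [ "$(get_field 'Supports d_type' "$1")" = true ] || fail "d_type not supported (ftype=0?)"
    [ "$(get_field 'Cgroup Version' "$1")" -ge 2 ] 2>/dev/null || fail "cgroup version is below 2"
    printf '%s\n' "$1" | grep -q '^[[:space:]]*rootless$' || fail "daemon is not running rootless"
    return $problems
}

check_docker_info "$SAMPLE_INFO" && echo "good sample: OK"
check_docker_info "$BAD_INFO" || echo "bad sample: $? problem(s)"
```

On a live host, replace the constructed text with ''docker info 2>/dev/null'' captured into a variable; a non-zero return value is what a cron job or monitoring check should alert on.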
+ | |||
+ | ===== Configuring Docker Daemon ===== | ||
+ | |||
+ | in rootless-mode, | ||
+ | |||
+ | '' | ||
+ | |||
+ | **by default, the path and the file is not existent, create it within the docker user**. | ||
+ | |||
+ | For example, enable ipv6. See [[https:// | ||
+ | < | ||
+ | |||
+ | { | ||
+ | " | ||
+ | " | ||
+ | " | ||
+ | " | ||
+ | " | ||
+ | } | ||
+ | } | ||
+ | |||
+ | </ | ||
+ | |||
+ | Notice: Don't use '' | ||
+ | |||
===== Install docker compose =====

The command ''

Installing it the manual way:

Edit the file ''
<code>
export DOCKER_CONFIG=${DOCKER_CONFIG:
</code>

Then log in to the docker user again and do as the doc says to install and check your install:

<code>
docker@pcserver2023:
docker@pcserver2023:
  % Total    % Received % Xferd  Average Speed
  0
100 59.8M  100 59.8M    0
docker@pcserver2023:
docker@pcserver2023:
Docker Compose version v2.26.1
docker@pcserver2023:
</code>

You're done with the compose plugin.

===== Create a place for Yamls =====

Now that you have compose, you can use it to set up your services with YAML files. Each service should have a directory of its own.

Make a directory with ''

===== First Docker App: Portainer =====

Now, finally, it's time for our first running container. As the Portainer app is an important management software in Docker for inexperienced users, let's run it in a safe user-spaced way now.

As always, SSH into your docker user and then create the folders and yml files for docker compose and portainer.

<code>
obel1x@server:
Password:
docker@pcserver2023:
docker@pcserver2023:
docker@pcserver2023:
docker@pcserver2023:
docker@pcserver2023:
</code>

Put the following into that file:

<code>
services:
      - 9000:9000
      - 9433:9433
      - portainer_data:/
      - /

volumes:
</code>

Check that the socket path is the correct one.

Now start your app and watch the magic:

<code>
docker@pcserver2023:
[+] Running 12/12
 ✔ portainer Pulled
 ✔ 379538b6d68e Pull complete
 ✔ 4ea3e2c3a39b Pull complete
 ✔ 5171176db7f2 Pull complete
 ✔ 52e9438966a5 Pull complete
 ✔ 43d4775415ac Pull complete
 ✔ c1cad9f5200f Pull complete
 ✔ 22eab514564f Pull complete
 ✔ 962b9fa821a2 Pull complete
 ✔ c153fefda5ce Pull complete
 ✔ bed990c4615b Pull complete
 ✔ 4f4fb700ef54 Pull complete
[+] Running 3/3
 ✔ Network portainer_default
 ✔ Volume "
 ✔ Container portainer-portainer-1
docker@pcserver2023:
</code>

Now you can go to [[http://

+ | |||
+ | Thats all: Docker is running and serving your services, cheers! | ||