Docker

Docker is a powerful solution for setting up services. This page gives hints on how to set up Docker in a reasonably secure way.

I am currently experimenting with this topic, so this documentation may or may not be ready to use.

Docker itself is nice, but by default the daemon runs as root and every container is started by that root daemon, which is not acceptable here. This page sets up Docker in rootless mode, where the daemon and the containers run inside the user namespace of an unprivileged user, on openSUSE (currently Leap 15.5).

Docker rootless is not in the main repositories, so first add the add-on repository: https://download.opensuse.org/repositories/Virtualization:/containers/${releasever}/

Then install the package docker-rootless-extras and its dependencies.

Create a dedicated user for the daemon, and consider giving it a home directory outside /home, because by default everything Docker stores (images, layers, volumes) ends up below that home.

Here the user is docker with the home directory /srv/docker-user.

It is also better not to add this user to the users group: use docker as its primary group, so nothing it creates is group-readable by every regular account.

Warning: you CANNOT sudo or su to this user and run the installer that way. The setup tool uses systemctl --user, which only works inside a login session registered by pam_systemd (that is what sets XDG_RUNTIME_DIR and starts the user's systemd instance). Such a session is created when you log in through either of:

- a graphical session
- a terminal login (username and password)
- ssh

Switching user with sudo or su does not go through that PAM session setup, so there is no user manager for systemctl to talk to. machinectl shell docker@ also creates a proper session and is an alternative to logging in.
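As an added example (not part of this page or of the docker-rootless-extras package), a small pre-flight script covering the steps above: it checks that the docker user has the subordinate uid/gid ranges that rootless Docker maps container users into (at least 65536 in /etc/subuid and /etc/subgid), prints the line to add if not, and checks that the current shell is in a real logind session. The user name docker and uid 1001 are taken from the installer output further down; the location of the user bus socket ($XDG_RUNTIME_DIR/bus) is an assumption about where systemd puts it on this distribution.

```shell
#!/bin/sh
# Added example (not from the page): pre-flight checks for the rootless
# Docker user, run before dockerd-rootless-setuptool.sh install.
# Assumed names: user "docker", uid 1001 (taken from the page's output).
# File paths are parameters so the checks can also run on copies.

# subid_range_ok FILE USER UID
# FILE is in /etc/subuid or /etc/subgid format ("name:start:count").
# Entries may be keyed by user name or by numeric uid; both are summed.
# Returns 0 when the user has at least 65536 subordinate IDs, which is
# what rootless Docker needs to map container IDs 0-65535.
subid_range_ok() {
    file=$1 user=$2 uid=$3
    [ -r "$file" ] || return 1
    total=$(awk -F: -v u="$user" -v i="$uid" \
        '$1 == u || $1 == i { n += $3 } END { print n + 0 }' "$file")
    [ "$total" -ge 65536 ]
}

# subid_line USER START
# Prints the line to append when a range is missing. START must not
# overlap an existing range in that file; 100000 is the usual first block.
subid_line() {
    printf '%s:%s:65536\n' "$1" "$2"
}

# session_ok RUNTIME_DIR
# "systemctl --user" needs the session that pam_systemd registers at a
# real login: XDG_RUNTIME_DIR must point at an existing directory and the
# user manager's bus socket must be there (assumption: $XDG_RUNTIME_DIR/bus).
# su/sudo do not create any of this.
session_ok() {
    dir=$1
    [ -n "$dir" ] && [ -d "$dir" ] && [ -e "$dir/bus" ]
}

# preflight USER UID: runs the checks against the live system and prints
# what to fix. Returns 0 only when everything passed.
preflight() {
    user=$1 uid=$2 rc=0
    for f in /etc/subuid /etc/subgid; do
        if subid_range_ok "$f" "$user" "$uid"; then
            echo "ok:   $f has >= 65536 ids for $user"
        else
            echo "FAIL: $f needs a line like: $(subid_line "$user" 100000)"
            rc=1
        fi
    done
    if session_ok "${XDG_RUNTIME_DIR:-}"; then
        echo "ok:   user session present (XDG_RUNTIME_DIR=${XDG_RUNTIME_DIR:-})"
    else
        echo "FAIL: no logind session; log in via ssh/tty/GUI or use: machinectl shell $user@"
        rc=1
    fi
    return $rc
}

if preflight "${1:-docker}" "${2:-1001}"; then
    echo "preflight passed, now run: dockerd-rootless-setuptool.sh check"
fi
```

Run it as the docker user after logging in the way described above; a FAIL on the session check while logged in through su or sudo is exactly the symptom the warning is about.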

I chose to ssh into my machine directly:

#> ssh localhost -l docker
#> pwd
/srv/docker-user

#> dockerd-rootless-setuptool.sh check
[INFO] Requirements are satisfied

#> dockerd-rootless-setuptool.sh install
[INFO] Creating /srv/docker-user/.config/systemd/user/docker.service
[INFO] starting systemd service docker.service
+ systemctl --user start docker.service
+ sleep 3
+ systemctl --user --no-pager --full status docker.service
● docker.service - Docker Application Container Engine (Rootless)
    Loaded: loaded (/srv/docker-user/.config/systemd/user/docker.service; disabled; vendor preset: disabled)
    Active: active (running) since Tue 2023-12-19 17:53:39 CET; 3s ago
      Docs: https://docs.docker.com/go/rootless/
  Main PID: 6774 (rootlesskit)
    CGroup: /user.slice/user-1001.slice/user@1001.service/app.slice/docker.service
            ├─ 6774 rootlesskit --net=slirp4netns --mtu=65520 --slirp4netns-sandbox=auto --slirp4netns-seccomp=auto --disable-host-loopback --port-driver=builtin --copy-up=/etc --copy-up=/run --propagation=rslave /usr/bin/dockerd-rootless.sh
            ├─ 6785 /proc/self/exe --net=slirp4netns --mtu=65520 --slirp4netns-sandbox=auto --slirp4netns-seccomp=auto --disable-host-loopback --port-driver=builtin --copy-up=/etc --copy-up=/run --propagation=rslave /usr/bin/dockerd-rootless.sh
            ├─ 6804 slirp4netns --mtu 65520 -r 3 --disable-host-loopback --enable-sandbox --enable-seccomp 6785 tap0
            ├─ 6811 dockerd
            └─ 6833 containerd --config /run/user/1001/docker/containerd/containerd.toml
+ DOCKER_HOST=unix:///run/user/1001/docker.sock
+ /usr/bin/docker version
Client:
Version:           24.0.7-ce
API version:       1.43
Go version:        go1.20.12
Git commit:        311b9ff0aa93
Built:             Fri Oct 27 12:00:00 2023
OS/Arch:           linux/amd64
Context:           default

Server:
Engine:
 Version:          24.0.7-ce
 API version:      1.43 (minimum version 1.12)
 Go version:       go1.20.12
 Git commit:       311b9ff0aa93
 Built:            Fri Oct 27 12:00:00 2023
 OS/Arch:          linux/amd64
 Experimental:     false
containerd:
 Version:          v1.7.8
 GitCommit:        8e4b0bde866788eec76735cc77c4720144248fb7
runc:
 Version:          1.1.10
 GitCommit:        v1.1.10-0-g18a0cb0f32bc
docker-init:
 Version:          0.1.7_catatonit
 GitCommit:
rootlesskit:
 Version:          1.1.1
 ApiVersion:       1.1.1
 NetworkDriver:    slirp4netns
 PortDriver:       builtin
 StateDir:         /tmp/rootlesskit687654985
slirp4netns:
 Version:          1.2.0
 GitCommit:        unknown
+ systemctl --user enable docker.service
Created symlink /srv/docker-user/.config/systemd/user/default.target.wants/docker.service → /srv/docker-user/.config/systemd/user/docker.service.
[INFO] Installed docker.service successfully.
[INFO] To control docker.service, run: `systemctl --user (start|stop|restart) docker.service`
[INFO] To run docker.service on system startup, run: `sudo loginctl enable-linger docker`

[INFO] Creating CLI context "rootless"
Successfully created context "rootless"
[INFO] Using CLI context "rootless"
Current context is now "rootless"

[INFO] Make sure the following environment variable(s) are set (or add them to ~/.bashrc):
export PATH=/usr/bin:$PATH

[INFO] Some applications may require the following environment variable too:
export DOCKER_HOST=unix:///run/user/1001/docker.sock

So far, so good. Two lines of that output matter later: without sudo loginctl enable-linger docker (run as root) the user's systemd instance, and with it dockerd, stops as soon as your last session ends; and the daemon socket is /run/user/1001/docker.sock, reachable only by the docker user, which is what DOCKER_HOST has to point at.

Note that named volumes now live under /srv/docker-user/.local/share/docker/volumes, the default data-root in rootless mode, which may not be what you want. Either move the whole data-root (next section) or use bind mounts to explicit directories in the yml file of each service.

In rootless mode the daemon configuration file is not /etc/docker/daemon.json but:

~/.config/docker/daemon.json

By default neither the directory nor the file exists; create both as the docker user.

For example, to keep the data under another directory (it must be owned and writable by the docker user), put this into the file:

{
 "log-level": "warn",
 "log-driver": "json-file",
 "data-root": "/srv/docker",
 "storage-driver": "overlay2",
 "log-opts": {
   "max-size": "10m",
   "max-file": "5"
 }
}

Note that at the time of writing overlay2 is the storage driver to use. It needs a backing filesystem with d_type support: Docker supports ext4 and xfs, and xfs only if it was created with ftype=1. (userxattr: true in the output below is normal for rootless mode, where the overlay is mounted inside the user namespace.)

To check which filesystem is in use, look at the lines under Storage Driver in the output of docker info:

Storage Driver: overlay2
 Backing Filesystem: xfs
 Supports d_type: true
 Using metacopy: false
 Native Overlay Diff: false
 userxattr: true

An XFS filesystem created on Leap 15.5 has ftype=1 by default; verify it in the output of xfs_info <volumename>, where the naming line shows ftype=1.
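As an added check for this section (not from the page), the following script tests what the text describes: whether xfs_info reports ftype=1, whether docker info shows overlay2 with d_type support, which backing filesystem is in use, and whether the data-root from daemon.json exists and is writable by the user running it. The parsing functions take the tool output as a string, so they can also be run against saved output; /srv/docker as the default data-root is the value from the daemon.json above.

```shell
#!/bin/sh
# Added example, not from the page: is the filesystem behind data-root
# usable for overlay2, and is the directory ready for a rootless dockerd?
# Default data-root /srv/docker is the value from the page's daemon.json.

# xfs_ftype_ok XFS_INFO_OUTPUT
# xfs_info prints a line like "naming =version 2 bsize=4096 ascii-ci=0, ftype=1".
# overlay2 needs ftype=1 (d_type support); an ftype=0 filesystem has to be
# recreated with mkfs.xfs, it cannot be converted in place.
xfs_ftype_ok() {
    printf '%s\n' "$1" | grep -q 'ftype=1'
}

# docker_info_dtype_ok DOCKER_INFO_OUTPUT
# The "Storage Driver" section of "docker info" must show overlay2 and
# "Supports d_type: true".
docker_info_dtype_ok() {
    printf '%s\n' "$1" | grep -q 'Storage Driver: overlay2' &&
        printf '%s\n' "$1" | grep -q 'Supports d_type: true'
}

# backing_fs DOCKER_INFO_OUTPUT: prints the "Backing Filesystem" value
backing_fs() {
    printf '%s\n' "$1" | sed -n 's/^ *Backing Filesystem: *//p'
}

# fs_supported NAME: the backing filesystems Docker documents for overlay2.
# "ext2/ext3" is what stat -f reports for ext4 on Linux.
fs_supported() {
    case $1 in
        xfs|ext4|ext2/ext3) return 0 ;;
        *) return 1 ;;
    esac
}

# data_root_ok DIR: dockerd runs as this user in rootless mode, so the
# directory must exist and be writable by the user running this check.
data_root_ok() {
    [ -d "$1" ] && [ -w "$1" ]
}

# Live check against this machine (nothing here needs root).
DATA_ROOT=${1:-/srv/docker}
if data_root_ok "$DATA_ROOT"; then
    fstype=$(stat -f -c %T "$DATA_ROOT")
    if fs_supported "$fstype"; then
        echo "ok:   $DATA_ROOT is writable, filesystem $fstype"
    else
        echo "WARN: $DATA_ROOT is on $fstype, not a documented overlay2 backing filesystem"
    fi
    if command -v docker >/dev/null 2>&1; then
        info=$(docker info 2>/dev/null)
        if docker_info_dtype_ok "$info"; then
            echo "ok:   overlay2 on $(backing_fs "$info") with d_type support"
        else
            echo "WARN: docker info does not report overlay2 with d_type support"
        fi
    fi
else
    echo "WARN: $DATA_ROOT missing or not writable by $(id -un)"
fi
```

Run it as the docker user once daemon.json is in place; if it warns about the data-root, fix ownership before starting the daemon, since dockerd does not create the directory with the right owner for you.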

I like btrfs a bit more than xfs, so I chose three different locations for Docker on two filesystems (both are LVM volumes on RAID; see the other docs here):

#> mount | grep /srv
/dev/mapper/vgdata-lvdata on /srv type btrfs (rw,noatime,nodiratime,compress=zstd:3,space_cache,autodefrag,subvolid=5,subvol=/)
/dev/mapper/vgdata-lvdocker on /srv/docker type xfs (rw,**noexec**,noatime,nodiratime,attr2,inode64,logbufs=8,logbsize=32k,sunit=128,swidth=256,noquota)

In /srv I have:

#> ls /srv/ | grep docker
docker #-> for storing docker-data using xfs
docker-compose #-> for my yaml-files
docker-user #-> this is the home of the docker user, containing the executables in user-space

I want these files readable and writable only for user docker and group docker:

#:~ # cd /srv
#:/srv # chown docker docker* -R
#:/srv # chgrp docker docker* -R
#:/srv # setfacl -m d:u::rwX -R docker*
#:/srv # setfacl -m d:g::rwX -R docker*
#:/srv # setfacl -m d:o::--- -R docker*
#:/srv # setfacl -m o::--- -R docker*
#:/srv # setfacl -m u::rwX -R docker*
#:/srv # setfacl -m g::rwX -R docker*

Unfortunately, Docker does not honour the ACLs and host permissions for what it puts below a volume; more precisely, it sets explicit modes on what it creates and populates there, so the inherited default ACL does not survive.

So if you want the files really kept from other users, create the volume with a umask, e.g.:

docker volume create portainer_data --opt o=umask=0007

That makes all files in the volume end up with the right permissions. Check it after the first container has written to the volume: docker volume inspect portainer_data shows the Mountpoint, and ls -la on that path shows the resulting modes (files written by non-root container users appear on the host as owned by the docker user's subordinate uids).

In Docker-Compose use this in your yml:

volumes:
  volumename:
    driver_opts:
      device: ""
      type: ""
      o: "umask=0007"

Device and type need to be there, but can be empty to use default values.
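The point made above (Docker resets the modes it creates, so per-file ACLs are not enough) and the umask volume option both come down to one question: can an unrelated local user reach the files at all? As an added example (not from the page), the script below answers that by walking the directory components, and applies the cheaper fix: deny "other" on one parent directory, non-recursively, because a user without search permission on /srv/docker cannot reach anything beneath it whatever modes Docker gives the files. A recursive chmod over the data-root would be wrong for a second reason: the modes of files inside image layers are what containers see, so stripping "other" bits there changes what unprivileged processes in containers can read. The audit of individual entries is meant for directories you manage by hand, such as /srv/docker-compose. Paths are parameters; nothing in it is specific to Docker.

```shell
#!/bin/sh
# Added example, not from the page: can other local users reach the Docker
# data or the compose files? Works on modes only; ACL entries for named
# users/groups never grant anything to "other", so this is exact for that
# class of users. Needs GNU/busybox stat (Linux).

# other_can_traverse PATH [TOP]
# Returns 0 if every directory from TOP (default /) down to PATH grants
# "other" the search (x) bit, i.e. an unrelated user can reach PATH.
other_can_traverse() {
    p=$(cd "$1" 2>/dev/null && pwd -P) || return 1
    top=${2:-/}
    while :; do
        case $(stat -c %a "$p") in
            *[1357]) ;;          # last octal digit: o+x set
            *) return 1 ;;
        esac
        [ "$p" = "$top" ] && return 0
        [ "$p" = "/" ] && return 0
        p=$(dirname "$p")
    done
}

# seal DIR: remove all "other" bits on DIR itself, nothing below it.
# Enough to block traversal, and it leaves image-layer modes alone.
seal() {
    chmod o-rwx "$1"
}

# world_accessible DIR: every entry under DIR with any "other" bit set,
# one path per line. Use it on directories you manage by hand (compose
# files, .env files), not on the data-root (see the note above).
world_accessible() {
    find "$1" \( -perm -004 -o -perm -002 -o -perm -001 \) -print 2>/dev/null
}

world_accessible_count() {
    world_accessible "$1" | wc -l | tr -d ' '
}

# Live run for the layout used on this page; adjust the paths as needed.
for d in /srv/docker /srv/docker-user /srv/docker-compose; do
    [ -d "$d" ] || continue
    if other_can_traverse "$d"; then
        echo "$d: reachable by other users, consider: seal $d"
    else
        echo "$d: blocked for other users"
    fi
done
if [ -d /srv/docker-compose ]; then
    echo "world-accessible entries under /srv/docker-compose: $(world_accessible_count /srv/docker-compose)"
fi
```

The ACL recipe above still has its place: it decides what group members get. Sealing the parent directory is what keeps everyone else out regardless of how Docker sets the modes inside.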

Now, finally, it is time for the first running container. Portainer is a web UI for managing Docker and a good first candidate, so let's run it the rootless way.

As always, ssh in as the docker user, then create the directory and the yml file for Portainer.

obel1x@server:~> ssh localhost -l docker

Password:
docker@server:~> cd /srv/docker-compose/
docker@server:/srv/docker-compose> mkdir portainer
docker@server:/srv/docker-compose> cd portainer
docker@server:/srv/docker-compose/portainer> getfacl .
# file: .
# owner: docker
# group: docker
user::rwx
group::rwx
other::---
default:user::rwx
default:group::rwx
default:other::---

docker@server:/srv/docker-compose/portainer> touch docker-compose.yml

put the following into that file:

Last modified: 2023/12/21 08:40 by Daniel