Unterschiede

Hier werden die Unterschiede zwischen zwei Versionen angezeigt.

--- content:serverbasics:docker [2024/04/20 13:29] – [Install rootless Docker] Daniel
+++ content:serverbasics:docker [2024/05/18 11:11] (aktuell) – [Update] Daniel
@@ Zeile 1: / Zeile 1: @@
-====== Docker (rootless) ======
+====== Docker (rootless) + Portainer ======
 Docker is a powerful solution for setting up Services. This on will give you hints how to setup Docker in a good way.
@@ Zeile 7: / Zeile 7: @@
 Docker itself is nice, but it will run as root per default, which is a no-go at all. This will setup Docker in rootless- mode on OpenSuSE (currently Leap 15.5).
-===== Package =====
+===== Filesystem Layout =====
+Mind, that at the time writing, ''overlay2'' is the way to go as storage driver in docker, but it only supports xfs as backing filesystems (with ''d_type=true'' which means ''ftype=1'' ).
+I personally dislike xfs, especially while its not rubust and won't shrink. I use it anyway, because of its srong advise to do so - with kernel 5.19+ it should be possible to get overlay2 working on btrfs, but still there are thinks that may not work even with that kernel.
+So make sure, that the Home-Directory of you docker user is on XFS. The ftype is already ok on SuSE 15.5, check output of ''xfs_info <volumename>''.
+Warning: you may have umask set your way - i prefer 007 as writte before. But if you change umask and permissions be very cautious, as docker uses userid- mapping and may change the permissions and ownersets of files in its directory to the subuserid. That may change the ownership in a way, that even the docker user on the host cannot access the Files, which is OK !
+__**STRONG WARNING: Don't change permissions or ownership of docker- directories on the Host directly as this will chage them in the container an break your Services !!!**__
+__**The only way to manage Volume- File- Permissions is to bash inside the running container itself and to change them there!**__
+===== Packages NOT to install =====
 I had really a lot of troubles with the package in the AddOn- Repository: ''[[https://download.opensuse.org/repositories/Virtualization:/containers/${releasever}/|https://download.opensuse.org/repositories/Virtualization:/containers/${releasever}/]]'' while they are not installing docker the same way, that docker would do. For example they will not be installed in User-Subspace only, but will use systems Docker executables installed in global paths. This is a problem when using btrfs - as btrfs is not fully compatible with docker. So i won't use this any more.
+So i disabled the following packages and locked them to never install:
+  * docker
+  * docker-compose
+  * containerd
 Check out beneath for install the docker way.
-===== User =====
+===== Docker- User =====
-Create a new **group** called **docker** and a new **user** called **docker**. Make the user have the **default group docker**.
+Create a new **group**  called **docker**  and a new **user**  called **docker**. Make the user have the **default group docker**.
 Attention: The Home Directory should be on a volume having XFS as btrfs or others are not fully supported right now (20.04.2024 - patches in new Kernel 5.19 are incoming, but this Kernel is not released until now and still there are some problems open in developement there).
@@ Zeile 21: / Zeile 40: @@
 ===== cGroups v2 =====
-OpenSuSE Leap 15.5 does not seem to have cGroups v2 enabled.
+OpenSuSE Leap 15.5 does not have cGroups v2 enabled, which are needed by docker.
 You may see a warning (later) when running ''docker info'':
@@ Zeile 43: / Zeile 62: @@
 </file>
-after this, reboot and check if ''/sys/fs/cgroup/cgroup.controllers'' is present
+after this, reboot and check if ''/sys/fs/cgroup/cgroup.controllers''  is present
-After installing docker (see beneath), check if ''docker info'' says:
+After installing docker (see beneath), check if ''docker info''  says:
 <file>
@@ Zeile 165: / Zeile 184: @@
 </code>
-So, this looks very nice. **Important:** Do what the Installation says with the file ''~/.bashrc''
+So, this looks very nice. **Important:**  Do what the Installation says with the file ''~/.bashrc''
+===== Check Docker install =====
-==== Optional Docker- Directory ====
+Log out of docker user if you are still in from install. Then, log back in to apply the bashrc- settings.
+Ceck the Environement to have the settings:
+<code>
+docker@pcserver2023:~> Abgemeldet
+Connection to localhost closed.
+obel1x@pcserver2023:~> ssh localhost -l docker
+Password:
+Last login: Sat Apr 20 15:18:56 2024 from ::1
+Have a lot of fun...
+docker@pcserver2023:~> echo $DOCKER_HOST
+unix:///run/user/1001/docker.sock
+</code>
+Now check ''docker info'':
+<code>
+docker@pcserver2023:~> docker info
+Client:
+ Version:    25.0.2
+ Context:    default
+ Debug Mode: false
+Server:
+ Containers: 0
+  Running: 0
+  Paused: 0
+  Stopped: 0
+ Images: 0
+ Server Version: 25.0.2
+ Storage Driver: overlay2
+  Backing Filesystem: xfs
+  Supports d_type: true
+  Using metacopy: false
+  Native Overlay Diff: false
+  userxattr: true
+ Logging Driver: json-file
+ Cgroup Driver: systemd
+ Cgroup Version: 2
+ Plugins:
+  Volume: local
+  Network: bridge host ipvlan macvlan null overlay
+  Log: awslogs fluentd gcplogs gelf journald json-file local splunk syslog
+ Swarm: inactive
+ Runtimes: io.containerd.runc.v2 runc
+ Default Runtime: runc
+ Init Binary: docker-init
+ containerd version: 7c3aca7a610df76212171d200ca3811ff6096eb8
+ runc version: v1.1.12-0-g51d5e94
+ init version: de40ad0
+ Security Options:
+  seccomp
+   Profile: builtin
+  rootless
+  cgroupns
+ Kernel Version: 5.14.21-150500.55.52-default
+ Operating System: openSUSE Leap 15.5
+ OSType: linux
+ Architecture: x86_64
+ CPUs: 8
+ Total Memory: 30.79GiB
+ Name: pcserver2023
+ ID: 45699224-ea9c-4865-8dea-a53bb20b788c
+ Docker Root Dir: /home/docker/.local/share/docker
+ Debug Mode: false
+ Experimental: false
+ Insecure Registries:
+.0.0.0/8
+ Live Restore Enabled: false
+ Product License: Community Engine
+WARNING: bridge-nf-call-iptables is disabled
+WARNING: bridge-nf-call-ip6tables is disabled
+</code>
+Important things:
+  * Storage driver and FS-Type : overlay2 should always be used, btrfs is outdated! XFS and d_type are important!
+  * CGroup Version needs to be 2 or better
+===== Configuring Docker Daemon =====
 in rootless-mode, the file to configure docker is here:
@@ Zeile 174: / Zeile 277: @@
 ''~/.config/docker/daemon.json''
-by default, the path and the file is not existent, create it with the user.
+**by default, the path and the file is not existent, __create it new__  within the docker user**.
-For example use another directory für your data in that file:
+For example, enable IPv6. See [[https://docs.docker.com/config/daemon/ipv6/|https://docs.docker.com/config/daemon/ipv6/]] for details.
 <file>
 {
- "log-level": "warn",
- "log-driver": "json-file",
  "experimental": true,
  "ip6tables": true,
- "data-root": "/srv/docker",
+ "ipv6": true,
- "storage-driver": "overlay2",
+ "fixed-cidr-v6": "fd12:3456:789a:1::/64",
  "log-opts": {
    "max-size": "10m",
@@ Zeile 194: / Zeile 295: @@
 </file>
-Here, ipv6 support has been turned on. See [[https://docs.docker.com/config/daemon/ipv6/|https://docs.docker.com/config/daemon/ipv6/]] for details.
+You need to adjust cidr to match your network, check first 4 blocks of ''ip addr''
-Notice: Don't use ''userns-remap'' - this won't work and makes no sense.
+Notice: Don't use ''userns-remap''  - this won't work and makes no sense in rootless.
-===== Filesystem Layout =====
-Mind, that at the time writing ''overlay2'' is the way to go as storage driver in docker, but it only supports xfs as backing filesystems (with ''d_type=true'' which means ''ftype=1'' ).
+===== Install docker compose =====
-I personally dislike xfs, especially while its not rubust and won't shrink. I use it anyway, because of its srong advise to do so - with kernel 5.19+ it should be possible to get overlay2 working on btrfs.
+The command ''docker-compose''  has been obsoleted and been replaced by a plugin ''compose''  for docker (see [[https://docs.docker.com/compose/install/|https://docs.docker.com/compose/install/]]).
-For checking which filesystem is in use, see ''docker info'', lines under ''Storage Driver'':
+Installing it the manual way:
-<file>
-Storage Driver: overlay2
+Edit the File ''~/.bashrc''  and add:
- Backing Filesystem: xfs
- Supports d_type: true
- Using metacopy: false
- Native Overlay Diff: false
- userxattr: true
-</file>
-If you create a XFS-Filesystem with Leap 15.5 it will have ''ftype=1'' set, check output of ''xfs_info <volumename>''
-For me, i like btrfs a bit more than xfs, so i chose to have three different locations for docker on two filesystems (which are raided lvms. Check out the other docs here):
-<file>
-#> mount | grep /srv
-/dev/mapper/vgdata-lvdata on /srv type btrfs (rw,noatime,nodiratime,compress=zstd:3,space_cache,autodefrag,subvolid=5,subvol=/)
-/dev/mapper/vgdata-lvdocker on /srv/docker type xfs (rw,**noexec**,noatime,nodiratime,attr2,inode64,logbufs=8,logbsize=32k,sunit=128,swidth=256,noquota)
-</file>
-and in /srv i have
-<file>
-#> ls /srv/ | grep docker
-docker #-> for storing docker-data using xfs
-docker-compose #-> for my yaml-files
-docker-user #-> this is the home of the docker user, containing the executables in user-space
-</file>
-==== ... and the permissions of the files ====
-For me i would like the files only be read/writeable for user docker and group docker, which is very safe:
 <code>
-#:~ # cd /srv
+export DOCKER_CONFIG=${DOCKER_CONFIG:-$HOME/.docker}
-#:/srv # chown docker docker* -R
-#:/srv # chgrp docker docker* -R
-#:/srv # setfacl -m d:u::rwX -R docker*
-#:/srv # setfacl -m d:g::rwX -R docker*
-#:/srv # setfacl -m d:o::--- -R docker*
-#:/srv # setfacl -m u::rwX -R docker*
-#:/srv # setfacl -m g::rwX -R docker*
-#:/srv # setfacl -m o::--- -R docker*
 </code>
-That way, others do not have any access to the files or folders.
+Then relog to the docker user and do as the doc says to install and check you install:
-=== Compatibility Mode ===
-There are Dockers out there, that are not aware of rootless-modes. One example (date up to now) is phpmyadmin. It will create files in docker-start- script and they will have the default permissions - which are safe, but now won't work any more.
-So you may change the default for others to be readable:
 <code>
-#:~ # cd /srv
+docker@pcserver2023:~> mkdir -p $DOCKER_CONFIG/cli-plugins
-#:/srv # setfacl -m d:o::r-X -R /srv/docker
+docker@pcserver2023:~> curl -SL https://github.com/docker/compose/releases/download/v2.26.1/docker-compose-linux-x86_64 -o $DOCKER_CONFIG/cli-plugins/docker-compose
-#:/srv # setfacl -m o::r-X -R /srv/docker
+  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
-#:/srv # setfacl -m d:o::--- -R /srv/docker/volumes
+                                 Dload  Upload   Total   Spent    Left  Speed
-#:/srv # setfacl -m o::--- -R /srv/docker/volumes
+     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
+59.8M  100 59.8M    0     0  9951k      0  0:00:06  0:00:06 --:--:-- 11.4M
+docker@pcserver2023:~> chmod +x $DOCKER_CONFIG/cli-plugins/docker-compose
+docker@pcserver2023:~> docker compose version
+Docker Compose version v2.26.1
+docker@pcserver2023:~>
 </code>
-The docker- daemon will create all files that are downloaded and created in a container as the facls are set if not forced to have other permissions by the docker-app itself.
+Your done with the compose plugin
-=== Volume- Permissions ===
+===== Update =====
-Usually all the data- files are kept in Volumes. Unfortunatelly, docker does not care about linux acls and user permissions in Volumes - or to be more precise: it overwrites them.
+If you want to update your docker- installation, there is not update- process but to use the same script again:
-So if you would like to have your files really secured from other user, you can create the volume with an umask - e.g.:
+<file>
+#!/bin/bash
+#Upgrade docker rootless and plugin
+systemctl --user stop docker
+rm -f ~/bin/dockerd
+curl -fsSL https://get.docker.com/rootless | sh
+#need to give the new binary permissions to acces privileged network ports (beneath 1024)
+sudo setcap 'cap_net_bind_service=+ep' ~/bin/rootlesskit
-''docker volume create portainer_data –opt o=umask=0007'' \\
+# If you installed docker compose, check the newest version first at https://github.com/docker/compose/releases/latest
-That would make all files in the Volume have the right permissions.
+curl -SL https://github.com/docker/compose/releases/download/v2.27.0/docker-compose-linux-x86_64 -o $DOCKER_CONFIG/cli-plugins/docker-compose
-In Docker-Compose use this in your yml:
+</file>
-<code>
-volumes:
-  volumename:
-    driver_opts:
-      device: ""
-      type: ""
-      o: "umask=0007"
-</code>
+===== Create a place for Yamls =====
+Now, that you have compose, you can use it to setup your services with YAML- Files. Each service should have a directory for its own.
-Device and type need to be there, but can be empty to use default values.
+Make a directory with ''mkdir ~/docker_compose''  and change to it.
 ===== First Docker App: Portainer =====
-Now - finally its time for our first running Container. As the Portainer- App is the most important Management- Software in Docker, let's run it in a safe userspaced way now.
+Now - finally its time for our first running Container. As the Portainer- App is an important Management- Software in Docker for inexperienced users, let's run it in a safe userspaced way now.
-As always, SSH into your docker- user and than create the folders and yml-files for portainer.
+As always, SSH into your docker- user and than create the folders and yml-files for docker compose and portainer.
+<code>
-<code>
 obel1x@server:~> ssh localhost -l docker
 Password:
-docker@server:~> cd /srv/docker-compose/
+docker@pcserver2023:~> cd ~/docker_compose
-docker@server:~> mkdir portainer
+docker@pcserver2023:~/docker_compose> mkdir portainer
-docker@server:/srv/docker-compose> cd portainer
+docker@pcserver2023:~/docker_compose> cd portainer
-docker@server:/srv/docker-compose/portainer> getfacl .
+docker@pcserver2023:~/docker_compose> touch docker-compose.yml
-# file: .
+docker@pcserver2023:~/docker_compose>
-# owner: docker
-# group: docker
-user::rwx
-group::rwx
-other::---
-default:user::rwx
-default:group::rwx
-default:other::---
-docker@server:/srv/docker-compose/portainer> touch docker-compose.yml
 </code>
-put the following into that file:
+Put the following into that file:
 <file>
-version: "3.8"
 services:
  portainer:
@@ Zeile 340: / Zeile 388: @@
 volumes:
  portainer_data:
-   driver_opts:
-     device: ""
-     type: ""
-     o: "umask=0007"
 </file>
-now start your app:
+Check, that the Socket- Path is the correct one.
-<code>
+Now start your app and look the magic:
-docker@server:~> docker-compose up -d
-[...]
-⠿ Container portainer-portainer-1    Started
-</code>
-Check the volume has been created at the right location and do have the right umask set:
 <code>
-docker@server:~> docker volume inspect portainer_portainer_data
+docker@pcserver2023:~/docker_compose/portainer> docker compose up -d
-[
+[+] Running 12/12
-{
+ ✔ portainer Pulled                                                                                                            17.6s
-"CreatedAt": "2023-12-21T09:37:16+01:00",
+   ✔ 379538b6d68e Pull complete                                                                                                 0.5s
-"Driver": "local",
+   ✔ 4ea3e2c3a39b Pull complete                                                                                                 0.5s
-"Labels": {
+   ✔ 5171176db7f2 Pull complete                                                                                                 3.8s
-"com.docker.compose.project": "portainer",
+   ✔ 52e9438966a5 Pull complete                                                                                                 6.5s
-"com.docker.compose.version": "2.14.2",
+   ✔ 43d4775415ac Pull complete                                                                                                 6.7s
-"com.docker.compose.volume": "portainer_data"
+   ✔ c1cad9f5200f Pull complete                                                                                                 9.6s
-},
+   ✔ 22eab514564f Pull complete                                                                                                 7.1s
-"Mountpoint": "**/srv/docker/volumes/portainer_portainer_data/_data**",
+   ✔ 962b9fa821a2 Pull complete                                                                                                10.0s
-"Name": "portainer_portainer_data",
+   ✔ c153fefda5ce Pull complete                                                                                                10.9s
-"Options": {
+   ✔ bed990c4615b Pull complete                                                                                                10.2s
-"device": "_ckgedit>,
+   ✔ 4f4fb700ef54 Pull complete                                                                                                10.5s
-**"o": "umask=0007"**,
+[+] Running 3/3
-"type": "_ckgedit>
+ ✔ Network portainer_default          Created                                                                                   0.2s
-},
+ ✔ Volume "portainer_portainer_data"  Created                                                                                   0.1s
-"Scope": "local"
+ ✔ Container portainer-portainer-1    Started                                                                                   0.3s
-}
+docker@pcserver2023:~/docker_compose/portainer>
-]
 </code>
-and finally if the files have been created only readable by the user:
+Now you can go to [[http://localhost:9000|http://localhost:9000]] and pick a password to finish the setup of Portainer using the local Environment and enjoy the docker-party:
-<code>
-ls /srv/docker/volumes/portainer_portainer_data/* -l -R
--rw——- 1 docker docker 77 21. Dez 09:37 /srv/docker/volumes/portainer_portainer_data/opts.json
-/srv/docker/volumes/portainer_portainer_data/_data:
-insgesamt 40
-drwx——+ 2 docker docker 6 21. Dez 09:37 bin
-drwx——+ 2 docker docker 37 21. Dez 09:37 certs
-drwx——+ 2 docker docker 29 21. Dez 09:37 chisel
-drwx——+ 2 docker docker 6 21. Dez 09:37 compose
-drwx——+ 2 docker docker 25 21. Dez 09:37 docker_config
--rw——- 1 docker docker 65536 21. Dez 09:37 portainer.db
--rw——- 1 docker docker 227 21. Dez 09:37 portainer.key
--rw——- 1 docker docker 190 21. Dez 09:37 portainer.pub
-drwx——+ 2 docker docker 6 21. Dez 09:37 tls
-/srv/docker/volumes/portainer_portainer_data/_data/bin:
-insgesamt 0
-/srv/docker/volumes/portainer_portainer_data/_data/certs:
-insgesamt 8
--rw——- 1 docker docker 518 21. Dez 09:37 cert.pem
--rw——- 1 docker docker 227 21. Dez 09:37 key.pem
-/srv/docker/volumes/portainer_portainer_data/_data/chisel:
-insgesamt 4
--rw——- 1 docker docker 227 21. Dez 09:37 private-key.pem
-/srv/docker/volumes/portainer_portainer_data/_data/compose:
-insgesamt 0
-/srv/docker/volumes/portainer_portainer_data/_data/docker_config:
-insgesamt 4
--rw-r—– 1 docker docker 389 21. Dez 09:37 config.json
-/srv/docker/volumes/portainer_portainer_data/_data/tls:
-insgesamt 0
-</code>
-this is amazing, right ;) ?
-Now you can go to [[http://localhost:9000|http://localhost:9000]] and finish the setup of Portainer using the local environement and enjoy the docker-party:
 {{  .:screenshot_20231221_101150.png?968x260  }}
-Thats all here, cheers!
+Thats all: Docker is running and serving your services, cheers!