Unterschiede

Hier werden die Unterschiede zwischen zwei Versionen angezeigt.

--- content:serverbasics:docker [2024/04/20 14:31] – [First Docker App: Portainer] Daniel
+++ content:serverbasics:docker [2025/02/08 11:30] (aktuell) – [Update] Daniel
@@ Zeile 1: / Zeile 1: @@
-====== Docker (rootless) ======
+====== Docker (rootless) + Portainer ======
-Docker is a powerful solution for setting up Services. This on will give you hints how to setup Docker in a good way.
+Docker is a powerful solution for setting up Services. This short Introducion will give you hints how to setup Docker in a good way in userspace, so no root-access is needed for Docker.
-Currently i am Experimenting on that topic, so maybe this documentation will be ready to use, maybe not.
+Currently i am experimenting on that topic, so maybe this documentation will be ready to use, maybe not.
 Docker itself is nice, but it will run as root per default, which is a no-go at all. This will setup Docker in rootless- mode on OpenSuSE (currently Leap 15.5).
+__**Warning: This is a very strong advise NOT to use docker default in rootmode at all! **__  The reason is, that any service is able to talk to the Docker Daemon if there is a connection to the Docker socket in the Volumes (which some services require) - or simply if thers a bug somewhere. By that way, the Docker Container will be able to set up ANY service and bind ANY location on the Host, that the docker user may be able to see. So if the Service gets taken over and the service ist runnig as root… you know where you are.
+So just: Don't set up Docker rootfull at all if possible - its even not neeeded nowadays.
 ===== Filesystem Layout =====
-Mind, that at the time writing, ''overlay2'' is the way to go as storage driver in docker, but it only supports xfs as backing filesystems (with ''d_type=true'' which means ''ftype=1'' ).
+Mind, that at the time writing, ''overlay2'' is the way to go as storage driver in docker, but it only supports xfs as backing filesystems (with ''d_type=true'' which means ''ftype=1'' ) for full support.
-I personally dislike xfs, especially while its not rubust and won't shrink. I use it anyway, because of its srong advise to do so - with kernel 5.19+ it should be possible to get overlay2 working on btrfs, but still there are thinks that may not work even with that kernel.
+I personally dislike xfs, especially while its not rubust and won't shrink. I use it anyway, because of its srong advise to do so - with kernel 5.19+ it should be possible to get overlay2 working on btrfs, but still there are things that may not work even with that kernel - in the worst case, docker is unable to unlink files, so there will be huge Containers and Volumes and maybe Services will break.
 So make sure, that the Home-Directory of you docker user is on XFS. The ftype is already ok on SuSE 15.5, check output of ''xfs_info <volumename>''.
-Warning: you may have umask set your way - i prefer 007 as writte before. But if you change umask and permissions be very cautious, as docker uses userid- mapping and may change the permissions and ownersets of files in its directory to the subuserid. That may change the ownership in a way, that even the docker user on the host cannot access the Files, which is OK !
+Warning: you may have umask set your way - i prefer 007 as written before. But if you change umask and permissions be very cautious, as docker uses userid- mapping and may change the permissions and ownersets of files in its directory to the subuserid.
+That may change the ownership in a way, that even the docker user on the host cannot access the Files, which is OK !
+__**STRONG WARNING: Don't change permissions or ownership of docker- directories on the Host directly as this will change them in the container, making them unavaiable and break your Services !!!**__
+__**The only way to manage Volume- File- Permissions is to bash inside the running container itself and to change them there (to the right values of course)!**__
-__**STRONG WARNING: Don't change permissions or ownership of docker- directories on the Host directly as this will chage them in the container an break your Services !!!**__
+A short hint: Docker rootless uses Sub(g)uids, which is a feature of Linux. That means each user has a range of userids (quite a huge range) and groupid which the user may use. Those will be exclusive reserved for that user. But it does not mean, that the User can acces the Files created by those Subuids! Also the UIDs are onyl a number - not a real user in Linux having a username- They cannot be used to logon or to work with. Docker manages internally which Host-Subuserid is assigned to which caontainer and to which userid inside the running container/service. Inside the Container, you may become that user having a real username and a (different) uid.
-__**The only way to manage Volume- File- Permissions is to bash inside the running container itself and to change them there!**__
 ===== Packages NOT to install =====
-I had really a lot of troubles with the package in the AddOn- Repository: ''[[https://download.opensuse.org/repositories/Virtualization:/containers/${releasever}/|https://download.opensuse.org/repositories/Virtualization:/containers/${releasever}/]]'' while they are not installing docker the same way, that docker would do. For example they will not be installed in User-Subspace only, but will use systems Docker executables installed in global paths. This is a problem when using btrfs - as btrfs is not fully compatible with docker. So i won't use this any more.
+I had really a lot of troubles with the package Docker-Rootless in the AddOn- Repository: ''[[https://download.opensuse.org/repositories/Virtualization:/containers/${releasever}/|https://download.opensuse.org/repositories/Virtualization:/containers/${releasever}/]]'' while they are not installing docker the same way, that docker would do. For example they will not be installed in User-Subspace only, but will use systems Docker executables installed in global paths. This is a problem when using btrfs - as btrfs is not fully compatible with docker. So i won't use this any more.
 So i disabled the following packages and locked them to never install:
@@ Zeile 34: / Zeile 43: @@
 ===== Docker- User =====
-Create a new **group**  called **docker**  and a new **user**  called **docker**. Make the user have the **default group docker**.
+Create a new **group**  called **docker**  and a new **user**  called **docker**. Make the user is in the **default group docker**.
 Attention: The Home Directory should be on a volume having XFS as btrfs or others are not fully supported right now (20.04.2024 - patches in new Kernel 5.19 are incoming, but this Kernel is not released until now and still there are some problems open in developement there).
@@ Zeile 261: / Zeile 270: @@
  Product License: Community Engine
+</code>
+==== Additional knowledge ====
+  * Storage driver and FS-Type : overlay2 should always be used, btrfs is outdated! XFS and d_type are important!
+  * CGroup Version needs to be 2 or better
+  * If you see Docker complaining about Module aufs at start: do not care about - that module is obsolete
+===== IP-Filter =====
+When starting Docker, an the log says:
+<code>
+level=warning msg="Running modprobe bridge br_netfilter failed with message: modprobe: ERROR: could not insert 'br_netfilter': Operation not permitted\ninsmod /lib/modul>
+level=info msg="skipping firewalld management for rootless mode"
+</code>
+You first need to load the module with modprobe.
+For system startup, use ''/etc/modules-load.d''  and creat e a file ''docker-rootless.conf''  in it, containing that module.
+===== IPTables =====
+If you see ''docker info''  saying:
+<code>
 WARNING: bridge-nf-call-iptables is disabled
 WARNING: bridge-nf-call-ip6tables is disabled
@@ Zeile 266: / Zeile 302: @@
 </code>
-Important things:
+This should be fixed by:
-  * Storage driver and FS-Type : overlay2 should always be used, btrfs is outdated! XFS and d_type are important!
+<code>
-  * CGroup Version needs to be 2 or better
+# sudo echo "net.bridge.bridge-nf-call-iptables = 1">> /etc/sysctl.conf
+# sudo echo "net.bridge.bridge-nf-call-ip6tables = 1">> /etc/sysctl.conf
+# sudo modprobe br_netfilter
+# sudo sysctl --system
+</code>
 ===== Configuring Docker Daemon =====
@@ Zeile 277: / Zeile 318: @@
 ''~/.config/docker/daemon.json''
-**by default, the path and the file is not existent, create it within the docker user**.
+**by default, the path and the file is not existent, __create it new__  within the docker user**.
-For example, enable ipv6. See [[https://docs.docker.com/config/daemon/ipv6/|https://docs.docker.com/config/daemon/ipv6/]] for details.
+For example, enable IPv6. See [[https://docs.docker.com/config/daemon/ipv6/|https://docs.docker.com/config/daemon/ipv6/]] for details.
 <file>
 {
- "experimental": true,
  "ip6tables": true,
+ "ipv6": true,
+ "fixed-cidr-v6": "fd12:3456:789a:1::/64",
  "log-opts": {
    "max-size": "10m",
@@ Zeile 293: / Zeile 335: @@
 </file>
-Notice: Don't use ''userns-remap''  - this won't work and makes no sense in rootless.
+Notice: Don't use ''userns-remap''  - this won't work and makes no sense in rootless!
+Edit: "experimental": true has been removed for ipv6 with docker v27.
+You need to adjust cidr to some unique ULA. ULAs are non internet routable adresses (like 192.X.X.X in ipv4). Select an unique adress only for that internal Docker network - you can choose anything that is not assigned anywhere else on your network to not cause trouble.
+Maybe use this tool to generate: [[https://www.unique-local-ipv6.com|https://www.unique-local-ipv6.com]]
+===== Networking in Docker rootless =====
+If you read docs in the net about networking with Docker you may see docker0 as bridge network. While this network is also there in docker rootless, you will not find that network as interface on your host like you would on a rootful docker.
+Instead the network is encapsulated in the environement of rootlesskit and not visible to the host. From the Hosts view Docker is just another Application running on your Host talking to the internet like some app would do.
 ===== Install docker compose =====
-The command ''docker-compose'' has been obsoleted and been replaced by a plugin ''compose'' for docker (see [[https://docs.docker.com/compose/install/|https://docs.docker.com/compose/install/]]).
+**This Chapter may be obsolete as since docker v27 the compose plugin is part of installation script - check your output of ''docker info''  for the installed Plugins and if ''docker compose version''  already has a version. If so, skip this.**
+The command ''docker-compose''  has been obsoleted and been replaced by a plugin ''compose''  for docker (see [[https://docs.docker.com/compose/install/|https://docs.docker.com/compose/install/]]).
 Installing it the manual way:
-Edit the File ''~/.bashrc'' and add:
+Edit the File ''~/.bashrc''  and add:
 <code>
@@ Zeile 325: / Zeile 381: @@
 Your done with the compose plugin
+===== Update =====
+If you want to update your docker- installation, there is not update- process but to use the same script again:
+<file>
+#!/bin/bash
+#Upgrade docker rootless and plugin
+./docker_stop_all.sh
+sleep 5
+systemctl --user stop docker
+sleep 5
+#uninstall
+rm -f ~/bin/dockerd
+rm ~/.config/systemd/user/docker.service.bak
+mv ~/.config/systemd/user/docker.service ~/.config/systemd/user/docker.service.bak
+#reinstall docker compose
+COMPOSE_VER='2.32.4'
+rm $DOCKER_CONFIG/cli-plugins/docker-compose
+echo "Download Docker Compose Release ${COMPOSE_VER} - please check at https://github.com/docker/compose/releases for the newes Version and change this File"
+curl -SL https://github.com/docker/compose/releases/download/v${COMPOSE_VER}/docker-compose-linux-x86_64 -o $DOCKER_CONFIG/cli-plugins/docker-compose
+chmod +x $DOCKER_CONFIG/cli-plugins/docker-compose
+#install docker
+curl -fsSL https://get.docker.com/rootless | sh
+#need to give the new binary permissions to acces privileged network ports (beneath 1024)
+sudo setcap 'cap_net_bind_service=+ep' ~/bin/rootlesskit
+#this should be everything
+docker info
+</file>
@@ Zeile 331: / Zeile 417: @@
 Now, that you have compose, you can use it to setup your services with YAML- Files. Each service should have a directory for its own.
-Make a directory with ''mkdir ~/docker_compose'' and change to it.
+Make a directory with ''mkdir ~/docker_compose''  and change to it.
 ===== First Docker App: Portainer =====
@@ Zeile 337: / Zeile 424: @@
 As always, SSH into your docker- user and than create the folders and yml-files for docker compose and portainer.
 <code>
 obel1x@server:~> ssh localhost -l docker
 Password:
@@ Zeile 395: / Zeile 482: @@
 </code>
-Now you can go to http://localhost:9000 and pick a password to finish the setup of Portainer using the local Environment and enjoy the docker-party:
+Now you can go to [[http://localhost:9000|http://localhost:9000]] and pick a password to finish the setup of Portainer using the local Environment and enjoy the docker-party:
 {{  .:screenshot_20231221_101150.png?968x260  }}
 Thats all: Docker is running and serving your services, cheers!
+===== Fast Stop of all Containers =====
+This makes life easy ''docker_stop_all.sh'':
+<file>
+#!/bin/bash
+docker stop $(docker ps -a -q)
+docker rm $(docker ps -a -q)
+</file>