Differences
This page shows the differences between two revisions of the page.
content:serverbasics:docker [2023/12/21 07:38] – [Optional Docker- Directory] Daniel | content:serverbasics:docker [2024/05/18 11:11] (current) – [Update] Daniel | ||
Line 1: | Line 1: | ||
- | ====== Docker ====== | + | ====== Docker |
Docker is a powerful solution for setting up Services. This on will give you hints how to setup Docker in a good way. | Docker is a powerful solution for setting up Services. This on will give you hints how to setup Docker in a good way. | ||
Currently i am Experimenting on that topic, so maybe this documentation will be ready to use, maybe not. | Currently i am Experimenting on that topic, so maybe this documentation will be ready to use, maybe not. | ||
- | |||
- | ===== Docker rootless ===== | ||
Docker itself is nice, but it will run as root per default, which is a no-go at all. This will setup Docker in rootless- mode on OpenSuSE (currently Leap 15.5). | Docker itself is nice, but it will run as root per default, which is a no-go at all. This will setup Docker in rootless- mode on OpenSuSE (currently Leap 15.5). | ||
- | ==== Package | + | ===== Filesystem Layout ===== |
- | While Docker-Rootless is not in the main Repositories, first add the AddOn- Repository: | + | Mind, that at the time writing, '' |
- | Then install the package | + | I personally dislike xfs, especially while its not rubust and won't shrink. I use it anyway, because of its srong advise to do so - with kernel 5.19+ it should be possible to get overlay2 working on btrfs, but still there are thinks that may not work even with that kernel. |
- | ==== User ==== | + | |
- | Create a new user and maybe give this user another home-directory, as it will store all files of docker. | + | So make sure, that the Home-Directory |
- | Let's say choose home ''/ | + | Warning: you may have umask set your way - i prefer 007 as writte before. But if you change umask and permissions be very cautious, as docker |
- | Also it may be a good choice, not to have this user added to " | + | __**STRONG WARNING: Don't change permissions or ownership of docker- directories on the Host directly as this will chage them in the container an break your Services !!!**__ |
+ | __**The only way to manage Volume- File- Permissions is to bash inside the running container itself and to change them there!**__ | ||
+ | ===== Packages NOT to install ===== | ||
- | ==== Install rootless | + | I had really a lot of troubles with the package in the AddOn- Repository: '' |
- | Warning: You CANNOT sudo to this user and install docker | + | So i disabled the following packages and locked them to never install: |
+ | |||
+ | * docker | ||
+ | * docker-compose | ||
+ | * containerd | ||
+ | |||
+ | Check out beneath for install the docker way. | ||
+ | |||
+ | ===== Docker- User ===== | ||
+ | |||
+ | Create a new **group** | ||
+ | |||
+ | Attention: The Home Directory should be on a volume having XFS as btrfs or others are not fully supported right now (20.04.2024 - patches in new Kernel 5.19 are incoming, but this Kernel is not released until now and still there are some problems open in developement there). | ||
+ | |||
+ | ===== cGroups v2 ===== | ||
+ | |||
+ | OpenSuSE Leap 15.5 does not have cGroups v2 enabled, which are needed by docker. | ||
+ | |||
+ | You may see a warning (later) when running '' | ||
+ | |||
+ | '' | ||
+ | |||
+ | According to this documentation [[https:// | ||
+ | |||
+ | '' | ||
+ | |||
+ | and also the delegation for the user of cpu is needed: | ||
+ | < | ||
+ | |||
+ | $ sudo mkdir -p / | ||
+ | $ cat <<EOF | sudo tee / | ||
+ | [Service] | ||
+ | Delegate=cpu cpuset io memory pids | ||
+ | EOF | ||
+ | $ sudo systemctl daemon-reload | ||
+ | |||
+ | </ | ||
+ | |||
+ | after this, reboot and check if ''/ | ||
+ | |||
+ | After installing docker (see beneath), check if '' | ||
+ | < | ||
+ | |||
+ | Cgroup Driver: systemd | ||
+ | Cgroup Version: 2 | ||
+ | |||
+ | </ | ||
+ | |||
+ | Than, its fine. | ||
+ | |||
+ | ===== Install rootless Docker ===== | ||
+ | |||
+ | Warning: You CANNOT sudo to the user and install docker, | ||
< | < | ||
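Review bot: the permissions warning at the end of the new Filesystem Layout section ("Don't change permissions or ownership of docker- directories on the Host directly as this will chage them in the container" and "The only way to manage Volume- File- Permissions is to bash inside the running container itself") describes a real symptom but gives no reason and an overstated fix. A rootless daemon runs inside a user namespace: a file a container writes as root appears on the host owned by the docker user, and a file written as container UID N appears owned by the subordinate UID mapped for the docker user through /etc/subuid, so a host-side `chown docker:docker` silently turns everything into root-owned files as seen from inside the container. Say that, and rather than sending readers into a root shell of a running service container, point at a throwaway container on the same volume (e.g. `docker run --rm -v portainer_data:/data alpine chown -R 1000:1000 /data`, with the volume name and IDs adjusted). Two smaller points in this hunk: the cGroups v2 section claims cgroup v2 is "needed by docker", but in rootless mode it is needed only for resource limits (`--memory`, `--cpus`, `--pids-limit`); the daemon itself starts without it, so state what breaks without it. And the XFS paragraph under Docker- User repeats the Filesystem Layout paragraph and says kernel 5.19 "is not released until now"; 5.19 has been mainline since 2022, what is missing is a Leap 15.5 kernel carrying it, so keep the statement once and say it that way.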
Line 37: | Line 88: | ||
</ | </ | ||
- | I chose to ssh into my machine directly: | + | I chose to ssh into my machine directly, than check your umask to be secure and install docker like this: |
- | <file> | + | <code> |
- | #> ssh localhost -l docker | + | # ~> ssh localhost -l docker |
- | #> pwd | + | Password: |
- | / | + | Have a lot of fun... |
- | #> dockerd-rootless-setuptool.sh check | + | docker@pcserver2023: |
- | [INFO] Requirements are satisfied | + | 0007 |
- | #> dockerd-rootless-setuptool.sh install | + | docker@pcserver2023: |
- | [INFO] Creating /srv/docker-user/ | + | # Installing stable version 25.0.2 |
+ | # Executing docker rootless install script, commit: 3b2a83b | ||
+ | % Total % Received % Xferd Average Speed | ||
+ | | ||
+ | 100 68.2M 100 68.2M 0 | ||
+ | % Total % Received % Xferd Average Speed | ||
+ | | ||
+ | 100 19.7M 100 19.7M 0 | ||
+ | + PATH=/ | ||
+ | + / | ||
+ | [INFO] Creating /home/ | ||
[INFO] starting systemd service docker.service | [INFO] starting systemd service docker.service | ||
+ systemctl --user start docker.service | + systemctl --user start docker.service | ||
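Review bot: the install step pipes the remote installer straight into a shell (the prompt line is cut off in this rendering, but "# Executing docker rootless install script, commit: 3b2a83b" is the banner of the `get.docker.com/rootless` script that the Update section later fetches again with `curl -fsSL https://...`). On a host set up specifically to avoid a root daemon, download the script to a file, read it, and only then run it, and tell the reader what it leaves behind: static binaries under `/home/docker/bin` (the two downloads, 68.2M and 19.7M, are the docker tarball and the rootless extras with rootlesskit and vpnkit) that zypper will never update or verify, so the page should state who is responsible for keeping them current. The `umask` check returning `0007` before the install is the right idea and deserves one sentence on why it matters here: it is what makes the installed tree and the later volume data unreadable to other local users, which is the umask advice from the Filesystem Layout section applied. The `ssh localhost -l docker` line should also say why ssh rather than `su`/`sudo -u` is used: `systemctl --user` needs a real login session with `XDG_RUNTIME_DIR` set, which `su` does not create; `machinectl shell docker@` is the usual alternative when sshd is not wanted on the box.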
Line 54: | Line 115: | ||
+ systemctl --user --no-pager --full status docker.service | + systemctl --user --no-pager --full status docker.service | ||
● docker.service - Docker Application Container Engine (Rootless) | ● docker.service - Docker Application Container Engine (Rootless) | ||
- | | + | Loaded: loaded (/home/ |
- | Active: active (running) since Tue 2023-12-19 17:53:39 CET; 3s ago | + | |
- | Docs: https:// | + | |
- | Main PID: 6774 (rootlesskit) | + | |
- | CGroup: / | + | |
- | ├─ | + | |
- | p=auto --disable-host-loopback --port-driver=builtin --copy-up=/ | + | CPU: 224ms |
- | in/ | + | CGroup: / |
- | ├─ | + | |
- | comp=auto --disable-host-loopback --port-driver=builtin --copy-up=/ | + | |
- | r/ | + | |
- | ├─ | + | |
- | 85 tap0 | + | |
- | ├─ | + | |
- | └─ | + | |
+ DOCKER_HOST=unix:/// | + DOCKER_HOST=unix:/// | ||
- | + /usr/bin/docker version | + | + /home/docker/bin/docker version |
Client: | Client: | ||
- | Version: | + | Version: |
- | API version: | + | API version: |
- | Go version: | + | Go version: |
- | Git commit: | + | Git commit: |
- | Built: | + | |
- | OS/ | + | |
- | Context: | + | |
- | Server: | + | Server: |
- | Engine: | + | |
- | | + | Version: |
- | API version: | + | API version: |
- | Go version: | + | Go version: |
- | Git commit: | + | Git commit: |
- | | + | Built: |
- | | + | OS/ |
- | | + | Experimental: |
- | containerd: | + | |
- | | + | Version: |
- | | + | GitCommit: |
- | runc: | + | |
- | | + | Version: |
- | | + | GitCommit: |
- | docker-init: | + | |
- | | + | Version: |
- | | + | GitCommit: |
- | rootlesskit: | + | |
- | | + | Version: |
- | | + | ApiVersion: |
- | | + | NetworkDriver: |
- | | + | PortDriver: |
- | | + | StateDir: |
- | slirp4netns: | + | vpnkit: |
- | | + | Version: |
- | | + | |
+ systemctl --user enable docker.service | + systemctl --user enable docker.service | ||
- | Created symlink /srv/docker-user/ | + | Created symlink /home/ |
- | config/ | + | |
[INFO] Installed docker.service successfully. | [INFO] Installed docker.service successfully. | ||
[INFO] To control docker.service, | [INFO] To control docker.service, | ||
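Review bot: the status output shows the unit started and enabled (`systemctl --user enable docker.service`, `Created symlink /home/...`), but enabling a user unit does not keep it alive after the docker user logs out; the user manager is torn down with the last session unless lingering is switched on with `sudo loginctl enable-linger docker`. The installer prints exactly that hint right after the "Installed docker.service successfully." line, which is where this excerpt stops, so show it and make it an explicit step, otherwise the Portainer container from the last section stops as soon as the SSH session ends. One other thing the version block makes visible: the old revision's daemon used `slirp4netns` and the new one reports `vpnkit` as the network backend (that is what the current rootless-extras tarball ships). That is fine, but a sentence on it would help, since the combination of network driver and port driver (`--port-driver=builtin` in the old status output) decides throughput and whether containers see real client source addresses; Docker's rootless documentation lists the trade-offs.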
Line 120: | Line 177: | ||
[INFO] Make sure the following environment variable(s) are set (or add them to ~/.bashrc): | [INFO] Make sure the following environment variable(s) are set (or add them to ~/.bashrc): | ||
- | export PATH=/usr/bin:$PATH | + | export PATH=/home/docker/bin:$PATH |
[INFO] Some applications may require the following environment variable too: | [INFO] Some applications may require the following environment variable too: | ||
export DOCKER_HOST=unix:/// | export DOCKER_HOST=unix:/// | ||
- | </ | + | </code> |
+ | |||
+ | So, this looks very nice. **Important: | ||
+ | |||
+ | ===== Check Docker install ===== | ||
+ | |||
+ | Log out of docker user if you are still in from install. Then, log back in to apply the bashrc- settings. | ||
+ | |||
+ | Ceck the Environement to have the settings: | ||
+ | < | ||
+ | |||
+ | docker@pcserver2023: | ||
+ | Connection to localhost closed. | ||
+ | obel1x@pcserver2023: | ||
+ | Password: | ||
+ | Last login: Sat Apr 20 15:18:56 2024 from ::1 | ||
+ | Have a lot of fun... | ||
+ | docker@pcserver2023: | ||
+ | unix:/// | ||
+ | |||
+ | </ | ||
+ | |||
+ | Now check '' | ||
+ | |||
+ | < | ||
+ | docker@pcserver2023: | ||
+ | Client: | ||
+ | | ||
+ | | ||
+ | Debug Mode: false | ||
+ | |||
+ | Server: | ||
+ | | ||
+ | Running: 0 | ||
+ | Paused: 0 | ||
+ | Stopped: 0 | ||
+ | | ||
+ | | ||
+ | | ||
+ | Backing Filesystem: xfs | ||
+ | Supports d_type: true | ||
+ | Using metacopy: false | ||
+ | Native Overlay Diff: false | ||
+ | userxattr: true | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | Volume: local | ||
+ | Network: bridge host ipvlan macvlan null overlay | ||
+ | Log: awslogs fluentd gcplogs gelf journald json-file local splunk syslog | ||
+ | | ||
+ | | ||
+ | | ||
+ | Init Binary: docker-init | ||
+ | | ||
+ | runc version: v1.1.12-0-g51d5e94 | ||
+ | init version: de40ad0 | ||
+ | | ||
+ | seccomp | ||
+ | | ||
+ | rootless | ||
+ | cgroupns | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | CPUs: 8 | ||
+ | Total Memory: 30.79GiB | ||
+ | Name: pcserver2023 | ||
+ | ID: 45699224-ea9c-4865-8dea-a53bb20b788c | ||
+ | | ||
+ | Debug Mode: false | ||
+ | | ||
+ | | ||
+ | 127.0.0.0/ | ||
+ | Live Restore Enabled: false | ||
+ | | ||
+ | |||
+ | WARNING: bridge-nf-call-iptables is disabled | ||
+ | WARNING: bridge-nf-call-ip6tables is disabled | ||
+ | |||
+ | </code> | ||
+ | |||
+ | Important things: | ||
- | So, this looks nice. | + | * Storage driver and FS-Type : overlay2 should always be used, btrfs is outdated! XFS and d_type are important! |
+ | * CGroup Version needs to be 2 or better | ||
- | Mind, that now your volumes are under ''/ | + | ===== Configuring |
- | ==== Optional | + | |
in rootless-mode, | in rootless-mode, | ||
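Review bot: the "Important things" list after `docker info` should also point at the `Security Options` lines, because that is where a reader verifies the daemon really is rootless: `seccomp`, `rootless` and `cgroupns` are listed, `apparmor` is not. The absence is expected (Docker's rootless mode does not support AppArmor), but on openSUSE Leap, where a root daemon would confine containers with the docker-default AppArmor profile, readers should be told that the rootless daemon trades that layer for the user namespace. The first bullet, "overlay2 should always be used, btrfs is outdated! XFS and d_type are important!", mixes two different things: `btrfs` as a storage driver (what overlay2 replaces) and btrfs as the backing filesystem under overlay2 (what the Filesystem Layout section says does not work reliably on Leap's kernel); reword it so the three checks are named as they appear in the output, `Storage Driver: overlay2`, `Backing Filesystem: xfs`, `Supports d_type: true`. The `Cgroup Version` line the second bullet refers to is cut off inside the long dump in this rendering; quote it in the prose as the cGroups v2 section already does.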
Line 136: | Line 277: | ||
'' | '' | ||
- | by default, the path and the file is not existent, | + | **by default, the path and the file is not existent, |
- | + | ||
- | For example us another directory für your data in that file: | + | |
+ | For example, enable IPv6. See [[https:// | ||
< | < | ||
+ | |||
{ | { | ||
- | " | + | " |
- | " | + | " |
- | " | + | " |
- | " | + | " |
" | " | ||
" | " | ||
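Review bot: the daemon.json example cannot be used as rendered: every key in the JSON block is cut down to `"` and the path in the line above it to `''`, so name the path in words (for a rootless daemon the file is `~/.config/docker/daemon.json` of the docker user, not `/etc/docker/daemon.json`) and list the keys in the prose as well, not only inside the block. Since the Filesystem Layout section makes XFS a requirement, say explicitly that if the data directory is moved through this file (the old revision's example, "use another directory for your data", did exactly that) the new location has to be on XFS too, or the `Backing Filesystem: xfs` check from `docker info` no longer holds.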
Line 154: | Line 295: | ||
</ | </ | ||
- | Mind, that at the time writing | + | You need to adjust cidr to match your network, check first 4 blocks of '' |
+ | |||
+ | Notice: Don't use '' | ||
+ | |||
+ | ===== Install docker compose ===== | ||
+ | |||
+ | The command | ||
+ | |||
+ | Installing it the manual way: | ||
+ | |||
+ | Edit the File '' | ||
+ | < | ||
+ | |||
+ | export DOCKER_CONFIG=${DOCKER_CONFIG: | ||
+ | |||
+ | </ | ||
+ | |||
+ | Then relog to the docker user and do as the doc says to install and check you install: | ||
+ | |||
+ | < | ||
+ | docker@pcserver2023: | ||
+ | docker@pcserver2023: | ||
+ | % Total % Received % Xferd Average Speed | ||
+ | | ||
+ | 0 | ||
+ | 100 59.8M 100 59.8M 0 | ||
+ | docker@pcserver2023: | ||
+ | docker@pcserver2023: | ||
+ | Docker Compose version v2.26.1 | ||
+ | docker@pcserver2023: | ||
+ | |||
+ | </ | ||
+ | |||
+ | Your done with the compose plugin | ||
+ | |||
+ | ===== Update ===== | ||
+ | |||
+ | If you want to update your docker- installation, | ||
- | For checking which filesystem is in use, see '' | ||
< | < | ||
- | Storage Driver: overlay2 | + | #!/bin/bash |
- | Backing Filesystem: xfs | + | #Upgrade docker rootless and plugin |
- | Supports d_type: true | + | systemctl --user stop docker |
- | Using metacopy: false | + | rm -f ~/ |
- | Native Overlay Diff: false | + | curl -fsSL https:// |
- | userxattr: true | + | #need to give the new binary permissions to acces privileged network ports (beneath 1024) |
+ | sudo setcap ' | ||
+ | |||
+ | # If you installed docker compose, check the newest version first at https:// | ||
+ | curl -SL https:// | ||
</ | </ | ||
- | If you create a XFS-Filesystem with Leap 15.5 it will have '' | ||
+ | ===== Create a place for Yamls ===== | ||
- | === ... and the permissions of the files === | + | Now, that you have compose, you can use it to setup your services with YAML- Files. Each service should have a directory for its own. |
- | For me i would like the files only be read/writeable for user docker | + | Make a directory with '' |
+ | ===== First Docker App: Portainer ===== | ||
+ | |||
+ | Now - finally its time for our first running Container. As the Portainer- App is an important Management- Software in Docker for inexperienced users, let's run it in a safe userspaced way now. | ||
+ | |||
+ | As always, SSH into your docker- user and than create the folders and yml-files for docker compose and portainer. | ||
< | < | ||
- | #:/srv # chown docker | + | |
- | #:/srv # chgrp docker | + | obel1x@server:~> ssh localhost -l docker |
- | #:/srv # setfacl -m d:u::rwX -R docker | + | Password: |
- | #:/srv # setfacl -m d:g::rwX -R docker | + | docker@pcserver2023:~> cd ~/docker_compose |
- | #:/srv # setfacl -m d:o::--- -R docker | + | docker@pcserver2023:~/docker_compose> |
- | #:/srv # setfacl | + | docker@pcserver2023:~/docker_compose> |
- | #:/srv # setfacl -m u::rwX -R docker | + | docker@pcserver2023:~/docker_compose> |
- | #:/srv # setfacl -m g::rwX -R docker | + | docker@pcserver2023:~/docker_compose> |
</ | </ | ||
- | Unfortunatelly, | + | Put the following into that file: |
- | So if you would like to have your files really secured from other user, you can create the volume with an umask - e.g.: | + | < |
+ | services: | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | - 9000:9000 | ||
+ | - 9433:9433 | ||
+ | | ||
+ | - portainer_data:/ | ||
+ | - / | ||
- | '' | + | volumes: |
- | That would make all files in the Volume have the right permissions. | + | portainer_data: |
- | In Docker-Compose use this in your yml: | + | </ |
+ | |||
+ | Check, that the Socket- Path is the correct one. | ||
+ | |||
+ | Now start your app and look the magic: | ||
< | < | ||
- | my_volume: | + | docker@pcserver2023:~/ |
- | | + | [+] Running 12/12 |
- | | + | ✔ portainer Pulled |
+ | ✔ 379538b6d68e Pull complete | ||
+ | ✔ 4ea3e2c3a39b Pull complete | ||
+ | ✔ 5171176db7f2 Pull complete | ||
+ | ✔ 52e9438966a5 Pull complete | ||
+ | ✔ 43d4775415ac Pull complete | ||
+ | ✔ c1cad9f5200f Pull complete | ||
+ | ✔ 22eab514564f Pull complete | ||
+ | ✔ 962b9fa821a2 Pull complete | ||
+ | ✔ c153fefda5ce Pull complete | ||
+ | ✔ bed990c4615b Pull complete | ||
+ | ✔ 4f4fb700ef54 Pull complete | ||
+ | [+] Running 3/3 | ||
+ | ✔ Network portainer_default | ||
+ | ✔ Volume " | ||
+ | ✔ Container portainer-portainer-1 | ||
+ | docker@pcserver2023:~/ | ||
</ | </ | ||
+ | |||
+ | Now you can go to [[http:// | ||
+ | |||
+ | {{ .: | ||
+ | |||
+ | Thats all: Docker is running and serving your services, cheers! | ||
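Review bot: the Portainer compose file publishes `9433:9433`, but Portainer CE serves HTTPS on 9443, so that mapping does nothing and the only working entry point is plain HTTP on `9000:9000`, published on every host interface, which is also the `http://` URL the last paragraph tells readers to open. Change the mapping to `9443:9443`, use that instead of 9000, and bind it to loopback (`127.0.0.1:9443:9443`) unless the box is meant to serve it on the LAN; the container also gets the daemon socket (`- /...:/var/run/docker.sock`), so whoever reaches that port controls every container of the docker user. The Update script has three weak spots: `rm -f ~/...` runs before the new download, so a failed `curl` leaves no docker binaries at all (download into a temporary directory and move afterwards); the comment says the capability for ports below 1024 goes on "the new binary", which must be `rootlesskit`, the process that binds host ports in rootless mode, and the sysctl `net.ipv4.ip_unprivileged_port_start=0` is the alternative that needs no capability on any file and no `sudo` rule for the docker user; and the compose plugin is fetched with `curl -SL https://...` with no checksum check, so compare it against the checksum file published with the compose release before making it executable. The `sudo setcap` line also implies a sudo rule for the docker user; if it is kept, scope the rule to exactly that command.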