Differences
This shows the differences between two versions.
content:serverbasics:docker [2024/01/05 11:13] – [First Docker App: Portainer] Daniel | content:serverbasics:docker [2024/05/18 11:11] (current) – [Update] Daniel | ||
---|---|---|---|
Line 1: | Line 1: | ||
- | ====== Docker (rootless) ====== | + | ====== Docker (rootless) |
Docker is a powerful solution for setting up Services. This on will give you hints how to setup Docker in a good way. | Docker is a powerful solution for setting up Services. This on will give you hints how to setup Docker in a good way. | ||
Line 7: | Line 7: | ||
Docker itself is nice, but it will run as root per default, which is a no-go at all. This will setup Docker in rootless- mode on OpenSuSE (currently Leap 15.5). | Docker itself is nice, but it will run as root per default, which is a no-go at all. This will setup Docker in rootless- mode on OpenSuSE (currently Leap 15.5). | ||
- | ===== Package | + | ===== Filesystem Layout |
+ | |||
+ | Mind, that at the time writing, '' | ||
+ | |||
+ | I personally dislike xfs, especially while its not rubust and won't shrink. I use it anyway, because of its srong advise to do so - with kernel 5.19+ it should be possible to get overlay2 working on btrfs, but still there are thinks that may not work even with that kernel. | ||
+ | |||
+ | So make sure, that the Home-Directory of you docker user is on XFS. The ftype is already ok on SuSE 15.5, check output of '' | ||
+ | |||
+ | Warning: you may have umask set your way - i prefer 007 as writte before. But if you change umask and permissions be very cautious, as docker uses userid- mapping and may change the permissions and ownersets of files in its directory to the subuserid. That may change the ownership in a way, that even the docker user on the host cannot access the Files, which is OK ! | ||
+ | |||
+ | __**STRONG WARNING: Don't change permissions or ownership of docker- directories on the Host directly as this will chage them in the container an break your Services !!!**__ | ||
+ | |||
+ | __**The only way to manage Volume- File- Permissions is to bash inside the running container itself and to change them there!**__ | ||
+ | ===== Packages NOT to install ===== | ||
+ | |||
+ | I had really a lot of troubles with the package in the AddOn- Repository: '' | ||
- | While Docker-Rootless is not in the main Repositories, | + | So i disabled |
- | Then install the package '' | + | * docker |
+ | * docker-compose | ||
+ | * containerd | ||
+ | Check out beneath for install the docker way. | ||
- | ===== User ===== | + | ===== Docker- |
- | Create a new user and maybe give this user another home-directory, | + | Create a new **group** |
- | Let's say choose home ''/ | + | Attention: The Home Directory should be on a volume having XFS as btrfs or others are not fully supported right now (20.04.2024 |
- | Also it may be a good choice, not to have this user added to '' | ||
===== cGroups v2 ===== | ===== cGroups v2 ===== | ||
- | OpenSuSE Leap 15.5 does not seem to have cGroups v2 enabled. | + | OpenSuSE Leap 15.5 does not have cGroups v2 enabled, which are needed by docker. |
- | You may see a warnign | + | You may see a warning (later) |
'' | '' | ||
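Review bot: Disabling the distribution's docker, docker-compose and containerd packages in favour of the upstream install (the list at the end of the "Packages NOT to install" part of this hunk) also means zypper stops delivering security fixes for the engine, so the text should state that engine updates are now a manual step and point the reader to the Update section. Consider adding `zypper addlock docker docker-compose containerd` so that a later `zypper up` or pattern installation cannot silently reinstall the distro packages next to the rootless one.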
Line 45: | Line 62: | ||
</ | </ | ||
- | after this, reboot and check if ''/ | + | after this, reboot and check if ''/ |
+ | |||
+ | After installing docker (see beneath), check if '' | ||
< | < | ||
Line 52: | Line 71: | ||
</ | </ | ||
+ | |||
+ | Than, its fine. | ||
===== Install rootless Docker ===== | ===== Install rootless Docker ===== | ||
- | Warning: You CANNOT sudo to this user and install docker | + | Warning: You CANNOT sudo to the user and install docker, |
< | < | ||
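Review bot: The "Warning: You CANNOT sudo to the user and install docker" line should give the reason, otherwise readers will try `su - docker` next: `dockerd-rootless-setuptool.sh install` drives `systemctl --user`, which only works inside the target user's own login session (its user manager and XDG_RUNTIME_DIR must exist), and neither `sudo -u docker` nor `su` provides that. Name the working alternatives explicitly: `ssh docker@localhost`, as the next hunk does, or `machinectl shell docker@`.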
Line 67: | Line 88: | ||
</ | </ | ||
- | I chose to ssh into my machine directly: | + | I chose to ssh into my machine directly, than check your umask to be secure and install docker like this: |
- | <file> | + | <code> |
- | #> ssh localhost -l docker | + | # ~> ssh localhost -l docker |
- | #> pwd | + | Password: |
- | / | + | Have a lot of fun... |
- | #> dockerd-rootless-setuptool.sh check | + | docker@pcserver2023: |
- | [INFO] Requirements are satisfied | + | 0007 |
- | #> dockerd-rootless-setuptool.sh install | + | docker@pcserver2023: |
- | [INFO] Creating /srv/docker-user/ | + | # Installing stable version 25.0.2 |
+ | # Executing docker rootless install script, commit: 3b2a83b | ||
+ | % Total % Received % Xferd Average Speed | ||
+ | | ||
+ | 100 68.2M 100 68.2M 0 | ||
+ | % Total % Received % Xferd Average Speed | ||
+ | | ||
+ | 100 19.7M 100 19.7M 0 | ||
+ | + PATH=/ | ||
+ | + / | ||
+ | [INFO] Creating /home/ | ||
[INFO] starting systemd service docker.service | [INFO] starting systemd service docker.service | ||
+ systemctl --user start docker.service | + systemctl --user start docker.service | ||
Line 84: | Line 115: | ||
+ systemctl --user --no-pager --full status docker.service | + systemctl --user --no-pager --full status docker.service | ||
● docker.service - Docker Application Container Engine (Rootless) | ● docker.service - Docker Application Container Engine (Rootless) | ||
- | | + | Loaded: loaded (/home/ |
- | Active: active (running) since Tue 2023-12-19 17:53:39 CET; 3s ago | + | |
- | Docs: https:// | + | |
- | Main PID: 6774 (rootlesskit) | + | |
- | CGroup: / | + | |
- | ├─ | + | |
- | p=auto --disable-host-loopback --port-driver=builtin --copy-up=/ | + | CPU: 224ms |
- | in/ | + | CGroup: / |
- | ├─ | + | |
- | comp=auto --disable-host-loopback --port-driver=builtin --copy-up=/ | + | |
- | r/ | + | |
- | ├─ | + | |
- | 85 tap0 | + | |
- | ├─ | + | |
- | └─ | + | |
+ DOCKER_HOST=unix:/// | + DOCKER_HOST=unix:/// | ||
- | + /usr/bin/docker version | + | + /home/docker/bin/docker version |
Client: | Client: | ||
- | Version: | + | Version: |
- | API version: | + | API version: |
- | Go version: | + | Go version: |
- | Git commit: | + | Git commit: |
- | Built: | + | |
- | OS/ | + | |
- | Context: | + | |
- | Server: | + | Server: |
- | Engine: | + | |
- | | + | Version: |
- | API version: | + | API version: |
- | Go version: | + | Go version: |
- | Git commit: | + | Git commit: |
- | | + | Built: |
- | | + | OS/ |
- | | + | Experimental: |
- | containerd: | + | |
- | | + | Version: |
- | | + | GitCommit: |
- | runc: | + | |
- | | + | Version: |
- | | + | GitCommit: |
- | docker-init: | + | |
- | | + | Version: |
- | | + | GitCommit: |
- | rootlesskit: | + | |
- | | + | Version: |
- | | + | ApiVersion: |
- | | + | NetworkDriver: |
- | | + | PortDriver: |
- | | + | StateDir: |
- | slirp4netns: | + | vpnkit: |
- | | + | Version: |
- | | + | |
+ systemctl --user enable docker.service | + systemctl --user enable docker.service | ||
- | Created symlink /srv/docker-user/ | + | Created symlink /home/ |
- | config/ | + | |
[INFO] Installed docker.service successfully. | [INFO] Installed docker.service successfully. | ||
[INFO] To control docker.service, | [INFO] To control docker.service, | ||
Line 150: | Line 177: | ||
[INFO] Make sure the following environment variable(s) are set (or add them to ~/.bashrc): | [INFO] Make sure the following environment variable(s) are set (or add them to ~/.bashrc): | ||
- | export PATH=/usr/bin:$PATH | + | export PATH=/home/docker/bin:$PATH |
[INFO] Some applications may require the following environment variable too: | [INFO] Some applications may require the following environment variable too: | ||
export DOCKER_HOST=unix:/// | export DOCKER_HOST=unix:/// | ||
- | </file> | + | </code> |
- | So, this looks nice. | + | So, this looks very nice. **Important: |
- | Mind, that now your volumes | + | ===== Check Docker install ===== |
- | ==== Optional | + | |
+ | Log out of docker user if you are still in from install. Then, log back in to apply the bashrc- settings. | ||
+ | |||
+ | Ceck the Environement to have the settings: | ||
+ | < | ||
+ | |||
+ | docker@pcserver2023: | ||
+ | Connection to localhost closed. | ||
+ | obel1x@pcserver2023: | ||
+ | Password: | ||
+ | Last login: Sat Apr 20 15:18:56 2024 from ::1 | ||
+ | Have a lot of fun... | ||
+ | docker@pcserver2023: | ||
+ | unix:/// | ||
+ | |||
+ | </ | ||
+ | |||
+ | Now check '' | ||
+ | |||
+ | < | ||
+ | docker@pcserver2023: | ||
+ | Client: | ||
+ | | ||
+ | | ||
+ | Debug Mode: false | ||
+ | |||
+ | Server: | ||
+ | | ||
+ | Running: 0 | ||
+ | Paused: 0 | ||
+ | Stopped: 0 | ||
+ | | ||
+ | | ||
+ | | ||
+ | Backing Filesystem: xfs | ||
+ | Supports d_type: true | ||
+ | Using metacopy: false | ||
+ | Native Overlay Diff: false | ||
+ | userxattr: true | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | Volume: local | ||
+ | Network: bridge host ipvlan macvlan null overlay | ||
+ | Log: awslogs fluentd gcplogs gelf journald json-file local splunk syslog | ||
+ | | ||
+ | | ||
+ | | ||
+ | Init Binary: docker-init | ||
+ | | ||
+ | runc version: v1.1.12-0-g51d5e94 | ||
+ | init version: de40ad0 | ||
+ | | ||
+ | seccomp | ||
+ | | ||
+ | rootless | ||
+ | cgroupns | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | CPUs: 8 | ||
+ | Total Memory: 30.79GiB | ||
+ | Name: pcserver2023 | ||
+ | ID: 45699224-ea9c-4865-8dea-a53bb20b788c | ||
+ | | ||
+ | Debug Mode: false | ||
+ | | ||
+ | | ||
+ | 127.0.0.0/8 | ||
+ | Live Restore Enabled: false | ||
+ | | ||
+ | |||
+ | WARNING: bridge-nf-call-iptables is disabled | ||
+ | WARNING: bridge-nf-call-ip6tables is disabled | ||
+ | |||
+ | </ | ||
+ | |||
+ | Important things: | ||
+ | |||
+ | * Storage driver and FS-Type : overlay2 should always be used, btrfs is outdated! XFS and d_type are important! | ||
+ | * CGroup Version needs to be 2 or better | ||
+ | |||
+ | ===== Configuring | ||
in rootless-mode, | in rootless-mode, | ||
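Review bot: The "Important things" checklist at the end of this hunk only names the storage driver and the cgroup version; add the Security Options block shown a few lines above it (seccomp, rootless, cgroupns), because `rootless` there is the direct confirmation that the daemon itself runs unprivileged, and the reader should verify that rather than the Go or runc version. The two `WARNING: bridge-nf-call-iptables is disabled` / `bridge-nf-call-ip6tables is disabled` lines are also left in the output without comment; say whether they matter for this rootless setup, where container networking is handled by RootlessKit, or can be ignored, so readers do not start changing host sysctls as root to silence them.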
Line 166: | Line 277: | ||
'' | '' | ||
- | by default, the path and the file is not existent, | + | **by default, the path and the file is not existent, |
- | For example | + | For example, enable IPv6. See [[https:// |
< | < | ||
{ | { | ||
- | " | ||
- | " | ||
" | " | ||
" | " | ||
- | " | + | " |
- | " | + | " |
" | " | ||
" | " | ||
Line 186: | Line 295: | ||
</ | </ | ||
- | Here, ipv6 support has been turned on. See [[https:// | + | You need to adjust cidr to match your network, check first 4 blocks of '' |
- | Notice: Don't use '' | + | Notice: Don't use '' |
- | ===== Filesystem Layout ===== | + | |
- | Mind, that at the time writing '' | + | ===== Install |
- | I personally dislike xfs, especially while its not rubust | + | The command '' |
- | For checking which filesystem is in use, see '' | + | Installing it the manual way: |
- | < | + | |
- | Storage Driver: overlay2 | + | Edit the File '' |
- | | + | |
- | | + | |
- | Using metacopy: false | + | |
- | | + | |
- | | + | |
- | + | ||
- | </file> | + | |
- | + | ||
- | If you create a XFS-Filesystem with Leap 15.5 it will have '' | + | |
- | + | ||
- | For me, i like btrfs a bit more than xfs, so i chose to have three different locations for docker on two filesystems (which are raided lvms. Check out the other docs here): | + | |
- | + | ||
- | < | + | |
- | #> mount | grep /srv | + | |
- | / | + | |
- | / | + | |
- | + | ||
- | </ | + | |
- | + | ||
- | and in /srv i have | + | |
- | < | + | |
- | + | ||
- | #> ls /srv/ | grep docker | + | |
- | docker #-> for storing docker-data using xfs | + | |
- | docker-compose #-> for my yaml-files | + | |
- | docker-user #-> this is the home of the docker user, containing the executables in user-space | + | |
- | + | ||
- | </ | + | |
- | + | ||
- | ==== ... and the permissions of the files ==== | + | |
- | + | ||
- | For me i would like the files only be read/ | + | |
< | < | ||
- | #:~ # cd /srv | + | export DOCKER_CONFIG=${DOCKER_CONFIG:-$HOME/.docker} |
- | #:/srv # chown docker docker* | + | |
- | #:/srv # chgrp docker docker* -R | + | |
- | #:/srv # setfacl -m d:u::rwX -R docker* | + | |
- | #:/srv # setfacl -m d:g::rwX -R docker* | + | |
- | #:/srv # setfacl -m d:o::--- -R docker* | + | |
- | #:/srv # setfacl -m u::rwX -R docker* | + | |
- | #:/srv # setfacl -m g::rwX -R docker* | + | |
- | #:/srv # setfacl -m o::--- -R docker* | + | |
</ | </ | ||
- | That way, others do not have any access | + | Then relog to the docker |
- | + | ||
- | === Compatibility Mode === | + | |
- | + | ||
- | There are Dockers out there, that are not aware of rootless-modes. One example (date up to now) is phpmyadmin. It will create files in docker-start- script | + | |
- | + | ||
- | So you may change the default for others to be readable: | + | |
< | < | ||
- | #:~ # cd /srv | + | docker@pcserver2023:~> mkdir -p $DOCKER_CONFIG/cli-plugins |
- | #:/srv # setfacl | + | docker@pcserver2023:~> curl -SL https://github.com/docker/compose/ |
- | #:/srv # setfacl | + | % Total % Received % Xferd Average Speed |
- | #:/srv # setfacl | + | |
- | #:/srv # setfacl | + | 0 |
+ | 100 59.8M 100 59.8M 0 | ||
+ | docker@pcserver2023: | ||
+ | docker@pcserver2023: | ||
+ | Docker Compose version v2.26.1 | ||
+ | docker@pcserver2023: | ||
</ | </ | ||
- | The docker- daemon will create all files that are downloaded and created in a container as the facls are set if not forced to have other permissions by the docker-app itself. | + | Your done with the compose plugin |
- | === Volume- Permissions | + | ===== Update ===== |
- | Usually all the data- files are kept in Volumes. Unfortunatelly, docker does not care about linux acls and user permissions in Volumes | + | If you want to update your docker- installation, there is not update- process but to use the same script again: |
- | So if you would like to have your files really secured from other user, you can create the volume with an umask - e.g.: | + | < |
+ | # | ||
+ | #Upgrade docker rootless and plugin | ||
+ | systemctl --user stop docker | ||
+ | rm -f ~/ | ||
+ | curl -fsSL https://get.docker.com/ | ||
+ | #need to give the new binary permissions to acces privileged network ports (beneath 1024) | ||
+ | sudo setcap ' | ||
- | '' | + | # If you installed |
- | That would make all files in the Volume have the right permissions. | + | curl -SL https:// |
- | In Docker-Compose use this in your yml: | + | </ |
- | < | ||
- | volumes: | ||
- | volumename: | ||
- | driver_opts: | ||
- | device: "" | ||
- | type: "" | ||
- | o: " | ||
- | </ | + | ===== Create a place for Yamls ===== |
- | Device and type need to be there, but can be empty to use default values. | + | Now, that you have compose, you can use it to setup your services with YAML- Files. Each service should have a directory for its own. |
+ | |||
+ | Make a directory with '' | ||
===== First Docker App: Portainer ===== | ===== First Docker App: Portainer ===== | ||
- | Now - finally its time for our first running Container. As the Portainer- App is the most important Management- Software in Docker, let's run it in a safe userspaced way now. | + | Now - finally its time for our first running Container. As the Portainer- App is an important Management- Software in Docker |
- | As always, SSH into your docker- user and than create the folders and yml-files for portainer. | + | As always, SSH into your docker- user and than create the folders and yml-files for docker compose and portainer. |
+ | < | ||
- | < | ||
obel1x@server: | obel1x@server: | ||
- | |||
Password: | Password: | ||
- | docker@server:~> cd /srv/ | + | docker@pcserver2023:~> cd ~/docker_compose |
- | docker@server:~> mkdir portainer | + | docker@pcserver2023:~/ |
- | docker@server:/srv/ | + | docker@pcserver2023:~/docker_compose> cd portainer |
- | docker@server:/srv/docker-compose/ | + | docker@pcserver2023:~/docker_compose> |
- | # file: . | + | docker@pcserver2023:~/docker_compose> |
- | # owner: docker | + | |
- | # group: docker | + | |
- | user::rwx | + | |
- | group:: | + | |
- | other:: | + | |
- | default: | + | |
- | default: | + | |
- | default: | + | |
- | + | ||
- | docker@server:/srv/ | + | |
</ | </ | ||
- | put the following into that file: | + | Put the following into that file: |
< | < | ||
- | version: " | ||
services: | services: | ||
| | ||
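Review bot: In the update script in this hunk, `systemctl --user stop docker` and the `rm -f ~/...` line run before `curl -fsSL https://get.docker.com/ | ...` has fetched anything, so a failed or interrupted download leaves the host with the daemon stopped and its binaries already deleted; fetch into a temporary directory first, stop the service and swap the binaries only after the download succeeded, and start the script with `set -e` so a failing step does not fall through to `sudo setcap` on a missing file. Both downloads in this hunk (the get.docker.com script piped into the shell, and the compose plugin binary fetched from github.com/docker/compose/ into `cli-plugins`) are installed without any integrity check; at least pin the version you expect instead of "latest" and compare the compose binary against the `checksums.txt` published with each compose release before it is made executable.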
Line 332: | Line 388: | ||
volumes: | volumes: | ||
| | ||
- | | ||
- | | ||
- | type: "" | ||
- | o: " | ||
</ | </ | ||
- | now start your app: | + | Check, that the Socket- Path is the correct one. |
- | < | + | Now start your app and look the magic: |
- | docker@server: | + | |
- | [...] | + | |
- | ⠿ Container portainer-portainer-1 | + | |
- | + | ||
- | </ | + | |
- | + | ||
- | Check the volume has been created at the right location | + | |
< | < | ||
- | docker@server:~> docker | + | docker@pcserver2023:~/ |
- | [ | + | [+] Running 12/12 |
- | { | + | ✔ portainer Pulled |
- | " | + | ✔ 379538b6d68e Pull complete |
- | " | + | ✔ 4ea3e2c3a39b Pull complete |
- | " | + | ✔ 5171176db7f2 Pull complete |
- | "com.docker.compose.project": | + | ✔ 52e9438966a5 Pull complete |
- | "com.docker.compose.version": | + | ✔ 43d4775415ac Pull complete |
- | "com.docker.compose.volume": | + | ✔ c1cad9f5200f Pull complete |
- | }, | + | ✔ 22eab514564f Pull complete |
- | " | + | ✔ 962b9fa821a2 Pull complete |
- | " | + | ✔ c153fefda5ce Pull complete |
- | " | + | ✔ bed990c4615b Pull complete |
- | " | + | ✔ 4f4fb700ef54 Pull complete |
- | **" | + | [+] Running 3/3 |
- | " | + | ✔ Network portainer_default |
- | }, | + | ✔ Volume |
- | " | + | ✔ Container portainer-portainer-1 |
- | } | + | docker@pcserver2023:~/ |
- | ] | + | |
</ | </ | ||
- | and finally if the files have been created only readable by the user: | + | Now you can go to [[http:// |
- | + | ||
- | < | + | |
- | ls / | + | |
- | -rw——- 1 docker docker 77 21. Dez 09:37 / | + | |
- | + | ||
- | / | + | |
- | insgesamt 40 | + | |
- | drwx——+ 2 docker docker 6 21. Dez 09:37 bin | + | |
- | drwx——+ 2 docker docker 37 21. Dez 09:37 certs | + | |
- | drwx——+ 2 docker docker 29 21. Dez 09:37 chisel | + | |
- | drwx——+ 2 docker docker 6 21. Dez 09:37 compose | + | |
- | drwx——+ 2 docker docker 25 21. Dez 09:37 docker_config | + | |
- | -rw——- 1 docker docker 65536 21. Dez 09:37 portainer.db | + | |
- | -rw——- 1 docker docker 227 21. Dez 09:37 portainer.key | + | |
- | -rw——- 1 docker docker 190 21. Dez 09:37 portainer.pub | + | |
- | drwx——+ 2 docker docker 6 21. Dez 09:37 tls | + | |
- | + | ||
- | / | + | |
- | insgesamt 0 | + | |
- | + | ||
- | / | + | |
- | insgesamt 8 | + | |
- | -rw——- 1 docker docker 518 21. Dez 09:37 cert.pem | + | |
- | -rw——- 1 docker docker 227 21. Dez 09:37 key.pem | + | |
- | + | ||
- | / | + | |
- | insgesamt 4 | + | |
- | -rw——- 1 docker docker 227 21. Dez 09:37 private-key.pem | + | |
- | + | ||
- | / | + | |
- | insgesamt 0 | + | |
- | + | ||
- | / | + | |
- | insgesamt 4 | + | |
- | -rw-r—– 1 docker docker 389 21. Dez 09:37 config.json | + | |
- | + | ||
- | / | + | |
- | insgesamt 0 | + | |
- | + | ||
- | </ | + | |
- | + | ||
- | this is amazing, right ;) ? | + | |
- | + | ||
- | Now you can go to [[http:// | + | |
{{ .: | {{ .: | ||
- | Thats all here, cheers! | + | Thats all: Docker is running and serving your services, cheers! |
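Review bot: The volume entry that the "Check, that the Socket- Path is the correct one" line refers to is the daemon socket (`$XDG_RUNTIME_DIR/docker.sock`, the value `echo $DOCKER_HOST` printed in the check section); mounting it into Portainer gives anyone who can log in to the Portainer UI full control over every container, image and volume of this docker user, and nothing beyond that user, which is exactly the gain of the rootless setup over a root daemon. The text should therefore tell the reader to publish Portainer's port on 127.0.0.1 or behind a TLS reverse proxy rather than on all interfaces, and to open the setup page and create the admin account immediately after `docker compose up`, since the first visitor of that page gets to create it.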