docker rootless - centos7（以非root账户运行docker daemon）

Run the Docker daemon as a non-root user (Rootless mode) | Docker Documentation

podman — Podman documentation

Rootless containers with Podman: The basics | Red Hat Developer

一、准备

假定，docker 运行账户为 testuser

id -u
1001
whoami
testuser
grep ^$(whoami): /etc/subuid
testuser:231072:65536
grep ^$(whoami): /etc/subgid
testuser:231072:65536

需要命令 newuidmap 和 newgidmap。 apt安装 uidmap，yum 安装 shadow-utils。
默认安装了，可以检查下。

Isolate containers with a user namespace | Docker Documentation
主机通过两个文件来管理命名空间的映射关系，/etc/subuid 和 /etc/subgid。通常会在添加、删除用户或组的时候自动配置管理，但是某些系统需要手动管理，比如 RHEL and CentOS 7.3。

创建文件 /etc/subuid 和 /etc/subgid ，如下

[testuser@VM_201_16_centos ~]$ sudo cat /etc/subuid 
testuser:231072:65536
[testuser@VM_201_16_centos ~]$ sudo cat /etc/subgid 
testuser:231072:65536

添加 user.max_user_namespaces=28633 到 /etc/sysctl.conf (or /etc/sysctl.d)
执行 sudo sysctl --system

systemctl --user does not work by default. Run dockerd-rootless.sh directly without systemd.

检查有没有安装 docker-ce-rootless-extras

[root@VM_201_16_centos ~]# rpm -ql docker-ce-rootless-extras 
/usr/bin/dockerd-rootless-setuptool.sh
/usr/bin/dockerd-rootless.sh
/usr/bin/rootlesskit
/usr/bin/rootlesskit-docker-proxy

二、设置

1. 默认已经安装了 shadow-utils，需要升级下，否则会报如下错误

[testuser@VM_201_16_centos ~]$ dockerd-rootless-setuptool.sh install
[ERROR] Missing system requirements. Run the following commands to
[ERROR] install the requirements and run this tool again.

########## BEGIN ##########
sudo sh -eux <

[testuser@VM_201_16_centos ~]$ rpm -qa |grep shadow
shadow-utils-4.1.5.1-24.el7.x86_64

sudo sh -eux <

[testuser@VM_201_16_centos ~]$ rpm -qa |grep shadow
shadow-utils-4.6-5.el7.x86_64

2. 安装
   执行 dockerd-rootless-setuptool.sh install

[testuser@VM_201_16_centos ~]$ dockerd-rootless-setuptool.sh check
[INFO] Requirements are satisfied

[testuser@VM_201_16_centos ~]$ dockerd-rootless-setuptool.sh install
[INFO] systemd not detected, dockerd-rootless.sh needs to be started manually:

PATH=/usr/bin:/sbin:/usr/sbin:$PATH dockerd-rootless.sh 

[INFO] Creating CLI context "rootless"
Successfully created context "rootless"
[INFO] Use CLI context "rootless"
Current context is now "rootless"

[INFO] Make sure the following environment variables are set (or add them to ~/.bashrc):

export PATH=/usr/bin:$PATH
Some applications may require the following environment variable too:
export DOCKER_HOST=unix:///run/user/1001/docker.sock

三、使用

1. Daemon

因为 centos7尚不支持 systemctl --user start docker 的方式启动，所以得手动启动服务（建议不要使用centos7版本，使用 systemctl --user启动方便很多 ）。

设置两个环境变量 $HOME 和 $XDG_RUNTIME_DIR （执行dockerd-rootless-setuptool.sh install后，默认配置好了。如果没有，需要手动设置下）。

[testuser@VM_201_16_centos ~]$ env  |grep "HOME\|XDG_RUNTIME_DIR"
HOME=/home/testuser
XDG_RUNTIME_DIR=/run/user/1001

以testuser账户启动服务

[testuser@VM_201_16_centos ~]$ dockerd-rootless.sh 
...
INFO[2022-11-03T11:19:44.004611186+08:00] Default bridge (docker0) is assigned with an IP address 172.17.0.0/16. Daemon option --bip can be used to set a preferred IP address 
INFO[2022-11-03T11:19:44.038730513+08:00] Loading containers: done.                    
INFO[2022-11-03T11:19:44.045649238+08:00] Docker daemon                                 commit=3056208 graphdriver(s)=vfs version=20.10.21
INFO[2022-11-03T11:19:44.045756215+08:00] Daemon has completed initialization          
INFO[2022-11-03T11:19:44.072079133+08:00] API listen on /run/user/1001/docker.sock 

Socket 默认存放于 $XDG_RUNTIME_DIR/docker.sock。$XDG_RUNTIME_DIR 一般设置为/run/user/$UID。
数据目录默认设置为 ~/.local/share/docker。
daemon 配置目录默认设置为 ~/.config/docker。
客户端配置目录默认设置为 ~/.docker。

2. Client

[testuser@VM_201_16_centos ~]$ docker pull busybox
Using default tag: latest
latest: Pulling from library/busybox
22b70bddd3ac: Pull complete 
Digest: sha256:6bdd92bf5240be1b5f3bf71324f5e371fe59f0e153b27fa1f1620f78ba16963c
Status: Downloaded newer image for busybox:latest
docker.io/library/busybox:latest

[testuser@VM_201_16_centos ~]$ docker run -d -p 8080:80 nginx

[testuser@VM_201_16_centos ~]$ docker ps
CONTAINER ID   IMAGE     COMMAND                  CREATED         STATUS         PORTS                                   NAMES
3ba640ab9b83   nginx     "/docker-entrypoint.…"   7 seconds ago   Up 3 seconds   0.0.0.0:8080->80/tcp, :::8080->80/tcp   confident_chaplygin