docker rootless - centos stream 8（以非root账户运行docker daemon）

Run the Docker daemon as a non-root user (Rootless mode) | Docker Documentation

一、准备

假定，docker 运行账户为 testuser

[root@VM-1-8-centos ~]# useradd -u 1001 testuser
[root@VM-1-8-centos ~]# passwd testuser

注意：
因为下面要通过 systemctl --user show-environment 获取信息，该命令的执行依赖于 pam_systemd 。所以，下面需要以testuser账户远程登录，必须要设置密码或者密钥登录。

[testuser@VM-1-8-centos ~]$ whoami
testuser
[testuser@VM-1-8-centos ~]$ id -u
1001
[testuser@VM-1-8-centos ~]$ grep ^$(whoami): /etc/subuid
testuser:100000:65536
[testuser@VM-1-8-centos ~]$ grep ^$(whoami): /etc/subgid
testuser:100000:65536

rootless需要命令 newuidmap 和 newgidmap。 apt安装 uidmap，yum 安装 shadow-utils。
默认已经安装了，文件 /etc/subuid 和 /etc/subgid 默认也是创建好的。

以root安装 fuse-overlayfs 和 iptables

 yum install -y fuse-overlayfs
 yum install -y iptables
 modprobe ip_tables

以root安装 docker ，暂不启动服务

yum install -y yum-utils
yum-config-manager     --add-repo     https://download.docker.com/linux/centos/docker-ce.repo
yum install -y docker-ce docker-ce-cli containerd.io

默认会安装 docker-ce-rootless-extras 包，提供了 dockerd-rootless-setuptool.sh 和 dockerd-rootless.sh 两个命令
dockerd-rootless-setuptool.sh 用于安装 docker rootless
dockerd-rootless.sh 用于启动 rootless 后的 docker daemon

二、设置

必须以testuser远程登录到服务器，使用pam_systemd的方式登录到服务器。执行如下命令成功：

[root@VM-1-8-centos ~]# ssh testuser@localhost


[testuser@VM-1-8-centos ~]$ systemctl --user show-environment
DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/1001/bus
HOME=/home/testuser
LANG=en_US.utf8
LOGNAME=testuser
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin
SHELL=/bin/bash
USER=testuser
XDG_RUNTIME_DIR=/run/user/1001

[testuser@VM-1-8-centos ~]$ dockerd-rootless-setuptool.sh check
[INFO] Requirements are satisfied

执行 dockerd-rootless-setuptool.sh install

[testuser@VM-1-8-centos ~]$ dockerd-rootless-setuptool.sh install
[INFO] Creating /home/testuser/.config/systemd/user/docker.service
[INFO] starting systemd service docker.service
+ systemctl --user start docker.service
+ sleep 3
+ systemctl --user --no-pager --full status docker.service
● docker.service - Docker Application Container Engine (Rootless)
   Loaded: loaded (/home/testuser/.config/systemd/user/docker.service; disabled; vendor preset: enabled)
   Active: active (running) since Thu 2022-11-03 16:02:48 CST; 3s ago
     Docs: https://docs.docker.com/go/rootless/
 Main PID: 11473 (rootlesskit)
   CGroup: /user.slice/user-1001.slice/[email protected]/docker.service
           ├─11473 rootlesskit --net=slirp4netns --mtu=65520 --slirp4netns-sandbox=auto --slirp4netns-seccomp=auto --disable-host-loopback --port-driver=builtin --copy-up=/etc --copy-up=/run --propagation=rslave /usr/bin/dockerd-rootless.sh
           ├─11486 /proc/self/exe --net=slirp4netns --mtu=65520 --slirp4netns-sandbox=auto --slirp4netns-seccomp=auto --disable-host-loopback --port-driver=builtin --copy-up=/etc --copy-up=/run --propagation=rslave /usr/bin/dockerd-rootless.sh
           ├─11503 slirp4netns --mtu 65520 -r 3 --disable-host-loopback --enable-sandbox --enable-seccomp 11486 tap0
           ├─11510 dockerd
           └─11527 containerd --config /run/user/1001/docker/containerd/containerd.toml --log-level info
...
...
+ systemctl --user enable docker.service
Created symlink /home/testuser/.config/systemd/user/default.target.wants/docker.service → /home/testuser/.config/systemd/user/docker.service.
[INFO] Installed docker.service successfully.
[INFO] To control docker.service, run: `systemctl --user (start|stop|restart) docker.service`
[INFO] To run docker.service on system startup, run: `sudo loginctl enable-linger testuser`

[INFO] Creating CLI context "rootless"
Successfully created context "rootless"
[INFO] Use CLI context "rootless"
Current context is now "rootless"

[INFO] Make sure the following environment variables are set (or add them to ~/.bashrc):

export PATH=/usr/bin:$PATH
Some applications may require the following environment variable too:
export DOCKER_HOST=unix:///run/user/1001/docker.sock

检查运行用户

[testuser@VM-1-8-centos ~]$ ps axu |grep docker
testuser   11473  0.0  0.8 1170052 14620 ?       Ssl  16:02   0:00 rootlesskit --net=slirp4netns --mtu=65520 --slirp4netns-sandbox=auto --slirp4netns-seccomp=auto --disable-host-loopback --port-driver=builtin --copy-up=/etc --copy-up=/run --propagation=rslave /usr/bin/dockerd-rootless.sh
testuser   11486  0.0  0.7 1158664 13964 ?       Sl   16:02   0:00 /proc/self/exe --net=slirp4netns --mtu=65520 --slirp4netns-sandbox=auto --slirp4netns-seccomp=auto --disable-host-loopback --port-driver=builtin --copy-up=/etc --copy-up=/run --propagation=rslave /usr/bin/dockerd-rootless.sh
testuser   11510  0.1  3.9 1431956 69776 ?       Sl   16:02   0:00 dockerd
testuser   11527  0.1  2.4 1279920 43240 ?       Ssl  16:02   0:00 containerd --config /run/user/1001/docker/containerd/containerd.toml --log-level info
testuser   11866  0.0  0.0  12132  1100 pts/1    S+   16:04   0:00 grep --color=auto docker

三、使用

1. Daemon

启动服务

systemctl --user status docker
systemctl --user start docker

Socket 默认存放于 $XDG_RUNTIME_DIR/docker.sock。$XDG_RUNTIME_DIR 一般设置为/run/user/$UID。
数据目录默认设置为 ~/.local/share/docker。
daemon 配置目录默认设置为 ~/.config/docker。
客户端配置目录默认设置为 ~/.docker。

2. Client

[testuser@VM_201_16_centos ~]$ docker pull busybox
Using default tag: latest
latest: Pulling from library/busybox
22b70bddd3ac: Pull complete 
Digest: sha256:6bdd92bf5240be1b5f3bf71324f5e371fe59f0e153b27fa1f1620f78ba16963c
Status: Downloaded newer image for busybox:latest
docker.io/library/busybox:latest

[testuser@VM_201_16_centos ~]$ docker run -d -p 8080:80 nginx

[testuser@VM_201_16_centos ~]$ docker ps
CONTAINER ID   IMAGE     COMMAND                  CREATED         STATUS         PORTS                                   NAMES
3ba640ab9b83   nginx     "/docker-entrypoint.…"   7 seconds ago   Up 3 seconds   0.0.0.0:8080->80/tcp, :::8080->80/tcp   confident_chaplygin