Run the Docker daemon as a non-root user (Rootless mode) | Docker Documentation
I. Preparation
Assume the account that will run Docker is testuser:
[root@VM-1-8-centos ~]# useradd -u 1001 testuser
[root@VM-1-8-centos ~]# passwd testuser
Note: the steps below read the user session environment with systemctl --user show-environment, and that command depends on pam_systemd. testuser therefore has to log in remotely later, so set a password or an SSH key for the account.
[testuser@VM-1-8-centos ~]$ whoami
testuser
[testuser@VM-1-8-centos ~]$ id -u
1001
[testuser@VM-1-8-centos ~]$ grep ^$(whoami): /etc/subuid
testuser:100000:65536
[testuser@VM-1-8-centos ~]$ grep ^$(whoami): /etc/subgid
testuser:100000:65536
Rootless mode needs the newuidmap and newgidmap commands: install the uidmap package with apt, or shadow-utils with yum. They are normally installed already, and /etc/subuid and /etc/subgid normally exist already as well.
As root, install fuse-overlayfs and iptables:
yum install -y fuse-overlayfs
yum install -y iptables
modprobe ip_tables
As root, install Docker, but do not start the service yet:
yum install -y yum-utils
yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo
yum install -y docker-ce docker-ce-cli containerd.io
This also installs the docker-ce-rootless-extras package by default, which provides two commands:
dockerd-rootless-setuptool.sh installs rootless Docker
dockerd-rootless.sh starts the Docker daemon in rootless mode
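As an added check, not part of the original post or of the Docker documentation, the POSIX shell functions below verify the prerequisites from this section for one user without changing anything on the host: a subordinate UID and GID range of at least 65536 in /etc/subuid and /etc/subgid (the size the post's entries show), newuidmap and newgidmap present on PATH with the setuid bit, and fuse-overlayfs installed. The function names are my own; the file paths and helper names are the ones the post uses.

```shell
#!/bin/sh
# Added example, not from the Docker docs or the original post: verify the
# rootless prerequisites for one user without touching system state.
# Function names are my own; /etc/subuid, /etc/subgid, newuidmap/newgidmap
# and the 65536-ID range are the values shown in the post.

# subid_count FILE USER -> prints the total number of subordinate IDs that
# FILE grants USER (a user may own several ranges, so the counts are summed).
# Returns 1 when there is no entry, matching the exact "user:" prefix the
# post's grep uses.
subid_count() {
    awk -F: -v u="$2" '
        $1 == u { total += $3; found = 1 }
        END { if (found) print total; exit (found ? 0 : 1) }' "$1"
}

# subid_ok FILE USER -> 0 when USER owns at least 65536 subordinate IDs.
subid_ok() {
    _count=$(subid_count "$1" "$2") || { echo "$2: no entry in $1" >&2; return 1; }
    if [ "$_count" -lt 65536 ]; then
        echo "$2: only $_count subordinate IDs in $1 (need 65536)" >&2
        return 1
    fi
}

# setuid_helper_ok NAME -> 0 when NAME is on PATH and setuid; rootless mode
# relies on newuidmap/newgidmap (shadow-utils / uidmap) having that bit.
setuid_helper_ok() {
    _path=$(command -v "$1") || { echo "$1: not found on PATH" >&2; return 1; }
    [ -u "$_path" ] || { echo "$_path: setuid bit not set" >&2; return 1; }
}

# check_rootless_prereqs USER -> 0 only when every check passes; every failing
# check is reported on stderr rather than stopping at the first one.
check_rootless_prereqs() {
    _rc=0
    subid_ok /etc/subuid "$1" || _rc=1
    subid_ok /etc/subgid "$1" || _rc=1
    setuid_helper_ok newuidmap || _rc=1
    setuid_helper_ok newgidmap || _rc=1
    command -v fuse-overlayfs >/dev/null 2>&1 || { echo "fuse-overlayfs: not found on PATH" >&2; _rc=1; }
    return $_rc
}

# Usage: sh rootless-prereqs.sh testuser
if [ $# -gt 0 ]; then
    check_rootless_prereqs "$1" && echo "rootless prerequisites satisfied for $1"
fi
```

Run it as root or as the user itself; the setuid check reads the bit from the binary, so it works either way, while the subid checks only need read access to the two files.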
II. Setup
Log in to the server remotely as testuser so that the session is set up through pam_systemd. The following command should then succeed:
[root@VM-1-8-centos ~]# ssh testuser@localhost
[testuser@VM-1-8-centos ~]$ systemctl --user show-environment
DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/1001/bus
HOME=/home/testuser
LANG=en_US.utf8
LOGNAME=testuser
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin
SHELL=/bin/bash
USER=testuser
XDG_RUNTIME_DIR=/run/user/1001
[testuser@VM-1-8-centos ~]$ dockerd-rootless-setuptool.sh check
[INFO] Requirements are satisfied
Run dockerd-rootless-setuptool.sh install:
[testuser@VM-1-8-centos ~]$ dockerd-rootless-setuptool.sh install
[INFO] Creating /home/testuser/.config/systemd/user/docker.service
[INFO] starting systemd service docker.service
+ systemctl --user start docker.service
+ sleep 3
+ systemctl --user --no-pager --full status docker.service
● docker.service - Docker Application Container Engine (Rootless)
Loaded: loaded (/home/testuser/.config/systemd/user/docker.service; disabled; vendor preset: enabled)
Active: active (running) since Thu 2022-11-03 16:02:48 CST; 3s ago
Docs: https://docs.docker.com/go/rootless/
Main PID: 11473 (rootlesskit)
CGroup: /user.slice/user-1001.slice/user@1001.service/docker.service
├─11473 rootlesskit --net=slirp4netns --mtu=65520 --slirp4netns-sandbox=auto --slirp4netns-seccomp=auto --disable-host-loopback --port-driver=builtin --copy-up=/etc --copy-up=/run --propagation=rslave /usr/bin/dockerd-rootless.sh
├─11486 /proc/self/exe --net=slirp4netns --mtu=65520 --slirp4netns-sandbox=auto --slirp4netns-seccomp=auto --disable-host-loopback --port-driver=builtin --copy-up=/etc --copy-up=/run --propagation=rslave /usr/bin/dockerd-rootless.sh
├─11503 slirp4netns --mtu 65520 -r 3 --disable-host-loopback --enable-sandbox --enable-seccomp 11486 tap0
├─11510 dockerd
└─11527 containerd --config /run/user/1001/docker/containerd/containerd.toml --log-level info
...
...
+ systemctl --user enable docker.service
Created symlink /home/testuser/.config/systemd/user/default.target.wants/docker.service → /home/testuser/.config/systemd/user/docker.service.
[INFO] Installed docker.service successfully.
[INFO] To control docker.service, run: `systemctl --user (start|stop|restart) docker.service`
[INFO] To run docker.service on system startup, run: `sudo loginctl enable-linger testuser`
[INFO] Creating CLI context "rootless"
Successfully created context "rootless"
[INFO] Use CLI context "rootless"
Current context is now "rootless"
[INFO] Make sure the following environment variables are set (or add them to ~/.bashrc):
export PATH=/usr/bin:$PATH
Some applications may require the following environment variable too:
export DOCKER_HOST=unix:///run/user/1001/docker.sock
Check which user the processes run as:
[testuser@VM-1-8-centos ~]$ ps axu |grep docker
testuser 11473 0.0 0.8 1170052 14620 ? Ssl 16:02 0:00 rootlesskit --net=slirp4netns --mtu=65520 --slirp4netns-sandbox=auto --slirp4netns-seccomp=auto --disable-host-loopback --port-driver=builtin --copy-up=/etc --copy-up=/run --propagation=rslave /usr/bin/dockerd-rootless.sh
testuser 11486 0.0 0.7 1158664 13964 ? Sl 16:02 0:00 /proc/self/exe --net=slirp4netns --mtu=65520 --slirp4netns-sandbox=auto --slirp4netns-seccomp=auto --disable-host-loopback --port-driver=builtin --copy-up=/etc --copy-up=/run --propagation=rslave /usr/bin/dockerd-rootless.sh
testuser 11510 0.1 3.9 1431956 69776 ? Sl 16:02 0:00 dockerd
testuser 11527 0.1 2.4 1279920 43240 ? Ssl 16:02 0:00 containerd --config /run/user/1001/docker/containerd/containerd.toml --log-level info
testuser 11866 0.0 0.0 12132 1100 pts/1 S+ 16:04 0:00 grep --color=auto docker
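The ps listing above is the check that matters: every Docker component must belong to testuser, and no root-owned dockerd should be running, since the post deliberately leaves the system docker.service stopped. The script below is an added example, not from the Docker docs or the original post, that turns that eyeball check into a function; the process names are those in the post's output, the function names are my own, and ps with a widened user column (procps syntax, assumed to be available on the host) is used so that user names longer than eight characters are not truncated.

```shell
#!/bin/sh
# Added example, not from the Docker docs or the original post: audit the
# process list so that every Docker component runs as the intended
# unprivileged user and no root-owned dockerd was started by mistake.
# Function names are my own; the process names come from the post's ps output.

# docker_procs_not_owned_by USER [PS_LISTING] -> prints "PID OWNER" for each
# rootlesskit/slirp4netns/dockerd/containerd(-shim) process whose owner is
# not USER. PS_LISTING is `ps axo user:32,pid,comm` output, header included;
# the :32 width stops procps truncating long user names to 7 chars plus "+".
# When PS_LISTING is omitted, a live ps is run.
docker_procs_not_owned_by() {
    _user="$1"
    _listing="${2:-$(ps axo user:32,pid,comm)}"
    printf '%s\n' "$_listing" | awk -v u="$_user" '
        NR > 1 && $3 ~ /^(rootlesskit|slirp4netns|dockerd|containerd)/ && $1 != u {
            print $2, $1
        }'
}

# rootless_owner_ok USER [PS_LISTING] -> 0 when nothing is flagged, 1 otherwise
# (the offending processes are listed on stderr).
rootless_owner_ok() {
    _bad=$(docker_procs_not_owned_by "$@")
    if [ -n "$_bad" ]; then
        printf 'docker processes not owned by %s (pid owner):\n%s\n' "$1" "$_bad" >&2
        return 1
    fi
    return 0
}

# Constructed listing (not real output): the post's rootless processes plus a
# stray root-owned dockerd, used for an offline demonstration.
SAMPLE_PS='USER PID COMMAND
testuser 11473 rootlesskit
testuser 11503 slirp4netns
testuser 11510 dockerd
testuser 11527 containerd
root 2001 dockerd
testuser 11866 grep'

# Usage: rootless_owner_ok testuser                # live system
#        rootless_owner_ok testuser "$SAMPLE_PS"   # flags "2001 root"
```

On a host that also runs the packaged, root-owned Docker service, this check will flag that dockerd and containerd; that is the intended result, because the point of this setup is that no daemon runs as root.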
III. Usage
1. Daemon
Start the service:
systemctl --user status docker
systemctl --user start docker
The socket is placed at $XDG_RUNTIME_DIR/docker.sock by default; $XDG_RUNTIME_DIR is normally /run/user/$UID.
The data directory defaults to ~/.local/share/docker.
The daemon configuration directory defaults to ~/.config/docker.
The client configuration directory defaults to ~/.docker.
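Whoever can write to that socket controls the daemon, so after install it is worth confirming where the socket is and that only its owner can reach it. The functions below are an added example, not from the Docker docs or the original post: they derive the socket path and the DOCKER_HOST export from the defaults just listed, and check the socket's owner and the "other" permission bits of the socket and its runtime directory. Function names are my own, and GNU stat (coreutils, as on the CentOS host in the post) is assumed for the permission check.

```shell
#!/bin/sh
# Added example, not from the Docker docs or the original post: derive the
# rootless socket path from the documented defaults and check that the socket
# is reachable only by its owner. Function names are my own; GNU stat
# (coreutils) is assumed for the permission check.

# rootless_socket_path [RUNTIME_DIR] -> RUNTIME_DIR/docker.sock, defaulting to
# $XDG_RUNTIME_DIR and then to /run/user/$UID, as the post describes.
rootless_socket_path() {
    _dir="${1:-${XDG_RUNTIME_DIR:-/run/user/$(id -u)}}"
    printf '%s/docker.sock\n' "$_dir"
}

# docker_host_export [RUNTIME_DIR] -> the DOCKER_HOST line the setup tool
# asks you to add to ~/.bashrc.
docker_host_export() {
    printf 'export DOCKER_HOST=unix://%s\n' "$(rootless_socket_path "$1")"
}

# socket_is_private SOCKET USER -> 0 when SOCKET exists, is a Unix socket,
# is owned by USER, and neither the socket nor its directory grants write
# access to "other" (the last octal digit of the mode).
socket_is_private() {
    _sock="$1"; _user="$2"
    [ -S "$_sock" ] || { echo "$_sock: no such socket" >&2; return 1; }
    _owner=$(stat -c '%U' "$_sock")
    [ "$_owner" = "$_user" ] || { echo "$_sock: owned by $_owner, expected $_user" >&2; return 1; }
    for _p in "$_sock" "$(dirname "$_sock")"; do
        _mode=$(stat -c '%a' "$_p")
        case "$_mode" in
            *[2367]) echo "$_p: mode $_mode is world-writable" >&2; return 1 ;;
        esac
    done
    return 0
}

# Usage on the live host, as the rootless user:
#   socket_is_private "$(rootless_socket_path)" "$(id -un)" && echo "socket ok"
#   docker_host_export >> ~/.bashrc
```

The directory check matters as much as the socket check: /run/user/$UID is created by systemd-logind with mode 700, and that directory, not the socket's own mode, is what keeps other local users away from the daemon.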
2. Client
[testuser@VM_201_16_centos ~]$ docker pull busybox
Using default tag: latest
latest: Pulling from library/busybox
22b70bddd3ac: Pull complete
Digest: sha256:6bdd92bf5240be1b5f3bf71324f5e371fe59f0e153b27fa1f1620f78ba16963c
Status: Downloaded newer image for busybox:latest
docker.io/library/busybox:latest
[testuser@VM_201_16_centos ~]$ docker run -d -p 8080:80 nginx
[testuser@VM_201_16_centos ~]$ docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
3ba640ab9b83 nginx "/docker-entrypoint.…" 7 seconds ago Up 3 seconds 0.0.0.0:8080->80/tcp, :::8080->80/tcp confident_chaplygin