Installing Rootless Docker from scratch on Ubuntu
Environment: Ubuntu 24.04 (WSL)
Mainly following the official guide.
As the distribution-specific hint says, install the uidmap package (the dbus-user-session package is installed by default).
$ sudo apt install uidmap
An AppArmor profile for rootlesskit has to be added, so add it with the following steps.
$ filename=$(echo $HOME/bin/rootlesskit | sed -e s@^/@@ -e s@/@.@g)
$ cat <<EOF > ~/${filename}
abi <abi/4.0>,
include <tunables/global>
"$HOME/bin/rootlesskit" flags=(unconfined) {
  userns,
  include if exists <local/${filename}>
}
EOF
$ sudo mv ~/${filename} /etc/apparmor.d/${filename}
$ sudo systemctl restart apparmor.service
The docker-ce-rootless-extras package, which contains the setup script, has to be installed, but it lives in the Docker repository, so first configure the Docker Engine repository and then install it.
# Download the repository's GPG key
$ sudo install -m 0755 -d /etc/apt/keyrings
$ sudo curl -fsSL https://download.docker.com/linux/ubuntu/gpg -o /etc/apt/keyrings/docker.asc
$ sudo chmod a+r /etc/apt/keyrings/docker.asc
# Add the repository to the APT sources
$ echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu \
$(. /etc/os-release && echo "$VERSION_CODENAME") stable" | \
sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
# Install the docker-ce-rootless-extras package
$ sudo apt install -U docker-ce-rootless-extras
Run dockerd-rootless-setuptool.sh install to set up the daemon for the non-root user. It reports the packages and steps that are still needed, so deal with each as it comes up.
$ dockerd-rootless-setuptool.sh install
[ERROR] Missing system requirements. Run the following commands to
[ERROR] install the requirements and run this tool again.
[ERROR] Alternatively iptables checks can be disabled with --skip-iptables .
########## BEGIN ##########
sudo sh -eux <<EOF
# Install iptables
apt-get install -y iptables
EOF
########## END ##########
$ sudo apt install iptables
$ dockerd-rootless-setuptool.sh install
[INFO] Creating /home/holliy/.config/systemd/user/docker.service
[INFO] starting systemd service docker.service
+ systemctl --user start docker.service
Job for docker.service failed because the control process exited with error code.
See "systemctl --user status docker.service" and "journalctl --user -xeu docker.service" for details.
+ set +x
[ERROR] Failed to start docker.service. Run `journalctl -n 20 --no-pager --user --unit docker.service` to show the error log.
[ERROR] Before retrying installation, you might need to uninstall the current setup: `/usr/bin/dockerd-rootless-setuptool.sh uninstall -f ; /usr/bin/rootlesskit rm -rf /home/holliy/.local/share/docker`
$ journalctl -n 20 --no-pager --user --unit docker.service
8月 04 23:07:39 wsl dockerd-rootless.sh[6958]: + [ -n ]
8月 04 23:07:39 wsl dockerd-rootless.sh[6965]: + stat -c %T -f /etc
8月 04 23:07:39 wsl dockerd-rootless.sh[6958]: + [ tmpfs = tmpfs ]
8月 04 23:07:39 wsl dockerd-rootless.sh[6958]: + [ -L /etc/ssl ]
8月 04 23:07:39 wsl dockerd-rootless.sh[6966]: + realpath /etc/ssl
8月 04 23:07:39 wsl dockerd-rootless.sh[6958]: + realpath_etc_ssl=/etc/.ro3507928474/ssl
8月 04 23:07:39 wsl dockerd-rootless.sh[6958]: + rm -f /etc/ssl
8月 04 23:07:39 wsl dockerd-rootless.sh[6958]: + mkdir /etc/ssl
8月 04 23:07:39 wsl dockerd-rootless.sh[6958]: + mount --rbind /etc/.ro3507928474/ssl /etc/ssl
8月 04 23:07:39 wsl dockerd-rootless.sh[6958]: + exec dockerd
8月 04 23:07:39 wsl dockerd-rootless.sh[6958]: /usr/bin/dockerd-rootless.sh: 162: exec: dockerd: not found
8月 04 23:07:39 wsl dockerd-rootless.sh[6929]: [rootlesskit:child ] error: command [/usr/bin/dockerd-rootless.sh] exited: exit status 127
8月 04 23:07:39 wsl dockerd-rootless.sh[6918]: [rootlesskit:parent] error: child exited: exit status 127
8月 04 23:07:39 wsl systemd[357]: docker.service: Main process exited, code=exited, status=127/n/a
8月 04 23:07:39 wsl systemd[357]: docker.service: Failed with result 'exit-code'.
8月 04 23:07:39 wsl systemd[357]: Failed to start docker.service - Docker Application Container Engine (Rootless).
8月 04 23:07:41 wsl systemd[357]: docker.service: Scheduled restart job, restart counter is at 3.
8月 04 23:07:41 wsl systemd[357]: docker.service: Start request repeated too quickly.
8月 04 23:07:41 wsl systemd[357]: docker.service: Failed with result 'exit-code'.
8月 04 23:07:41 wsl systemd[357]: Failed to start docker.service - Docker Application Container Engine (Rootless).
The error above is caused by the Docker daemon not being present, so it has to be installed separately.
$ apt-file search bin/dockerd
docker-ce: /usr/bin/dockerd
docker-ce-rootless-extras: /usr/bin/dockerd-rootless-setuptool.sh
docker-ce-rootless-extras: /usr/bin/dockerd-rootless.sh
docker.io: /usr/bin/dockerd
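The "exec: dockerd: not found" failure above only shows up after the setup tool has already created the systemd unit. The following pre-flight script is an added example (it is not from this post and not part of Docker's setup tool) that checks the same prerequisites before running dockerd-rootless-setuptool.sh install: the binaries that the uidmap, docker-ce and docker-ce-rootless-extras packages are expected to put on PATH (newuidmap, newgidmap, dockerd, rootlesskit, slirp4netns, iptables), the subordinate ID ranges in /etc/subuid and /etc/subgid (Docker's rootless prerequisites require at least 65536 per user), and the Ubuntu 24.04 AppArmor user-namespace restriction that the rootlesskit profile above exists for. The function names and the "check" argument are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post or from Docker's setup tool:
# pre-flight checks for dockerd-rootless-setuptool.sh install.

# Print the names from the argument list that are not on PATH (space
# separated); exit status 0 only when nothing is missing.
missing_binaries() {
    missing=""
    for b in "$@"; do
        command -v "$b" >/dev/null 2>&1 || missing="$missing $b"
    done
    missing="${missing# }"
    printf '%s' "$missing"
    [ -z "$missing" ]
}

# Read /etc/subuid or /etc/subgid content from stdin (lines such as
# "holliy:100000:65536") and print the total number of sub-IDs allotted to
# the named user; a user may have several lines, which are summed.
subid_count() {
    awk -F: -v u="$1" '$1 == u { total += $3 } END { print total + 0 }'
}

# Exit status 0 when the user named in $1 has at least 65536 sub-IDs in the
# file content supplied on stdin (the minimum rootless Docker requires).
subid_ok() {
    count=$(subid_count "$1")
    [ "$count" -ge 65536 ]
}

preflight_report() {
    status=0
    user=$(id -un)

    if m=$(missing_binaries dockerd rootlesskit slirp4netns newuidmap newgidmap iptables); then
        echo "binaries: ok"
    else
        echo "binaries missing from PATH: $m"
        status=1
    fi

    for f in /etc/subuid /etc/subgid; do
        if [ -r "$f" ] && subid_ok "$user" < "$f"; then
            echo "$f: ok ($(subid_count "$user" < "$f") sub-IDs for $user)"
        else
            echo "$f: $user needs at least 65536 sub-IDs (a line such as '$user:100000:65536')"
            status=1
        fi
    done

    # Ubuntu 24.04 restricts unprivileged user namespaces through AppArmor;
    # that is what the rootlesskit profile added earlier in the post is for.
    sysctl_file=/proc/sys/kernel/apparmor_restrict_unprivileged_userns
    if [ -r "$sysctl_file" ]; then
        echo "apparmor_restrict_unprivileged_userns=$(cat "$sysctl_file") (1 means rootlesskit needs an AppArmor profile granting userns)"
    fi

    return "$status"
}

# `sh rootless-preflight.sh check` runs the report (exit status 1 on any
# failure); without the argument the file only defines the functions.
if [ "${1:-}" = "check" ]; then
    preflight_report
fi
```

Run it as `sh rootless-preflight.sh check` before the install step; a missing dockerd is reported as a missing binary instead of surfacing as exit status 127 inside the systemd unit.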
According to the page below, the difference between docker-ce and docker.io is that docker-ce follows upstream releases more closely, so install the docker-ce package.
Package details for docker-ce and docker.io
The maintainers differ: Docker for docker-ce, Ubuntu Developers for docker.io.
$ apt show docker-ce docker.io
Package: docker-ce
Version: 5:27.1.1-1~ubuntu.24.04~noble
Priority: optional
Section: admin
Maintainer: Docker <support@docker.com>
Installed-Size: 109 MB
Depends: containerd.io (>= 1.6.24), docker-ce-cli, iptables, libseccomp2 (>= 2.3.0), libc6 (>= 2.34), libsystemd0
Recommends: apparmor, ca-certificates, docker-ce-rootless-extras, git, libltdl7, pigz, procps, xz-utils
Suggests: aufs-tools, cgroupfs-mount | cgroup-lite
Conflicts: docker (<< 1.5~), docker-engine, docker.io
Replaces: docker-engine
Homepage: https://www.docker.com
Download-Size: 25.3 MB
APT-Sources: https://download.docker.com/linux/ubuntu noble/stable amd64 Packages
Description: Docker: the open-source application container engine
Docker is a product for you to build, ship and run any application as a
lightweight container
.
Docker containers are both hardware-agnostic and platform-agnostic. This means
they can run anywhere, from your laptop to the largest cloud compute instance and
everything in between - and they don't require you to use a particular
language, framework or packaging system. That makes them great building blocks
for deploying and scaling web apps, databases, and backend services without
depending on a particular stack or provider.
Package: docker.io
Version: 24.0.7-0ubuntu4
Built-Using: glibc (= 2.39-0ubuntu8), golang-1.22 (= 1.22.2-2)
Priority: optional
Section: universe/admin
Source: docker.io-app
Origin: Ubuntu
Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
Bugs: https://bugs.launchpad.net/ubuntu/+filebug
Installed-Size: 109 MB
Depends: adduser, containerd (>= 1.2.6-0ubuntu1~), iptables, debconf (>= 0.5) | debconf-2.0, libc6 (>= 2.34), libdevmapper1.02.1 (>= 2:1.02.97), libsystemd0 (>= 209~)
Recommends: ca-certificates, git, pigz, ubuntu-fan, xz-utils, apparmor
Suggests: aufs-tools, btrfs-progs, cgroupfs-mount | cgroup-lite, debootstrap, docker-buildx, docker-compose-v2, docker-doc, rinse, zfs-fuse | zfsutils
Homepage: https://mobyproject.org/
Download-Size: 29.1 MB
APT-Sources: http://ftp.udx.icscoe.jp/Linux/ubuntu noble/universe amd64 Packages
Description: Linux container runtime
Docker complements kernel namespacing with a high-level API which operates at
the process level. It runs unix processes with strong guarantees of isolation
and repeatability across servers.
.
Docker is a great building block for automating distributed systems:
large-scale web deployments, database clusters, continuous deployment systems,
private PaaS, service-oriented architectures, etc.
N: 追加レコードが 12 件あります。表示するには '-a' スイッチを付けてください。
$ sudo apt install docker-ce
Installing the docker-ce package enables the system-wide Docker daemon, so disable it.
$ sudo systemctl disable --now docker.service docker.socket
$ sudo rm /var/run/docker.sock
$ sudo systemctl status docker.service docker.socket
○ docker.service - Docker Application Container Engine
Loaded: loaded (/usr/lib/systemd/system/docker.service; disabled; preset: enabled)
Active: inactive (dead)
TriggeredBy: ○ docker.socket
Docs: https://docs.docker.com
8月 04 23:24:54 wsl dockerd[7599]: time="2024-08-04T23:24:54.141463693+09:00" level=info msg="Docker daemon" commi>
8月 04 23:24:54 wsl dockerd[7599]: time="2024-08-04T23:24:54.141883201+09:00" level=info msg="Daemon has completed>
8月 04 23:24:54 wsl dockerd[7599]: time="2024-08-04T23:24:54.278779166+09:00" level=info msg="API listen on /run/d>
8月 04 23:24:54 wsl systemd[1]: Started docker.service - Docker Application Container Engine.
8月 04 23:28:38 wsl systemd[1]: Stopping docker.service - Docker Application Container Engine...
8月 04 23:28:38 wsl dockerd[7599]: time="2024-08-04T23:28:38.190014885+09:00" level=info msg="Processing signal 't>
8月 04 23:28:38 wsl dockerd[7599]: time="2024-08-04T23:28:38.192612876+09:00" level=info msg="stopping event strea>
8月 04 23:28:38 wsl dockerd[7599]: time="2024-08-04T23:28:38.194945142+09:00" level=info msg="Daemon shutdown comp>
8月 04 23:28:38 wsl systemd[1]: docker.service: Deactivated successfully.
8月 04 23:28:38 wsl systemd[1]: Stopped docker.service - Docker Application Container Engine.
○ docker.socket - Docker Socket for the API
Loaded: loaded (/usr/lib/systemd/system/docker.socket; disabled; preset: enabled)
Active: inactive (dead)
Triggers: ● docker.service
Listen: /run/docker.sock (Stream)
8月 04 23:24:53 wsl systemd[1]: Starting docker.socket - Docker Socket for the API...
8月 04 23:24:53 wsl systemd[1]: Listening on docker.socket - Docker Socket for the API.
8月 04 23:28:38 wsl systemd[1]: docker.socket: Deactivated successfully.
8月 04 23:28:38 wsl systemd[1]: Closed docker.socket - Docker Socket for the API.
Before continuing the setup with dockerd-rootless-setuptool.sh install, the earlier error output suggests uninstalling once first, so uninstall and then continue.
Before retrying installation, you might need to uninstall the current setup:
/usr/bin/dockerd-rootless-setuptool.sh uninstall -f ; /usr/bin/rootlesskit rm -rf /home/holliy/.local/share/docker
$ /usr/bin/dockerd-rootless-setuptool.sh uninstall -f ; /usr/bin/rootlesskit rm -rf $HOME/.local/share/docker
+ systemctl --user stop docker.service
+ systemctl --user disable docker.service
[INFO] Uninstalled docker.service
Current context is now "default"
[INFO] Configured CLI to use the "default" context.
[INFO]
[INFO] Make sure to unset or update the environment PATH, DOCKER_HOST, and DOCKER_CONTEXT environment variables if you have added them
to `~/.bashrc`.
[INFO] This uninstallation tool does NOT remove Docker binaries and data.
[INFO] To remove data, run: `/usr/bin/rootlesskit rm -rf /home/holliy/.local/share/docker`
$ dockerd-rootless-setuptool.sh install
[INFO] Creating /home/holliy/.config/systemd/user/docker.service
[INFO] starting systemd service docker.service
+ systemctl --user start docker.service
+ sleep 3
+ systemctl --user --no-pager --full status docker.service
● docker.service - Docker Application Container Engine (Rootless)
Loaded: loaded (/home/holliy/.config/systemd/user/docker.service; disabled; preset: enabled)
Active: active (running) since Sun 2024-08-04 23:40:27 JST; 3s ago
Docs: https://docs.docker.com/go/rootless/
Main PID: 6789 (rootlesskit)
Tasks: 51
Memory: 60.7M ()
CPU: 402ms
CGroup: /user.slice/user-1002.slice/user@1002.service/app.slice/docker.service
├─6789 rootlesskit --state-dir=/run/user/1002/dockerd-rootless --net=slirp4netns --mtu=65520 --slirp4netns-sandbox=auto --slirp4netns-seccomp=auto --disable-host-loopback --port-driver=builtin --copy-up=/etc --copy-up=/run --propagation=rslave /usr/bin/dockerd-rootless.sh
├─6800 /proc/self/exe --state-dir=/run/user/1002/dockerd-rootless --net=slirp4netns --mtu=65520 --slirp4netns-sandbox=auto --slirp4netns-seccomp=auto --disable-host-loopback --port-driver=builtin --copy-up=/etc --copy-up=/run --propagation=rslave /usr/bin/dockerd-rootless.sh
├─6822 slirp4netns --mtu 65520 -r 3 --disable-host-loopback --enable-sandbox --enable-seccomp 6800 tap0
├─6829 dockerd
└─6852 containerd --config /run/user/1002/docker/containerd/containerd.toml
8月 04 23:40:27 wsl dockerd-rootless.sh[6829]: time="2024-08-04T23:40:27.861595356+09:00" level=warning msg="WARNING: No io.weight support"
8月 04 23:40:27 wsl dockerd-rootless.sh[6829]: time="2024-08-04T23:40:27.861603033+09:00" level=warning msg="WARNING: No io.weight (per device) support"
8月 04 23:40:27 wsl dockerd-rootless.sh[6829]: time="2024-08-04T23:40:27.861607968+09:00" level=warning msg="WARNING: No io.max (rbps) support"
8月 04 23:40:27 wsl dockerd-rootless.sh[6829]: time="2024-08-04T23:40:27.861611806+09:00" level=warning msg="WARNING: No io.max (wbps) support"
8月 04 23:40:27 wsl dockerd-rootless.sh[6829]: time="2024-08-04T23:40:27.861615535+09:00" level=warning msg="WARNING: No io.max (riops) support"
8月 04 23:40:27 wsl dockerd-rootless.sh[6829]: time="2024-08-04T23:40:27.861620032+09:00" level=warning msg="WARNING: No io.max (wiops) support"
8月 04 23:40:27 wsl dockerd-rootless.sh[6829]: time="2024-08-04T23:40:27.861640321+09:00" level=info msg="Docker daemon" commit=cc13f95 containerd-snapshotter=false storage-driver=overlay2 version=27.1.1
8月 04 23:40:27 wsl dockerd-rootless.sh[6829]: time="2024-08-04T23:40:27.861897936+09:00" level=info msg="Daemon has completed initialization"
8月 04 23:40:27 wsl dockerd-rootless.sh[6829]: time="2024-08-04T23:40:27.971857368+09:00" level=info msg="API listen on /run/user/1002/docker.sock"
8月 04 23:40:27 wsl systemd[368]: Started docker.service - Docker Application Container Engine (Rootless).
+ DOCKER_HOST=unix:///run/user/1002//docker.sock /usr/bin/docker version
Client: Docker Engine - Community
Version: 27.1.1
API version: 1.46
Go version: go1.21.12
Git commit: 6312585
Built: Tue Jul 23 19:57:14 2024
OS/Arch: linux/amd64
Context: default
Server: Docker Engine - Community
Engine:
Version: 27.1.1
API version: 1.46 (minimum version 1.24)
Go version: go1.21.12
Git commit: cc13f95
Built: Tue Jul 23 19:57:14 2024
OS/Arch: linux/amd64
Experimental: false
containerd:
Version: 1.7.19
GitCommit: 2bf793ef6dc9a18e00cb12efb64355c2c9d5eb41
runc:
Version: 1.7.19
GitCommit: v1.1.13-0-g58aa920
docker-init:
Version: 0.19.0
GitCommit: de40ad0
rootlesskit:
Version: 2.0.2
ApiVersion: 1.1.1
NetworkDriver: slirp4netns
PortDriver: builtin
StateDir: /run/user/1002/dockerd-rootless
slirp4netns:
Version: 1.2.1
GitCommit: 09e31e92fa3d2a1d3ca261adaeb012c8d75a8194
+ systemctl --user enable docker.service
Created symlink /home/holliy/.config/systemd/user/default.target.wants/docker.service → /home/holliy/.config/systemd/user/docker.service.
[INFO] Installed docker.service successfully.
[INFO] To control docker.service, run: `systemctl --user (start|stop|restart) docker.service`
[INFO] To run docker.service on system startup, run: `sudo loginctl enable-linger holliy`
[INFO] Creating CLI context "rootless"
Successfully created context "rootless"
[INFO] Using CLI context "rootless"
Current context is now "rootless"
[INFO] Make sure the following environment variable(s) are set (or add them to ~/.bashrc):
export PATH=/usr/bin:$PATH
[INFO] Some applications may require the following environment variable too:
export DOCKER_HOST=unix:///run/user/1002//docker.sock
Run a container from the hello-world image to confirm that Docker works.
$ docker run --rm hello-world
Unable to find image 'hello-world:latest' locally
latest: Pulling from library/hello-world
c1ec31eb5944: Pull complete
Digest: sha256:1408fec50309afee38f3535383f5b09419e6dc0925bc69891e79d84cc4cdcec6
Status: Downloaded newer image for hello-world:latest
Hello from Docker!
This message shows that your installation appears to be working correctly.
To generate this message, Docker took the following steps:
1. The Docker client contacted the Docker daemon.
2. The Docker daemon pulled the "hello-world" image from the Docker Hub.
(amd64)
3. The Docker daemon created a new container from that image which runs the
executable that produces the output you are currently reading.
4. The Docker daemon streamed that output to the Docker client, which sent it
to your terminal.
To try something more ambitious, you can run an Ubuntu container with:
$ docker run -it ubuntu bash
Share images, automate workflows, and more with a free Docker ID:
https://hub.docker.com/
For more examples and ideas, visit:
https://docs.docker.com/get-started/
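hello-world only proves that some daemon answered. The script below is an added example (not from this post) that checks the two things the security of this setup rests on: that the system-wide daemon and socket disabled earlier have stayed disabled with no root-owned /var/run/docker.sock left behind, and that the docker CLI is actually talking to the rootless daemon. It relies on `docker info --format '{{.SecurityOptions}}'`, which prints the Security Options list shown further down in the post's docker info output in the form `[name=seccomp,profile=builtin name=rootless name=cgroupns]`, on `systemctl is-enabled` for the system units, and on the per-user socket path from the "API listen on" journal line. Function names and the "check" argument are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post: verify that the CLI uses the
# rootless daemon and that the root daemon has not come back.

# Exit status 0 when the option named in $2 appears in a SecurityOptions
# string ($1); entries may carry extra "key=value" fields after a comma.
security_option_present() {
    opts=$(printf '%s' "$1" | tr -d '[]')
    wanted="$2"
    for o in $opts; do
        case "$o" in
            "name=$wanted"|"name=$wanted,"*) return 0 ;;
        esac
    done
    return 1
}

# Socket a rootless daemon listens on for the calling user.
rootless_socket() {
    printf '/run/user/%s/docker.sock' "$(id -u)"
}

verify_rootless() {
    status=0
    # A rootless setup that still has /var/run/docker.sock around invites
    # clients (and anything in the docker group) to use the privileged one.
    if [ -S /var/run/docker.sock ]; then
        echo "warning: /var/run/docker.sock still exists (system daemon or docker.socket active?)"
        status=1
    fi
    for unit in docker.service docker.socket; do
        state=$(systemctl is-enabled "$unit" 2>/dev/null || true)
        if [ "$state" != "disabled" ]; then
            echo "warning: system $unit is '${state:-unknown}', expected 'disabled'"
            status=1
        fi
    done
    sock=$(rootless_socket)
    if [ ! -S "$sock" ]; then
        echo "rootless daemon socket $sock not found; is docker.service started for this user?"
        return 1
    fi
    opts=$(docker info --format '{{.SecurityOptions}}' 2>/dev/null || true)
    if security_option_present "$opts" rootless; then
        echo "docker CLI is using a rootless daemon: $opts"
    else
        echo "docker CLI is NOT using a rootless daemon (security options: ${opts:-unavailable}); check the docker context and DOCKER_HOST"
        status=1
    fi
    return "$status"
}

# `sh verify-rootless.sh check` runs the checks; without the argument the
# file only defines the functions.
if [ "${1:-}" = "check" ]; then
    verify_rootless
fi
```

Run it as `sh verify-rootless.sh check` from the user that ran the setup tool. A "docker CLI is NOT using a rootless daemon" result usually means the CLI context or DOCKER_HOST still points at the system socket rather than the one under /run/user.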
The end of the docker info output shows the following warnings, which are dealt with next.
WARNING: No cpuset support
WARNING: No io.weight support
WARNING: No io.weight (per device) support
WARNING: No io.max (rbps) support
WARNING: No io.max (wbps) support
WARNING: No io.max (riops) support
WARNING: No io.max (wiops) support
Following the Limiting resources section, run the following so that the cpuset and io controllers can be delegated to the non-root user.
$ sudo mkdir -p /etc/systemd/system/user@.service.d
$ cat << EOF | sudo tee /etc/systemd/system/user@.service.d/delegate.conf
[Service]
Delegate=cpu cpuset io memory pids
EOF
$ sudo systemctl daemon-reload
$ systemctl --user restart docker
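Whether the drop-in took effect can be checked without reading the daemon's warnings: with cgroup v2 and a systemd user session, the controllers delegated to the user are listed in cgroup.controllers under user@<uid>.service (the same subtree the CGroup line in the systemctl status output above shows), and the "No cpuset support" / "No io.* support" warnings disappear once cpuset and io appear there. The script below is an added example, not from the post; the controller list and path are the ones the post uses, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post: verify that Delegate= reached
# this user's cgroup subtree.

# Print the controllers from the wanted list ($2) that are absent from the
# space-separated list actually available ($1); exit status 0 if none.
missing_controllers() {
    have=" $1 "
    missing=""
    for c in $2; do
        case "$have" in
            *" $c "*) ;;
            *) missing="$missing $c" ;;
        esac
    done
    missing="${missing# }"
    printf '%s' "$missing"
    [ -z "$missing" ]
}

# cgroup.controllers file of the calling user's systemd user service.
user_controllers_file() {
    uid=$(id -u)
    printf '/sys/fs/cgroup/user.slice/user-%s.slice/user@%s.service/cgroup.controllers' "$uid" "$uid"
}

# Compare what is delegated with what delegate.conf asks for.
check_delegation() {
    wanted="cpu cpuset io memory pids"
    f=$(user_controllers_file)
    if [ ! -r "$f" ]; then
        echo "cannot read $f: not cgroup v2 with a systemd user session?"
        return 2
    fi
    have=$(cat "$f")
    if m=$(missing_controllers "$have" "$wanted"); then
        echo "delegated to $(id -un): $have"
    else
        echo "not delegated: $m (available: ${have:-none})"
        echo "check /etc/systemd/system/user@.service.d/delegate.conf, run sudo systemctl daemon-reload, and if the warnings persist log out and back in so user@$(id -u).service restarts"
        return 1
    fi
}

# `sh check-delegation.sh check` runs the comparison; without the argument
# the file only defines the functions.
if [ "${1:-}" = "check" ]; then
    check_delegation
fi
```

Run it as `sh check-delegation.sh check`; it should print all five controllers before the daemon is restarted, otherwise the restart will reproduce the warnings.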
The final docker info output is as follows.
Client: Docker Engine - Community
Version: 27.1.1
Context: rootless
Debug Mode: false
Plugins:
buildx: Docker Buildx (Docker Inc.)
Version: v0.16.1
Path: /usr/libexec/docker/cli-plugins/docker-buildx
compose: Docker Compose (Docker Inc.)
Version: v2.29.1
Path: /usr/libexec/docker/cli-plugins/docker-compose
Server:
Containers: 0
Running: 0
Paused: 0
Stopped: 0
Images: 1
Server Version: 27.1.1
Storage Driver: overlay2
Backing Filesystem: extfs
Supports d_type: true
Using metacopy: false
Native Overlay Diff: true
userxattr: true
Logging Driver: json-file
Cgroup Driver: systemd
Cgroup Version: 2
Plugins:
Volume: local
Network: bridge host ipvlan macvlan null overlay
Log: awslogs fluentd gcplogs gelf journald json-file local splunk syslog
Swarm: inactive
Runtimes: io.containerd.runc.v2 runc
Default Runtime: runc
Init Binary: docker-init
containerd version: 2bf793ef6dc9a18e00cb12efb64355c2c9d5eb41
runc version: v1.1.13-0-g58aa920
init version: de40ad0
Security Options:
seccomp
Profile: builtin
rootless
cgroupns
Kernel Version: 5.15.153.1-microsoft-standard-WSL2
Operating System: Ubuntu 24.04 LTS
OSType: linux
Architecture: x86_64
CPUs: 12
Total Memory: 3.827GiB
Name: wsl
ID: 5e18a63c-54c1-4b8d-923e-188cd59fcbf1
Docker Root Dir: /home/holliy/.local/share/docker
Debug Mode: false
Experimental: false
Insecure Registries:
127.0.0.0/8
Live Restore Enabled: false
As an additional functional check, run an nginx container and see whether its page can be viewed.
The nginx image exposes port 80 by default, but Rootless Docker normally cannot expose ports numbered 1024 and below (privileged ports), so map it to a different port and run it.
$ docker run --rm -p 8080:80 nginx
The run log streams to standard output, so open another terminal to check connectivity.
$ curl -i localhost:8080
HTTP/1.1 200 OK
Server: nginx/1.27.0
Date: Sun, 04 Aug 2024 15:45:29 GMT
Content-Type: text/html
Content-Length: 615
Last-Modified: Tue, 28 May 2024 13:22:30 GMT
Connection: keep-alive
ETag: "6655da96-267"
Accept-Ranges: bytes
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
html { color-scheme: light dark; }
body { width: 35em; margin: 0 auto;
font-family: Tahoma, Verdana, Arial, sans-serif; }
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>
<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>
<p><em>Thank you for using nginx.</em></p>
</body>
</html>
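The privileged-port limitation behind the -p 8080:80 mapping above comes from the kernel rather than from Docker: rootlesskit's port driver binds host ports as the unprivileged user, so any host port below net.ipv4.ip_unprivileged_port_start (default 1024, i.e. ports 0-1023) fails with a permission error. The script below is an added example, not from the post, that parses the host port out of a docker -p specification in the forms docker run accepts (port, host:container, ip:host:container, a bracketed IPv6 address, an optional /proto suffix, host port ranges) and compares it with the threshold read from /proc. Function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post: will `docker run -p SPEC`
# work on a rootless daemon?

# Print the host port from a -p spec; empty output means Docker chooses an
# ephemeral host port, which is never privileged.  For a range, the lowest
# port decides.
host_port_of_spec() {
    spec="${1%%/*}"                       # drop /tcp, /udp, /sctp
    case "$spec" in
        \[*\]:*) spec="${spec#*]:}" ;;    # drop a bracketed IPv6 host address
    esac
    case "$spec" in
        *:*:*) spec="${spec#*:}"; host="${spec%%:*}" ;;   # ip:host:container
        *:*)   host="${spec%%:*}" ;;                      # host:container
        *)     host="" ;;                                 # container only
    esac
    printf '%s' "${host%%-*}"
}

# First unprivileged port on this kernel; falls back to the default.
unprivileged_port_start() {
    if [ -r /proc/sys/net/ipv4/ip_unprivileged_port_start ]; then
        cat /proc/sys/net/ipv4/ip_unprivileged_port_start
    else
        echo 1024
    fi
}

# Exit status 0 when host port $1 can be bound without CAP_NET_BIND_SERVICE
# given threshold $2.
port_allowed() {
    [ -z "$1" ] || [ "$1" -ge "$2" ]
}

# Report whether `docker run -p $1 ...` will work on a rootless daemon.
# $2 overrides the threshold (used by the tests).
check_port_spec() {
    spec="$1"
    start="${2:-$(unprivileged_port_start)}"
    port=$(host_port_of_spec "$spec")
    if port_allowed "$port" "$start"; then
        echo "ok: -p $spec (host port ${port:-ephemeral}, unprivileged ports start at $start)"
    else
        echo "blocked: -p $spec binds host port $port, below ip_unprivileged_port_start=$start"
        echo "  map to a higher host port instead (as the post does with -p 8080:80)"
        return 1
    fi
}

# Usage: sh rootless-port-check.sh 8080:80 80:80 127.0.0.1:443:443
for spec in "$@"; do
    check_port_spec "$spec"
done
```

If a low host port really is required, the Docker rootless documentation offers two ways: granting CAP_NET_BIND_SERVICE to the rootlesskit binary (`sudo setcap cap_net_bind_service=ep $(which rootlesskit)`, then `systemctl --user restart docker`) or lowering net.ipv4.ip_unprivileged_port_start. The capability is the narrower change, since the sysctl lets every unprivileged process on the host bind low ports; the script above reads the sysctl, so it reflects the second option but not the first.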