
AWS: Installing Rootless Docker on Amazon Linux 2023


TL;DR

Install Docker normally with sudo dnf install docker, disable the root daemon with sudo systemctl disable --now docker.service docker.socket, then run sudo loginctl enable-linger [UID_OF_USER] and set the following environment variables for the user who will run the rootless Docker daemon:

export XDG_RUNTIME_DIR=/run/user/[UID_OF_USER]
export DOCKER_HOST=unix:///run/user/[UID_OF_USER]/docker.sock

Finally, as that user, run curl https://get.docker.com/rootless | sh instead of dockerd-rootless-setuptool.sh install (which the Amazon Linux package does not ship). Because the rootless daemon falls back to the VFS storage driver by default (which performs terribly), manually install the fuse-overlayfs binary as well.

Steps and Pitfalls

Step 1: Install Docker from the Amazon Linux repository; do not use the Docker CE repository

The official Docker CE repository does not support Amazon Linux, so we do not use it.

sudo dnf install docker

# Disable Docker running as root
sudo systemctl disable --now docker.service docker.socket

Step 2: Create a dedicated user

The default user on an AWS EC2 instance, ec2-user, can run sudo without a password. Running the Docker daemon as a user that is effectively root defeats the purpose of rootless mode, so we create a dedicated user named compose for Docker. In this explanation the UID is 1001; replace it with the UID your system actually assigns.

sudo useradd -d /var/compose -m -s /bin/bash compose
# 1001 is the UID assigned to compose here; check yours with: id -u compose
sudo loginctl enable-linger 1001

Step 3: Set environment variables

As the compose user, set the necessary environment variables by adding the following to ~/.profile or ~/.bashrc, or by any other appropriate method:

export XDG_RUNTIME_DIR=/run/user/1001
export DOCKER_HOST=unix:///run/user/1001/docker.sock

Step 4: Execute dockerd-rootless-setuptool.sh

When Docker is installed from the Docker CE repository, dockerd-rootless-setuptool.sh is included, but the Docker package from the Amazon Linux repository does not ship it. Instead, download and run the equivalent script from get.docker.com with curl, as the compose user:

curl https://get.docker.com/rootless | sh

Step 5: Install fuse-overlayfs

The official Amazon Linux repository does not contain fuse-overlayfs, which is recommended for Docker.
https://github.com/amazonlinux/amazon-linux-2023/issues/427

If left as is, VFS will be used as the storage driver, with catastrophic performance. Fortunately, fuse-overlayfs is distributed as a single static binary. Download the binary matching your architecture from the official GitHub releases page and place it in ~/bin (the directory the rootless install script already uses for the Docker binaries).

https://github.com/containers/fuse-overlayfs/releases

# As the compose user. aarch64 is shown; pick the release asset matching `uname -m`.
mkdir -p ~/bin && cd ~/bin
wget https://github.com/containers/fuse-overlayfs/releases/download/v1.15/fuse-overlayfs-aarch64

mv fuse-overlayfs-aarch64 fuse-overlayfs
chmod +x ./fuse-overlayfs

Step 6: Verify operation

# Verify that Docker is working (as the compose user, with DOCKER_HOST set as in Step 3)
docker run hello-world

Finally, confirm that fuse-overlayfs, not VFS, is the storage driver in use. The layer directory under the rootless data root is named after the driver:

[compose@hostname ~]$ ls ~/.local/share/docker
buildkit    containers  fuse-overlayfs  network  runtimes  tmp
containerd  engine-id   image           plugins  swarm     volumes
[compose@hostname ~]$ ls ~/.local/share/docker/fuse-overlayfs
771e0b6b5f4554e34a0d3cd19810722db22bd7c0591504af83acb33a761864c2
d76a6953cd399c40f01f920b535284324b49a86f64719f8eaa06fea01cf8c046
d76a6953cd399c40f01f920b535284324b49a86f64719f8eaa06fea01cf8c046-init
eb695c380602b34e7b7d553a67cb3767bc14c828d890e911ea943e0a17e6a0c0
eb695c380602b34e7b7d553a67cb3767bc14c828d890e911ea943e0a17e6a0c0-init
l

# Confirm that VFS is not being used, just to be sure
[compose@hostname ~]$ ls ~/.local/share/docker/vfs
ls: cannot access '/var/compose/.local/share/docker/vfs': No such file or directory
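A post-install check script for Steps 1 to 6, added here as an example that is not part of the original article. It parses the storage driver out of `docker info`, checks that DOCKER_HOST points at the user's own socket, repeats the article's data-root test, and confirms the root daemon is still disabled and linger is on; it assumes the dedicated user is compose with UID 1001 and the default rootless data root ~/.local/share/docker.

```shell
#!/bin/sh
# Post-install checks for the rootless Docker setup. Added example, not from
# the original article; assumes user "compose", UID 1001, data root ~/.local/share/docker.

# Extract the storage driver from `docker info` text read on stdin.
storage_driver_from_info() {
  awk -F': ' '/^ *Storage Driver:/ { print $2; exit }'
}

# Falling back to vfs is exactly the failure mode Step 5 exists to avoid.
driver_is_ok() {
  case "$1" in
    vfs|"") return 1 ;;
    *)      return 0 ;;
  esac
}

# DOCKER_HOST must be the user's own socket (Step 3), never the root one.
docker_host_is_user_socket() {
  if [ "$2" = "unix:///run/user/$1/docker.sock" ]; then return 0; fi
  return 1
}

# The article's ls-based test: fuse-overlayfs layer dir present, vfs absent.
data_root_uses_fuse_overlayfs() {
  if [ -d "$1/fuse-overlayfs" ] && [ ! -d "$1/vfs" ]; then return 0; fi
  return 1
}

# Live checks, only run on a host where docker is actually installed.
if command -v docker >/dev/null 2>&1; then
  uid=$(id -u)
  docker_host_is_user_socket "$uid" "${DOCKER_HOST:-}" \
    || echo "WARN: DOCKER_HOST is not unix:///run/user/$uid/docker.sock"
  driver=$(docker info 2>/dev/null | storage_driver_from_info)
  driver_is_ok "$driver" \
    || echo "WARN: storage driver is '${driver:-unknown}', expected fuse-overlayfs"
  data_root_uses_fuse_overlayfs "$HOME/.local/share/docker" \
    || echo "WARN: data root has no fuse-overlayfs layer directory (or has a vfs one)"
  # Root daemon must stay disabled (Step 1) and linger enabled (Step 2).
  [ "$(systemctl is-enabled docker.service 2>/dev/null)" = "disabled" ] \
    || echo "WARN: root docker.service is not disabled"
  [ "$(loginctl show-user "$uid" -p Linger --value 2>/dev/null)" = "yes" ] \
    || echo "WARN: linger is not enabled for uid $uid"
fi
```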
