Running Docker containers rootless

newsletter

Hi,

I would like to run Docker rootless.

This is what it currently looks like on my side:
Code:
dev@docker:~ $ docker --version
Docker version 24.0.7, build afdd53b

User "dev" is in the docker group:
Code:
dev@docker:/srv/Testumgebung/Docker/heimdall $ cat /etc/group | grep docker
docker:x:992:dev

UID 1002 is dev:
Code:
dev@docker:/srv/Testumgebung/Docker/heimdall $ id dev
uid=1002(dev) gid=1002(dev) groups=1002(dev),100(users),992(docker),1003(share)

Newly added at the very bottom of user "dev"'s bashrc
( nano ~/.bashrc ):

Code:
export DOCKER_CLI_AKV2_ROOTLESS_EXPERIMENTAL=enabled
export PATH=/srv/Testumgebung/Docker:$PATH
export DOCKER_HOST=unix:///run/user/1002/docker.sock

Test with this docker compose file under /srv/Testumgebung/Docker/heimdall:
YAML:
---
version: "2.1"
services:
  heimdall:
    image: lscr.io/linuxserver/heimdall:2.5.6
    container_name: heimdall
    environment:
      - PUID=1002
      - PGID=1002
      - TZ=Europe/Berlin
    volumes:
      - /srv/Testumgebung/Docker/heimdall/data:/config
    ports:
      - 3000:80
      - 3001:443
    restart: unless-stopped

Error messages:
Code:
dev@docker:/srv/Testumgebung/Docker/heimdall $ docker compose up -d
Cannot connect to the Docker daemon at unix:///run/user/1002/docker.sock. Is the docker daemon running?

After removing this line from dev's ~/.bashrc
Code:
export DOCKER_HOST=unix:///run/user/1002/docker.sock

I can install heimdall:
docker compose up -d
Code:
dev@docker:/srv/Testumgebung/Docker/heimdall $ docker compose up -d
[+] Running 10/10
 ✔ heimdall 9 layers [⣿⣿⣿⣿⣿⣿⣿⣿⣿]      0B/0B      Pulled                   41.5s
   ✔ 6dfc71ecd6ee Pull complete                                            1.9s
   ✔ 07a0e16f7be1 Pull complete                                            0.4s
   ✔ efbf43c6653c Pull complete                                            0.5s
   ✔ 757becd0c00b Pull complete                                            2.4s
   ✔ 7afeddcdf0d2 Pull complete                                            1.1s
   ✔ b4d37ceee8d2 Pull complete                                            5.6s
   ✔ 87ef6e75a017 Pull complete                                            2.7s
   ✔ 9d6571547a46 Pull complete                                            7.1s
   ✔ 8574d7774a56 Pull complete                                            3.3s

... that works too.
... Just not without root:

docker exec heimdall id
Code:
dev@docker:/srv/Testumgebung/Docker/heimdall $ docker exec heimdall id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),20(dialout),26(tape),27(video)


docker exec heimdall ps aux
Code:
dev@docker:/srv/Testumgebung/Docker/heimdall $ docker exec heimdall ps aux
USER         PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root           1  0.0  0.0    200    64 ?        Ss   13:26   0:00 /package/admin/s6/command/s6-svscan -d4 -- /run/service
root          15  0.0  0.0    204    68 ?        S    13:26   0:00 s6-supervise s6-linux-init-shutdownd
root          17  0.0  0.0    192     4 ?        Ss   13:26   0:00 /package/admin/s6-linux-init/command/s6-linux-init-shutdownd -c /run/s6/basedir -g 3000 -C -B
root          38  0.0  0.0    204    64 ?        S    13:26   0:00 s6-supervise svc-queue
root          39  0.0  0.0    204    64 ?        S    13:26   0:00 s6-supervise svc-php-fpm
root          40  0.0  0.0    204    68 ?        S    13:26   0:00 s6-supervise svc-cron
root          41  0.0  0.0    204    64 ?        S    13:26   0:00 s6-supervise svc-nginx
root          42  0.0  0.0    204    68 ?        S    13:26   0:00 s6-supervise s6rc-fdholder
root          43  0.0  0.0    204    68 ?        S    13:26   0:00 s6-supervise s6rc-oneshot-runner
root          51  0.0  0.0    180    48 ?        Ss   13:26   0:00 /package/admin/s6/command/s6-ipcserverd -1 -- /package/admin/s6/command/s6-ipcserver-access -v0 -E -l0 -i data/rules -- /package/admin/s6/command/s6-sudod -t 30000 -- /package/admin/s6-rc/command/s6-rc-oneshot-run -l ../.. --
root         285  0.2  2.1  45716 20052 ?        Ss   13:26   0:00 php-fpm: master process (/etc/php82/php-fpm.conf)
abc          286  1.2  5.0  69124 46788 ?        Ss   13:26   0:01 php /app/www/artisan queue:work database --sleep=3 --tries=3
root         287  0.0  0.6  18104  6344 ?        Ss   13:26   0:00 nginx: master process /usr/sbin/nginx
root         288  0.0  0.1   1696   956 ?        Ss   13:26   0:00 /usr/sbin/crond -f -S -l 5
abc          315  0.0  0.2  18552  2276 ?        S    13:27   0:00 nginx: worker process
abc          316  0.0  0.2  18552  2276 ?        S    13:27   0:00 nginx: worker process
abc          317  0.0  0.2  18552  2276 ?        S    13:27   0:00 nginx: worker process
abc          318  0.0  0.2  18552  2276 ?        S    13:27   0:00 nginx: worker process
abc          319  0.0  0.6  45724  5724 ?        S    13:27   0:00 php-fpm: pool www
abc          320  0.0  0.6  45724  5664 ?        S    13:27   0:00 php-fpm: pool www
root         341  100  0.1   2728  1764 ?        Rs   13:29   0:00 ps aux

inspect heimdall:
Code:
Inspect
49fcba5b69a7d6e866bcdd1549de1fe73f13f7a5a8dbd3074ef8bde2b1fe4581
AppArmorProfile
Args
Config
AttachStderr true
AttachStdin false
AttachStdout true
Cmd
Domainname
Entrypoint [ /init ]
Env [ PGID=1002, TZ=Europe/Berlin, PUID=1002, PATH=/lsiopy/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin, PS1=$(whoami)@$(hostname):$(pwd)\$ , HOME=/root, TERM=xterm, S6_CMD_WAIT_FOR_SERVICES_MAXTIME=0, S6_VERBOSITY=1, S6_STAGE2_HOOK=/docker-mods, VIRTUAL_ENV=/lsiopy, LSIO_FIRST_PARTY=true, S6_BEHAVIOUR_IF_STAGE2_FAILS=2 ]
ExposedPorts { 443/tcp: [object Object], 80/tcp: [object Object] }
Hostname 49fcba5b69a7
Image lscr.io/linuxserver/heimdall:2.5.6
Labels { build_version: Linuxserver.io version:- v2.5.6-ls236 Build-date:- 2023-10-20T18:30:44+00:00, com.docker.compose.config-hash: 13e018d0dbd37bd2d86221e94d4d2a40e9316be7a58478b4a722d34825f47a82, com.docker.compose.container-number: 1, com.docker.compose.depends_on: , com.docker.compose.image: sha256:24cf9ed80be58fd492af419dafc52e39acba70c99604057c95ec03ab89a3cfeb, com.docker.compose.oneoff: False, com.docker.compose.project: heimdall, com.docker.compose.project.config_files: /srv/Testumgebung/Docker/heimdall/docker-compose.yml, com.docker.compose.project.working_dir: /srv/Testumgebung/Docker/heimdall, com.docker.compose.service: heimdall, com.docker.compose.version: 2.21.0, maintainer: aptalca, org.opencontainers.image.authors: linuxserver.io, org.opencontainers.image.created: 2023-10-20T18:30:44+00:00, org.opencontainers.image.description: [Heimdall](https://heimdall.site) is a way to organise all those links to your most used web sites and web applications in a simple way. Simplicity is the key to Heimdall. Why not use it as your browser start page? It even has the ability to include a search bar using either Google, Bing or DuckDuckGo. , org.opencontainers.image.documentation: https://docs.linuxserver.io/images/docker-heimdall, org.opencontainers.image.licenses: GPL-3.0-only, org.opencontainers.image.ref.name: 10c24c4e6c674b29104a081f4dda09f56d334c1c, org.opencontainers.image.revision: 10c24c4e6c674b29104a081f4dda09f56d334c1c, org.opencontainers.image.source: https://github.com/linuxserver/docker-heimdall, org.opencontainers.image.title: Heimdall, org.opencontainers.image.url: https://github.com/linuxserver/docker-heimdall/packages, org.opencontainers.image.vendor: linuxserver.io, org.opencontainers.image.version: v2.5.6-ls236 }
OnBuild
OpenStdin false
StdinOnce false
Tty false
User
Volumes { /config: [object Object] }
WorkingDir /
Created 2023-11-18T12:26:03.493649996Z
Driver overlay2
ExecIDs
GraphDriver
Data { LowerDir: /var/lib/docker/overlay2/b55aa0d5d5970b98ae73893357528e342d2c0365a66395da56310a3cdceaa60d-init/diff:/var/lib/docker/overlay2/395ad0eea4086ccf7491a6f0ee1f561e68dbec30ea87001ea7dda2175a858ae8/diff:/var/lib/docker/overlay2/96eb64693b6d709e3a508d3a7d45acc9d5117ce3ca4e6e881f3831d9428aa676/diff:/var/lib/docker/overlay2/b00f1418ee3b45042c3f52064cff1bfc029369024d9e37084f7a7dfb4ab42b7d/diff:/var/lib/docker/overlay2/70f00b005c5c09db6c1f0569a1c252d31916b7916a7578794925398f2168eff5/diff:/var/lib/docker/overlay2/843c622c5aaa62541432f670c01de2bd730993990eca1a0685da3d1a20dd2811/diff:/var/lib/docker/overlay2/186697fe70b05514784715df390b1e5c63a404ac1f9f9d21018b64e4722ef52e/diff:/var/lib/docker/overlay2/b20f5372eec8c5ef7aa30051d0dc38fd1d63242324b8f75a0519ec8f33359617/diff:/var/lib/docker/overlay2/83c659717ba668a2da4aa1d542af44d7aecff98c87bf47f75a26b7e039d6b2bc/diff:/var/lib/docker/overlay2/e5a4f7a40b40e8155f4f74946d9ba9b489d0fbffe872ffa2dbd7e42f0c0f9dce/diff, MergedDir: /var/lib/docker/overlay2/b55aa0d5d5970b98ae73893357528e342d2c0365a66395da56310a3cdceaa60d/merged, UpperDir: /var/lib/docker/overlay2/b55aa0d5d5970b98ae73893357528e342d2c0365a66395da56310a3cdceaa60d/diff, WorkDir: /var/lib/docker/overlay2/b55aa0d5d5970b98ae73893357528e342d2c0365a66395da56310a3cdceaa60d/work }
Name overlay2
HostConfig
AutoRemove false
Binds [ /srv/Testumgebung/Docker/heimdall/data:/config:rw ]
BlkioDeviceReadBps
BlkioDeviceReadIOps
BlkioDeviceWriteBps
BlkioDeviceWriteIOps
BlkioWeight 0
BlkioWeightDevice
CapAdd
CapDrop
Cgroup
CgroupParent
CgroupnsMode private
ConsoleSize [ 0, 0 ]
ContainerIDFile
CpuCount 0
CpuPercent 0
CpuPeriod 0
CpuQuota 0
CpuRealtimePeriod 0
CpuRealtimeRuntime 0
CpuShares 0
CpusetCpus
CpusetMems
DeviceCgroupRules
DeviceRequests
Devices
Dns
DnsOptions
DnsSearch
ExtraHosts [ ]
GroupAdd
IOMaximumBandwidth 0
IOMaximumIOps 0
IpcMode private
Isolation
Links
LogConfig { Config: [object Object], Type: json-file }
MaskedPaths [ /proc/asound, /proc/acpi, /proc/kcore, /proc/keys, /proc/latency_stats, /proc/timer_list, /proc/timer_stats, /proc/sched_debug, /proc/scsi, /sys/firmware, /sys/devices/virtual/powercap ]
Memory 0
MemoryReservation 0
MemorySwap 0
MemorySwappiness
NanoCpus 0
NetworkMode heimdall_default
OomKillDisable
OomScoreAdj 0
PidMode
PidsLimit
PortBindings { 443/tcp: [object Object], 80/tcp: [object Object] }
Privileged false
PublishAllPorts false
ReadonlyPaths [ /proc/bus, /proc/fs, /proc/irq, /proc/sys, /proc/sysrq-trigger ]
ReadonlyRootfs false
RestartPolicy { MaximumRetryCount: 0, Name: unless-stopped }
Runtime runc
SecurityOpt
ShmSize 67108864
UTSMode
Ulimits
UsernsMode
VolumeDriver
VolumesFrom
HostnamePath /var/lib/docker/containers/49fcba5b69a7d6e866bcdd1549de1fe73f13f7a5a8dbd3074ef8bde2b1fe4581/hostname
HostsPath /var/lib/docker/containers/49fcba5b69a7d6e866bcdd1549de1fe73f13f7a5a8dbd3074ef8bde2b1fe4581/hosts
Id 49fcba5b69a7d6e866bcdd1549de1fe73f13f7a5a8dbd3074ef8bde2b1fe4581
Image sha256:24cf9ed80be58fd492af419dafc52e39acba70c99604057c95ec03ab89a3cfeb
LogPath /var/lib/docker/containers/49fcba5b69a7d6e866bcdd1549de1fe73f13f7a5a8dbd3074ef8bde2b1fe4581/49fcba5b69a7d6e866bcdd1549de1fe73f13f7a5a8dbd3074ef8bde2b1fe4581-json.log
MountLabel
Mounts
0 { Destination: /config, Mode: rw, Propagation: rprivate, RW: true, Source: /srv/Testumgebung/Docker/heimdall/data, Type: bind }
Name /heimdall
NetworkSettings
Bridge
EndpointID
Gateway
GlobalIPv6Address
GlobalIPv6PrefixLen 0
HairpinMode false
IPAddress
IPPrefixLen 0
IPv6Gateway
LinkLocalIPv6Address
LinkLocalIPv6PrefixLen 0
MacAddress
Networks { heimdall_default: [object Object] }
Ports { 443/tcp: [object Object],[object Object], 80/tcp: [object Object],[object Object] }
SandboxID 82d6a9a72d7eed8128c0372fe240e9f03c20c4deda7aa491eea7ceaff9ca0930
SandboxKey /var/run/docker/netns/82d6a9a72d7e
SecondaryIPAddresses
SecondaryIPv6Addresses
Path /init
Platform linux
ProcessLabel
ResolvConfPath /var/lib/docker/containers/49fcba5b69a7d6e866bcdd1549de1fe73f13f7a5a8dbd3074ef8bde2b1fe4581/resolv.conf
RestartCount 0
State
Dead false
Error
ExitCode 0
FinishedAt 0001-01-01T00:00:00Z
OOMKilled false
Paused false
Pid 2410
Restarting false
Running true
StartedAt 2023-11-18T12:26:13.883057523Z
Status running

Logs

Code:
[migrations] started
[migrations] 01-nginx-site-confs-default: executing...
[migrations] 01-nginx-site-confs-default: succeeded
[migrations] 02-default-location: executing...
[migrations] 02-default-location: succeeded
[migrations] done
───────────────────────────────────────
      ██╗     ███████╗██╗ ██████╗
      ██║     ██╔════╝██║██╔═══██╗
      ██║     ███████╗██║██║   ██║
      ██║     ╚════██║██║██║   ██║
      ███████╗███████║██║╚██████╔╝
      ╚══════╝╚══════╝╚═╝ ╚═════╝
   Brought to you by linuxserver.io
───────────────────────────────────────
To support LSIO projects visit:
https://www.linuxserver.io/donate/
───────────────────────────────────────
GID/UID
───────────────────────────────────────
User UID:    1002
User GID:    1002
───────────────────────────────────────
Setting resolver to  127.0.0.11
Setting worker_processes to 4
generating self-signed keys in /config/keys, you can replace these with your own keys if required
....+...+...+....+...+........+...+....+......+..+++++++++++++++++++++++++++++++++++++++*........+...+....+...+.....+....+...........+....+...+...+...+..+....+.....+.+...+.....+......+....+.....+.+++++++++++++++++++++++++++++++++++++++*........+................+..+.......+.....++++++
..........+.....+++++++++++++++++++++++++++++++++++++++*............+......+.+.........+..+....+...+..+.+..+............+...+++++++++++++++++++++++++++++++++++++++*..+...+....+..............+.....................................+..+...+...+.+...+..+..........+.....+.+.................+......+.......+........+.........+.+..++++++
-----
New container detected, installing Heimdall
chown: cannot dereference '/app/www/database/app.sqlite': No such file or directory
chown: cannot dereference '/app/www/.env': No such file or directory
Creating app key. This may take a while on slower systems
Application key set successfully.
[custom-init] No custom files found, skipping...
[ls.io-init] done.


....what am I doing wrong?
 
Hello

I'm not the Docker expert and would have to take a look at my containers for that, but:


Inside the container, everything usually runs as root and starts at PID 1.
Just not outside the container.
That means the container's PIDs on the host should be running with PID 1002.

Best regards
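An added example, not code from either post in this thread, that turns the two points made above into checks: whether the daemon the CLI reaches is really rootless or just the root daemon accessed through the "docker" group (the first post's setup), and which host uid a uid seen inside the container maps to once a user namespace is in play (the reply's point about root inside vs. the user outside). It runs on constructed input only, so no daemon is needed; uid 1002 and the socket path are taken from the thread, the subuid range 100000-165535 and the docker info lines are made up for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the thread. Two checks on constructed input, so it
# runs without a Docker daemon:
#  1. is the daemon the CLI talks to actually rootless, or is it the root daemon
#     reached through membership in the "docker" group?
#  2. which host uid does a uid seen inside the container map to, given the
#     user-namespace uid_map a rootless daemon sets up?
# All sample values (uid 1002, the socket path, the subuid range) are assumptions
# taken from the thread or made up for the demonstration.

# A rootless daemon reports "name=rootless" among its security options.
# Real invocation against a running daemon:
#   docker info --format '{{join .SecurityOptions "\n"}}'
daemon_is_rootless() {
    printf '%s\n' "$1" | grep -q '^name=rootless$'
}

# Constructed docker info output for a rootless and for a root daemon.
SAMPLE_INFO_ROOTLESS='name=seccomp,profile=builtin
name=rootless
name=cgroupns'
SAMPLE_INFO_ROOT='name=apparmor
name=seccomp,profile=builtin
name=cgroupns'

# Classify the client setup from DOCKER_HOST, the user's uid and group list.
# Without DOCKER_HOST the CLI uses /var/run/docker.sock; the "docker" group grants
# access to that socket, which is root-equivalent on the host. Pointing DOCKER_HOST
# at the per-user socket is only rootless if a daemon is actually listening there.
classify_setup() {
    host="$1"; uid="$2"; groups="$3"
    if [ "$host" = "unix:///run/user/$uid/docker.sock" ]; then
        if [ -S "/run/user/$uid/docker.sock" ]; then
            echo rootless
        else
            echo rootless-socket-missing   # the "Cannot connect" error in the thread
        fi
    elif [ -z "$host" ] && printf '%s\n' "$groups" | tr ',' '\n' | grep -qx docker; then
        echo root-daemon-via-docker-group
    else
        echo unknown
    fi
}

# /proc/<pid>/uid_map lines are "<start inside> <start on host> <count>".
# Prints the host uid for a uid inside the container, or "unmapped".
map_uid() {
    printf '%s\n' "$1" | awk -v u="$2" '
        NF == 3 && u >= $1 && u < $1 + $3 { print $2 + (u - $1); found = 1; exit }
        END { if (!found) print "unmapped" }'
}

# Constructed uid_map of a rootless daemon started by uid 1002: container root is
# uid 1002 on the host, everything else comes from a subordinate range in /etc/subuid.
SAMPLE_ROOTLESS_UID_MAP='0 1002 1
1 100000 65536'
# uid_map of a container under the root daemon: identity mapping, root stays root.
SAMPLE_ROOT_UID_MAP='0 0 4294967295'

# Stand-alone run: the thread's two configurations, then the uid of the "abc" user
# that PUID=1002 assigns inside the container.
for host in "" "unix:///run/user/1002/docker.sock"; do
    echo "DOCKER_HOST='$host': $(classify_setup "$host" 1002 dev,users,docker,share)"
done
for u in 0 1002; do
    echo "container uid $u -> host uid $(map_uid "$SAMPLE_ROOTLESS_UID_MAP" "$u") (rootless), $(map_uid "$SAMPLE_ROOT_UID_MAP" "$u") (root daemon)"
done
```

The design point is the last loop: under a rootless daemon, root inside the container is uid 1002 on the host and the PUID=1002 "abc" user lands in the subordinate range (101001 here), whereas under the root daemon, which is what membership in the docker group gives you, container root is host root. The compose file's PUID/PGID only changes which uid the application drops to inside the container; it does not make the daemon rootless.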
 