Vagrantfile for Debian 11 with rootless docker
# Fail fast before any VM work starts if a required plugin is missing.
# vagrant-reload is used by the :reload provisioner further down; vagrant-sshfs
# is demanded here although no sshfs synced folder appears in this file.
raise 'vagrant-sshfs plugin is not installed!' unless Vagrant.has_plugin?("vagrant-sshfs")
raise 'vagrant-reload plugin is not installed!' unless Vagrant.has_plugin?("vagrant-reload")
# hack: https://github.com/hashicorp/vagrant/issues/8878#issuecomment-345112810
class VagrantPlugins::ProviderVirtualBox::Action::Network
  # Workaround for hashicorp/vagrant#8878 (noted above): the VirtualBox provider's
  # "does the existing host-only DHCP server match my config?" check is forced to
  # succeed, so an already-present DHCP server is presumably reused as-is instead
  # of being torn down and recreated. Both arguments are deliberately ignored,
  # which also means a genuinely mismatched DHCP server is never detected.
  def dhcp_server_matches_config?(_dhcp_server, _config)
    true
  end
end
Vagrant.configure("2") do |config|
  # Base box and networking: bento Debian 11 on a DHCP private network. The
  # default host->guest synced folder is switched off, so nothing from the host
  # working directory is exposed inside the guest.
  config.vm.box = "bento/debian-11"
  config.vm.network "private_network", type: "dhcp"
  config.vm.synced_folder '.', '/vagrant', disabled: true
  # When vagrant-vbguest is present, stop it from auto-updating the guest additions.
  if Vagrant.has_plugin?("vagrant-vbguest")
    config.vbguest.auto_update = false
  end
  # Identical sizing for both supported providers.
  config.vm.provider "virtualbox" do |vb|
    vb.memory = "8192"
    vb.cpus = 4
  end
  config.vm.provider "libvirt" do |lv|
    lv.memory = "8192"
    lv.cpus = 4
  end
  # STEP1 (runs privileged): system preparation for rootless docker.
  #  - enables contrib/non-free and bullseye-backports, installs kernel headers,
  #    build tools, uidmap and fuse-overlayfs from backports;
  #  - rewrites GRUB_CMDLINE_LINUX_DEFAULT: random.trust_cpu=on seeds the kernel
  #    RNG from the CPU's hardware generator, and
  #    systemd.unified_cgroup_hierarchy=0 presumably keeps systemd off the
  #    unified (v2) cgroup hierarchy -- confirm that is still wanted;
  #  - kernel.unprivileged_userns_clone=1 lets unprivileged users create user
  #    namespaces (required by rootless docker; it also exposes more kernel
  #    surface to unprivileged code), and overlay mounts are permitted inside them;
  #  - adds a cgroup Delegate= drop-in for user@ services. The "[email protected]"
  #    path segment below looks like an e-mail obfuscation artifact of the
  #    rendered page, not the real drop-in directory name -- confirm against the
  #    original file before using;
  #  - enable-linger lets the vagrant user's systemd --user services run without
  #    an active login session.
  # NOTE(review): every `>>` append in this step (sources.list, sysctl.conf,
  # docker.conf, delegate.conf) is not idempotent; a second `vagrant provision`
  # duplicates those lines.
  config.vm.provision "shell", inline: <<-STEP1
dpkg-reconfigure debconf -f noninteractive -p critical
export DEBIAN_FRONTEND=noninteractive
sed -i "s/main/main contrib non-free/g" /etc/apt/sources.list
echo "deb http://httpredir.debian.org/debian/ bullseye-backports main contrib non-free" >> /etc/apt/sources.list
echo "deb-src http://httpredir.debian.org/debian/ bullseye-backports main contrib non-free" >> /etc/apt/sources.list
apt-get -qqy update
apt-get -t bullseye-backports -y install \
linux-headers-amd64 dkms build-essential gcc \
jq bc rsync git bat moreutils iptables tmux libcap2-bin \
apt-transport-https ca-certificates \
curl gnupg2 software-properties-common \
uidmap fuse-overlayfs
ln -s -r /usr/bin/batcat /usr/bin/bat
sed -i 's/^GRUB_CMDLINE_LINUX_DEFAULT=.*/GRUB_CMDLINE_LINUX_DEFAULT="random.trust_cpu=on elevator=deadline cgroup_enable=memory swapaccount=1 cgroup.memory=nokmem systemd.unified_cgroup_hierarchy=0"/' /etc/default/grub
update-grub
echo "kernel.unprivileged_userns_clone=1" >> /etc/sysctl.conf
echo "options overlay permit_mounts_in_userns=1" >> /etc/modprobe.d/docker.conf
mkdir -p /etc/systemd/system/[email protected]
echo -e "[Service]\\nDelegate=cpu cpuset io memory pids" >> /etc/systemd/system/[email protected]/delegate.conf
loginctl enable-linger vagrant
touch /root/.hushlogin
echo "set nocompatible" > /root/.vimrc
STEP1
  # Reboot (vagrant-reload) so the new kernel command line and sysctl take effect.
  config.vm.provision :reload
  # STEP3 (unprivileged, as the vagrant user): dotfiles and rootless docker.
  # Clones mmguero/config over HTTPS and symlinks its bash/tmux/git files into
  # $HOME (the user's own ~/bin is a symlink to ~/.local/bin), then installs
  # rootless docker and a pinned docker-compose, and points DOCKER_HOST at the
  # per-user socket (this assumes the vagrant user has uid 1000).
  # NOTE(review): `curl ... | bash` executes whatever get.docker.com serves at
  # provisioning time with no version pin or signature check, and the
  # docker-compose 1.29.2 binary is not checksum-verified; comparing its digest
  # against the release's published checksums (placeholder:
  # <SHA256_FROM_RELEASE_PAGE>) before the chmod would close that gap.
  config.vm.provision "shell", privileged: false, inline: <<-STEP3
mkdir -p /home/vagrant/.config/systemd/user /home/vagrant/.local/bin /home/vagrant/tmp
ln -s -f -r /home/vagrant/.local/bin /home/vagrant/bin
git clone --recursive --single-branch --depth 1 https://github.com/mmguero/config /home/vagrant/.config/mmguero.config
touch /home/vagrant/.hushlogin
echo "set nocompatible" > /home/vagrant/.vimrc
rm -f /home/vagrant/.bashrc
ln -s -f -r /home/vagrant/.config/mmguero.config/bash/rc /home/vagrant/.bashrc
ln -s -f -r /home/vagrant/.config/mmguero.config/bash/rc.d /home/vagrant/.bashrc.d
ln -s -f -r /home/vagrant/.config/mmguero.config/bash/aliases /home/vagrant/.bash_aliases
ln -s -f -r /home/vagrant/.config/mmguero.config/bash/functions /home/vagrant/.bash_functions
ln -s -f -r /home/vagrant/.config/mmguero.config/bash/context-color/context-color /home/vagrant/.local/bin/context-color
ln -s -f -r /home/vagrant/.config/mmguero.config/bash/development_setup.sh /home/vagrant/.local/bin/development_setup.sh
ln -s -f -r /home/vagrant/.config/mmguero.config/linux/tmux/tmux.conf /home/vagrant/.tmux.conf
ln -s -f -r /home/vagrant/.config/mmguero.config/git/gitconfig /home/vagrant/.gitconfig
curl -fsSL https://get.docker.com/rootless | bash
curl -fsSL "https://github.com/docker/compose/releases/download/1.29.2/docker-compose-$(uname -s)-$(uname -m)" -o /home/vagrant/.local/bin/docker-compose
chmod 755 /home/vagrant/.local/bin/docker-compose
echo -e "\\nexport DOCKER_HOST=unix:///run/user/1000/docker.sock" >> /home/vagrant/.bashrc.d/05_docker.bashrc
STEP3
  # allow some elevated privileges (raw sockets, binding to ports <1024, promiscuous capture, mlock, etc.)
  # STEP4 (privileged): the capabilities are set as effective+inheritable+permitted
  # on the rootlesskit binary, so they are available to whatever rootlesskit
  # launches, not only to dockerd. The /home/vagrant/bin path resolves through the
  # bin -> .local/bin symlink from STEP3; assumes the rootless installer placed
  # rootlesskit in ~/.local/bin -- TODO confirm.
  config.vm.provision "shell", inline: <<-STEP4
setcap 'CAP_IPC_LOCK+eip CAP_NET_ADMIN+eip CAP_NET_BIND_SERVICE+eip CAP_NET_RAW+eip' /home/vagrant/bin/rootlesskit
STEP4
  # STEP5 (unprivileged): make the user-level docker.service start dockerd-rootless.sh
  # with the fuse-overlayfs storage driver (installed in STEP1), then enable,
  # reload and restart it.
  config.vm.provision "shell", privileged: false, inline: <<-STEP5
sed -i "s@\\(dockerd-rootless\\.sh\\)@\\1 --storage-driver=fuse-overlayfs@" /home/vagrant/.config/systemd/user/docker.service
systemctl --user enable docker
systemctl --user daemon-reload
systemctl --user restart docker
STEP5
end