Deploy rootless docker (on debian buster)
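#!/bin/bash
# Deploy rootless docker on Debian buster. Must run as root. Review before use:
# it fetches and executes further scripts and binaries from the network.
#
# Usage — download to an unpredictable path, not a fixed name such as /tmp/a
# that any other local user could have planted first:
#   f=$(mktemp) && wget -O "$f" https://gist.githubusercontent.com/waja/0deb4dd5cd759371270dc3e1f5dabcb5/raw/deploy_rootlessdocker.sh && bash "$f"
#
# Kept POSIX-sh compatible so `sh` and `bash` behave the same.

# Install dockerd first if it is missing. The helper is downloaded to a mktemp
# path instead of /tmp/docker_deploy.sh: a fixed, world-writable location can be
# pre-created by any local user and would then be executed as root. The `if`
# also fixes the original `a || b && c` precedence, which ran `bash` on whatever
# sat at that path even when dockerd was already installed.
# (HTTPS protects the transport only; the gist content itself is not verified.)
if ! command -v dockerd >/dev/null 2>&1; then
  deploy_script=$(mktemp) || exit 1
  if wget -O "$deploy_script" https://gist.githubusercontent.com/waja/01ba2641f93f461044f9/raw/docker_deploy.sh; then
    bash "$deploy_script"
  else
    echo "error: could not download docker_deploy.sh" >&2
    rm -f "$deploy_script"
    exit 1
  fi
  rm -f "$deploy_script"
fi

# Stop and disable the system-wide dockerd (it runs as root); a per-user
# rootless daemon replaces it.
systemctl stop docker && systemctl disable docker && systemctl disable docker.socket

# Prerequisites: curl for the download below, libcap2-bin for setcap (used to
# grant rootlesskit CAP_NET_BIND_SERVICE instead of opening privileged ports
# system-wide), and a newer slirp4netns from buster-backports than buster
# itself ships. apt-get rather than apt: apt has no stable CLI for scripts.
# Abort on failure instead of continuing with a half-installed system.
apt-get update && apt-get install -y curl libcap2-bin && \
  apt-get -t buster-backports install -y slirp4netns || {
    echo "error: package installation failed (is buster-backports enabled in the apt sources?)" >&2
    exit 1
  }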
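# Download and install the docker rootless extras (rootlesskit, dockerd-rootless.sh, ...)
# Inspired by https://github.com/docker/docker-install/blob/master/rootless-install.sh
#
# NOTE(review): the default URL is an unversioned "master" nightly build and
# nothing pins its content, yet the archive is unpacked as root straight into
# /usr/local/bin (on PATH for everyone). Prefer a versioned release and set
# ROOTLESS_SHA256 to its published digest so the archive is verified before
# extraction. Both the URL and the digest can be overridden from the
# environment; with no digest an explicit warning is printed.
STATIC_RELEASE_ROOTLESS_URL="${STATIC_RELEASE_ROOTLESS_URL:-https://master.dockerproject.org/linux/x86_64/docker-rootless-extras.tgz}"
ROOTLESS_SHA256="${ROOTLESS_SHA256:-}"
ROOTLESS_BIN="/usr/local/bin/"
tmp=$(mktemp -d) || exit 1
# Quoted inside the trap so cleanup still works for a TMPDIR containing spaces.
trap 'rm -rf "$tmp"' EXIT INT TERM
cd "$tmp" || exit 1
# -f: an HTTP error page must not be saved and then fed to tar as the archive;
# -L: follow redirects (as before); -sS: quiet except for errors.
curl -fsSL -o rootless.tgz "$STATIC_RELEASE_ROOTLESS_URL" || {
  echo "error: download of $STATIC_RELEASE_ROOTLESS_URL failed" >&2
  exit 1
}
if [ -n "$ROOTLESS_SHA256" ]; then
  echo "$ROOTLESS_SHA256  rootless.tgz" | sha256sum -c --quiet - || {
    echo "error: rootless.tgz does not match ROOTLESS_SHA256" >&2
    exit 1
  }
else
  echo "warning: ROOTLESS_SHA256 not set; installing an unverified archive into $ROOTLESS_BIN" >&2
fi
# Stop here if extraction fails: the later setcap step would otherwise find no
# rootlesskit and silently fall back to the system-wide port sysctl.
tar zxf "$tmp/rootless.tgz" -C "$ROOTLESS_BIN" --strip-components=1 || {
  echo "error: extracting rootless.tgz into $ROOTLESS_BIN failed" >&2
  exit 1
}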
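# Run these directly instead of piping a heredoc into `sh -x`: the detour hid
# the exit status of apt (the pipeline's status was sh's) and only added trace
# noise. uidmap provides newuidmap/newgidmap, which rootlesskit needs to set up
# the user namespace, so abort if it cannot be installed.
apt-get install -y uidmap || exit 1

# Kernel settings required for rootless docker.
# Security note: kernel.unprivileged_userns_clone=1 lets *every* local user
# create user namespaces (buster defaults it to 0), which exposes considerably
# more kernel code to unprivileged processes — keep the kernel patched.
# net.ipv4.ping_group_range over the full GID range lets every group open ICMP
# echo sockets, so ping works inside rootless containers.
# Quoted delimiter: the file is written literally, nothing is expanded.
cat <<'EOF' > /etc/sysctl.d/50-docker-rootless.conf
# https://github.com/moby/moby/blob/master/docs/rootless.md#debian-gnulinux
kernel.unprivileged_userns_clone = 1
# https://github.com/moby/moby/blob/master/docs/rootless.md#routing-ping-packets
net.ipv4.ping_group_range = 0 2147483647
EOF
# Reloads every sysctl drop-in, not just ours (unchanged from before).
sysctl --system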
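#######################################
# Open all ports (>= 0) to unprivileged users via sysctl.
# This is the coarse fallback for letting rootlesskit bind ports < 1024: it
# lets *every* local user bind 22, 80, 443, ..., so a compromised user account
# can squat a privileged service's port whenever that service is down. Prefer
# the per-binary setcap route where it works.
# Arguments: $1 - sysctl drop-in to append to
#                 (default /etc/sysctl.d/50-docker-rootless.conf)
# Outputs:   warning on stderr
# Returns:   non-zero if the drop-in could not be written, else sysctl's status
#######################################
global_priv_ports() {
  local conf
  conf="${1:-/etc/sysctl.d/50-docker-rootless.conf}"
  echo "warning: setting net.ipv4.ip_unprivileged_port_start=0 system-wide; any local user may now bind privileged ports" >&2
  # Append only once so repeated calls do not pile up duplicate entries
  # (-s: a missing file is simply "not found").
  if ! grep -qs '^net.ipv4.ip_unprivileged_port_start' "$conf"; then
    printf '%s\n' \
      '# https://github.com/moby/moby/blob/master/docs/rootless.md#exposing-privileged-ports' \
      'net.ipv4.ip_unprivileged_port_start = 0' >> "$conf" || return 1
  fi
  sysctl --system
}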
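# Privileged ports for rootless containers: prefer granting only rootlesskit
# CAP_NET_BIND_SERVICE as a file capability (just that binary may bind ports
# < 1024) over the system-wide sysctl, which lets every user bind them. The
# capability lives on the file and is lost whenever the binary is replaced, so
# it must be set again after redeploying rootlesskit. Pass --global-priv-ports
# to force the sysctl route.
rootlesskit_bin="${ROOTLESS_BIN%/}/rootlesskit"
if [ "${1:-}" = "--global-priv-ports" ]; then
  global_priv_ports
elif [ ! -x "$rootlesskit_bin" ]; then
  # Do not silently widen the sysctl because the binary is missing: that means
  # the download/extraction step above failed.
  echo "error: $rootlesskit_bin not found; the rootless extras were not installed" >&2
  exit 1
elif command -v setcap >/dev/null 2>&1 && setcap cap_net_bind_service=ep "$rootlesskit_bin"; then
  echo "Exposing privileged ports by setcap worked"
else
  # Make the security downgrade visible instead of falling back quietly.
  echo "warning: setcap unavailable or failed; falling back to the system-wide sysctl (all users may bind privileged ports)" >&2
  global_priv_ports
fi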
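# https://github.com/moby/moby/blob/master/docs/rootless.md#debian-gnulinux
# Make use of overlay2 storage: allow overlayfs to be mounted from inside a
# user namespace. Security note: this widens what unprivileged user namespaces
# can reach in the kernel (the overlayfs mount path), so keep the kernel
# patched. The parameter only exists on kernels that carry this patch.
cat <<'EOF' > /etc/modprobe.d/docker-rootless.conf
options overlay permit_mounts_in_userns=1
EOF
# (Re)load the module so the option takes effect now. rmmod fails while overlay
# mounts still exist (e.g. a container left running under the root daemon);
# the options file then only applies after a reboot, so say so instead of
# failing silently. `;` rather than `&&` is deliberate: rmmod also fails when
# overlay was simply not loaded, and modprobe must still run in that case.
rmmod overlay 2>/dev/null
if grep -q '^overlay ' /proc/modules; then
  echo "warning: overlay module is in use and could not be reloaded; permit_mounts_in_userns=1 takes effect after a reboot" >&2
fi
modprobe overlay permit_mounts_in_userns=1 || {
  echo "error: loading the overlay module failed" >&2
  exit 1
}
# modprobe only warns about an unknown parameter, so check it really exists.
if [ ! -e /sys/module/overlay/parameters/permit_mounts_in_userns ]; then
  echo "warning: this kernel's overlay module has no permit_mounts_in_userns parameter; rootless overlay2 may not work" >&2
fi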
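# Environment for every login shell, via /etc/profile.d. Quoted heredoc
# delimiter: the file is written literally, so no \$ escaping is needed.
#
# Fixes over the previous version:
#  * $UID is a bash-ism; /etc/profile.d is also sourced by dash, where it is
#    empty and every user ended up sharing /tmp/docker-. id -u works in both.
#  * A predictable, world-writable /tmp path as runtime dir lets another local
#    user pre-create it and thereby own the directory dockerd's control socket
#    is placed in. Prefer the private per-user /run/user/<uid> when present;
#    otherwise create the /tmp dir mode 0700 and refuse one we do not own.
#  * DOCKER_HOST is derived from XDG_RUNTIME_DIR so the two cannot drift apart.
cat <<'EOF' > /etc/profile.d/docker-rootless.sh
# Rootless docker environment (installed by deploy_rootlessdocker.sh).
# Sourced by /etc/profile for every login shell: keep this POSIX sh (dash does
# not set $UID, hence id -u).
_docker_uid=$(id -u)
# Keep a runtime dir that already exists (systemd-logind provides a private
# /run/user/<uid> tmpfs); only fall back to /tmp when there is none.
if [ -z "${XDG_RUNTIME_DIR:-}" ] || [ ! -d "$XDG_RUNTIME_DIR" ]; then
  if [ -d "/run/user/$_docker_uid" ]; then
    XDG_RUNTIME_DIR="/run/user/$_docker_uid"
  else
    XDG_RUNTIME_DIR="/tmp/docker-$_docker_uid"
    # /tmp is world-writable and the name is predictable: create it private
    # and refuse a directory (or symlink) another user planted, since the
    # docker control socket lives inside it. -O (owned by the effective uid)
    # is a bash/dash extension, not strict POSIX.
    [ -e "$XDG_RUNTIME_DIR" ] || mkdir -m 700 "$XDG_RUNTIME_DIR"
    if [ -L "$XDG_RUNTIME_DIR" ] || [ ! -d "$XDG_RUNTIME_DIR" ] || [ ! -O "$XDG_RUNTIME_DIR" ]; then
      echo "docker-rootless: $XDG_RUNTIME_DIR is not a directory owned by uid $_docker_uid; refusing to use it" >&2
      unset XDG_RUNTIME_DIR
    fi
  fi
fi
if [ -n "${XDG_RUNTIME_DIR:-}" ]; then
  export XDG_RUNTIME_DIR
  export DOCKER_HOST="unix://$XDG_RUNTIME_DIR/docker.sock"
fi
unset _docker_uid
# Presumably for tools rootlesskit invokes that live under /sbin — kept as before.
export PATH="$PATH:/sbin"
alias dockerd-rootless='dockerd-rootless.sh --experimental --storage-driver overlay2'
EOF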