deploy_rootlessdocker.sh
· 2.6 KiB · Bash
Raw
#!/bin/bash
# wget https://gist.githubusercontent.com/waja/0deb4dd5cd759371270dc3e1f5dabcb5/raw/deploy_rootlessdocker.sh -O /tmp/a && sh /tmp/a
# Check if dockerd is installed
[ $(which dockerd) ] || wget https://gist.githubusercontent.com/waja/01ba2641f93f461044f9/raw/docker_deploy.sh \
-O /tmp/docker_deploy.sh && bash /tmp/docker_deploy.sh
# Stop and disable dockerd (runs as root)
systemctl stop docker && systemctl disable docker
# Install curl and needed (new) slirp4netns
apt update && apt install -y curl && \
apt -t buster-backports install -y slirp4netns
# Download and install docker rootless
# Inspired by https://github.com/docker/docker-install/blob/master/rootless-install.sh
tmp=$(mktemp -d)
trap "rm -rf $tmp" EXIT INT TERM
STATIC_RELEASE_ROOTLESS_URL="https://master.dockerproject.org/linux/x86_64/docker-rootless-extras.tgz"
ROOTLESS_BIN="/usr/local/bin/"
cd "$tmp"
curl -L -o rootless.tgz "$STATIC_RELEASE_ROOTLESS_URL"
tar zxf "$tmp/rootless.tgz" -C "$ROOTLESS_BIN" --strip-components=1
cat <<EOF | sh -x
apt install -y uidmap
cat <<EOT > /etc/sysctl.d/50-docker-rootless.conf
# https://github.com/moby/moby/blob/master/docs/rootless.md#debian-gnulinux
kernel.unprivileged_userns_clone = 1
EOT
sysctl --system
EOF
global_priv_ports() {
cat <<EOF >> /etc/sysctl.d/50-docker-rootless.conf
# https://github.com/moby/moby/blob/master/docs/rootless.md#exposing-privileged-ports
net.ipv4.ip_unprivileged_port_start = 0
EOF
sysctl --system
}
# maybe instead of allowing every user to bind on unprivileged ports via sysctl you may set capabilities just for `rootlesskit`. More restriced (and secure) but needs to be set again when redeploying the binary
if [ "${1}" = "--global-priv-ports" ]; then
global_priv_ports
else
if command -v setcap > /dev/null && setcap cap_net_bind_service=ep "$ROOTLESS_BIN/rootlesskit"; then
echo "Exposing privileged ports by setcap worked"
else
global_priv_ports
fi
fi
# https://github.com/moby/moby/blob/master/docs/rootless.md#debian-gnulinux
# Make use of overlay2 storage
cat <<EOF > /etc/modprobe.d/docker-rootless.conf
options overlay permit_mounts_in_userns=1
EOF
#(Re)loading overlay kernel module
rmmod overlay 2> /dev/null; modprobe overlay permit_mounts_in_userns=1
# Set some environment variables and create needed directory
cat <<EOF > /etc/profile.d/docker-rootless.sh
export XDG_RUNTIME_DIR=/tmp/docker-\${UID}
[ -d \${XDG_RUNTIME_DIR} ] || mkdir \${XDG_RUNTIME_DIR}
export DOCKER_HOST=unix:///tmp/docker-\${UID}/docker.sock
export PATH=\$PATH:/sbin
alias dockerd-rootless='dockerd-rootless.sh --experimental --storage-driver overlay2'
EOF
| 1 | #!/bin/bash |
| 2 | # wget https://gist.githubusercontent.com/waja/0deb4dd5cd759371270dc3e1f5dabcb5/raw/deploy_rootlessdocker.sh -O /tmp/a && sh /tmp/a |
| 3 | |
| 4 | # Check if dockerd is installed |
| 5 | [ $(which dockerd) ] || wget https://gist.githubusercontent.com/waja/01ba2641f93f461044f9/raw/docker_deploy.sh \ |
| 6 | -O /tmp/docker_deploy.sh && bash /tmp/docker_deploy.sh |
| 7 | |
| 8 | # Stop and disable dockerd (runs as root) |
| 9 | systemctl stop docker && systemctl disable docker |
| 10 | |
| 11 | # Install curl and needed (new) slirp4netns |
| 12 | apt update && apt install -y curl && \ |
| 13 | apt -t buster-backports install -y slirp4netns |
| 14 | |
| 15 | # Download and install docker rootless |
| 16 | # Inspired by https://github.com/docker/docker-install/blob/master/rootless-install.sh |
| 17 | tmp=$(mktemp -d) |
| 18 | trap "rm -rf $tmp" EXIT INT TERM |
| 19 | STATIC_RELEASE_ROOTLESS_URL="https://master.dockerproject.org/linux/x86_64/docker-rootless-extras.tgz" |
| 20 | ROOTLESS_BIN="/usr/local/bin/" |
| 21 | cd "$tmp" |
| 22 | curl -L -o rootless.tgz "$STATIC_RELEASE_ROOTLESS_URL" |
| 23 | tar zxf "$tmp/rootless.tgz" -C "$ROOTLESS_BIN" --strip-components=1 |
| 24 | |
| 25 | cat <<EOF | sh -x |
| 26 | apt install -y uidmap |
| 27 | cat <<EOT > /etc/sysctl.d/50-docker-rootless.conf |
| 28 | # https://github.com/moby/moby/blob/master/docs/rootless.md#debian-gnulinux |
| 29 | kernel.unprivileged_userns_clone = 1 |
| 30 | EOT |
| 31 | sysctl --system |
| 32 | EOF |
| 33 | |
| 34 | global_priv_ports() { |
| 35 | cat <<EOF >> /etc/sysctl.d/50-docker-rootless.conf |
| 36 | # https://github.com/moby/moby/blob/master/docs/rootless.md#exposing-privileged-ports |
| 37 | net.ipv4.ip_unprivileged_port_start = 0 |
| 38 | EOF |
| 39 | sysctl --system |
| 40 | } |
| 41 | |
| 42 | # maybe instead of allowing every user to bind on unprivileged ports via sysctl you may set capabilities just for `rootlesskit`. More restriced (and secure) but needs to be set again when redeploying the binary |
| 43 | if [ "${1}" = "--global-priv-ports" ]; then |
| 44 | global_priv_ports |
| 45 | else |
| 46 | if command -v setcap > /dev/null && setcap cap_net_bind_service=ep "$ROOTLESS_BIN/rootlesskit"; then |
| 47 | echo "Exposing privileged ports by setcap worked" |
| 48 | else |
| 49 | global_priv_ports |
| 50 | fi |
| 51 | fi |
| 52 | |
| 53 | # https://github.com/moby/moby/blob/master/docs/rootless.md#debian-gnulinux |
| 54 | # Make use of overlay2 storage |
| 55 | cat <<EOF > /etc/modprobe.d/docker-rootless.conf |
| 56 | options overlay permit_mounts_in_userns=1 |
| 57 | EOF |
| 58 | #(Re)loading overlay kernel module |
| 59 | rmmod overlay 2> /dev/null; modprobe overlay permit_mounts_in_userns=1 |
| 60 | |
| 61 | # Set some environment variables and create needed directory |
| 62 | cat <<EOF > /etc/profile.d/docker-rootless.sh |
| 63 | export XDG_RUNTIME_DIR=/tmp/docker-\${UID} |
| 64 | [ -d \${XDG_RUNTIME_DIR} ] || mkdir \${XDG_RUNTIME_DIR} |
| 65 | export DOCKER_HOST=unix:///tmp/docker-\${UID}/docker.sock |
| 66 | export PATH=\$PATH:/sbin |
| 67 | alias dockerd-rootless='dockerd-rootless.sh --experimental --storage-driver overlay2' |
| 68 | EOF |
| 69 |