
Jan Wagner hat die Gist bearbeitet 6 years ago. Zu Änderung gehen

1 file changed, 1 insertion, 1 deletion

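--- a/deploy_rootlessdocker.sh
+++ b/deploy_rootlessdocker.sh
@@ -6,7 +6,7 @@
 -O /tmp/docker_deploy.sh && bash /tmp/docker_deploy.sh
 
 # Stop and disable dockerd (runs as root)
-systemctl stop docker && systemctl disable docker
+systemctl stop docker && systemctl disable docker && systemctl disable docker.socket
 
 # Install curl and needed (new) slirp4netns
 apt update && apt install -y curl && \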
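Review bot: The new line disables docker.socket but never stops it, so the socket unit stays active until reboot and socket activation can relaunch the root dockerd that the same line just stopped. The `&&` chain also skips both disables whenever `systemctl stop docker` fails (for instance when the unit is not present on the host), and with no `set -e` the script carries on silently. Consider `systemctl disable --now docker.socket docker` (or `systemctl stop docker.socket docker; systemctl disable docker.socket docker`) so both units end up stopped and disabled regardless of their current state.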

Jan Wagner hat die Gist bearbeitet 6 years ago. Zu Änderung gehen

1 file changed, 2 insertions

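--- a/deploy_rootlessdocker.sh
+++ b/deploy_rootlessdocker.sh
@@ -27,6 +27,8 @@ apt install -y uidmap
 cat <<EOT > /etc/sysctl.d/50-docker-rootless.conf
 # https://github.com/moby/moby/blob/master/docs/rootless.md#debian-gnulinux
 kernel.unprivileged_userns_clone = 1
+# https://github.com/moby/moby/blob/master/docs/rootless.md#routing-ping-packets
+net.ipv4.ping_group_range = 0 2147483647
 EOT
 sysctl --system
 EOF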
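Review bot: `net.ipv4.ping_group_range = 0 2147483647` grants unprivileged ICMP echo sockets to every group on the host, not only the one the rootless daemon will run under; a narrow range `net.ipv4.ping_group_range = G G`, with G being the rootless user's primary GID (placeholder), covers the documented ping use case with less exposure. The value mirrors the linked moby doc, so if the host-wide range is intentional, a comment inside the heredoc saying so would stop the next reader from tightening it. These lines sit inside a heredoc that is piped to `sh -x`; the outer `cat <<EOF | sh -x` begins above this hunk.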

Jan Wagner hat die Gist bearbeitet 6 years ago. Zu Änderung gehen

1 file changed, 2 insertions

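--- a/deploy_rootlessdocker.sh
+++ b/deploy_rootlessdocker.sh
@@ -55,6 +55,8 @@ fi
 cat <<EOF > /etc/modprobe.d/docker-rootless.conf
 options overlay permit_mounts_in_userns=1
 EOF
+#(Re)loading overlay kernel module
+rmmod overlay 2> /dev/null; modprobe overlay permit_mounts_in_userns=1
 
 # Set some environment variables and create needed directory
 cat <<EOF > /etc/profile.d/docker-rootless.sh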
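Review bot: `rmmod overlay 2> /dev/null; modprobe overlay permit_mounts_in_userns=1` hides exactly the case the comment is written for: when the module is still in use (lingering overlay mounts from the root dockerd stopped earlier), rmmod fails silently and modprobe against an already-loaded module returns 0 without applying the new parameter, so the script looks successful while the option only takes effect after a reboot. Suggest surfacing that, e.g. `rmmod overlay 2>/dev/null || printf 'warn: overlay module busy; permit_mounts_in_userns=1 applies on next boot\n' >&2`, and, if the kernel exposes it, confirming the live value via `/sys/module/overlay/parameters/permit_mounts_in_userns` afterwards. The comment `#(Re)loading overlay kernel module` lacks the space after `#` that every other comment in the file has.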

Jan Wagner hat die Gist bearbeitet 6 years ago. Zu Änderung gehen

1 file changed, 1 insertion

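--- a/deploy_rootlessdocker.sh
+++ b/deploy_rootlessdocker.sh
@@ -13,6 +13,7 @@ apt update && apt install -y curl && \
 apt -t buster-backports install -y slirp4netns
 
 # Download and install docker rootless
+# Inspired by https://github.com/docker/docker-install/blob/master/rootless-install.sh
 tmp=$(mktemp -d)
 trap "rm -rf $tmp" EXIT INT TERM
 STATIC_RELEASE_ROOTLESS_URL="https://master.dockerproject.org/linux/x86_64/docker-rootless-extras.tgz"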

Jan Wagner hat die Gist bearbeitet 6 years ago. Zu Änderung gehen

1 file changed, 20 insertions, 3 deletions

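--- a/deploy_rootlessdocker.sh
+++ b/deploy_rootlessdocker.sh
@@ -21,17 +21,34 @@ cd "$tmp"
 curl -L -o rootless.tgz "$STATIC_RELEASE_ROOTLESS_URL"
 tar zxf "$tmp/rootless.tgz" -C "$ROOTLESS_BIN" --strip-components=1
 
-# https://github.com/moby/moby/blob/master/docs/rootless.md#debian-gnulinux
-# https://github.com/moby/moby/blob/master/docs/rootless.md#routing-ping-packets
 cat <<EOF | sh -x
 apt install -y uidmap
 cat <<EOT > /etc/sysctl.d/50-docker-rootless.conf
+# https://github.com/moby/moby/blob/master/docs/rootless.md#debian-gnulinux
 kernel.unprivileged_userns_clone = 1
-net.ipv4.ping_group_range = 0 2147483647
 EOT
 sysctl --system
 EOF
 
+global_priv_ports() {
+cat <<EOF >> /etc/sysctl.d/50-docker-rootless.conf
+# https://github.com/moby/moby/blob/master/docs/rootless.md#exposing-privileged-ports
+net.ipv4.ip_unprivileged_port_start = 0
+EOF
+sysctl --system
+}
+
+# maybe instead of allowing every user to bind on unprivileged ports via sysctl you may set capabilities just for `rootlesskit`. More restriced (and secure) but needs to be set again when redeploying the binary
+if [ "${1}" = "--global-priv-ports" ]; then
+global_priv_ports
+else
+if command -v setcap > /dev/null && setcap cap_net_bind_service=ep "$ROOTLESS_BIN/rootlesskit"; then
+echo "Exposing privileged ports by setcap worked"
+else
+global_priv_ports
+fi
+fi
+
 # https://github.com/moby/moby/blob/master/docs/rootless.md#debian-gnulinux
 # Make use of overlay2 storage
 cat <<EOF > /etc/modprobe.d/docker-rootless.conf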
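Review bot: The inner `else` branch applies `net.ipv4.ip_unprivileged_port_start = 0` host-wide, letting every unprivileged process on the machine bind ports below 1024, and that path is taken not only on an explicit `--global-priv-ports` but also whenever `setcap` is absent or fails, without telling the operator which option was chosen. Please log the downgrade before the second `global_priv_ports` call: `printf 'warn: setcap unavailable or failed; enabling ip_unprivileged_port_start=0 system-wide\n' >&2`. `global_priv_ports` also appends to `/etc/sysctl.d/50-docker-rootless.conf` with `>>`, so rerunning the script stacks duplicate entries; a `grep -q ip_unprivileged_port_start /etc/sysctl.d/50-docker-rootless.conf ||` guard in front of the `cat` keeps the file idempotent. The one-line comment above the `if` (with the typo `restriced`) would read better wrapped at 80 columns.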

Jan Wagner hat die Gist bearbeitet 6 years ago. Zu Änderung gehen

1 file changed, 8 insertions, 2 deletions

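--- a/deploy_rootlessdocker.sh
+++ b/deploy_rootlessdocker.sh
@@ -21,7 +21,7 @@ cd "$tmp"
 curl -L -o rootless.tgz "$STATIC_RELEASE_ROOTLESS_URL"
 tar zxf "$tmp/rootless.tgz" -C "$ROOTLESS_BIN" --strip-components=1
 
-# https://github.com/moby/moby/blob/master/docs/rootless.md#debian-excluding-ubuntu
+# https://github.com/moby/moby/blob/master/docs/rootless.md#debian-gnulinux
 # https://github.com/moby/moby/blob/master/docs/rootless.md#routing-ping-packets
 cat <<EOF | sh -x
 apt install -y uidmap
@@ -32,11 +32,17 @@ EOT
 sysctl --system
 EOF
 
+# https://github.com/moby/moby/blob/master/docs/rootless.md#debian-gnulinux
+# Make use of overlay2 storage
+cat <<EOF > /etc/modprobe.d/docker-rootless.conf
+options overlay permit_mounts_in_userns=1
+EOF
+
 # Set some environment variables and create needed directory
 cat <<EOF > /etc/profile.d/docker-rootless.sh
 export XDG_RUNTIME_DIR=/tmp/docker-\${UID}
 [ -d \${XDG_RUNTIME_DIR} ] || mkdir \${XDG_RUNTIME_DIR}
 export DOCKER_HOST=unix:///tmp/docker-\${UID}/docker.sock
 export PATH=\$PATH:/sbin
-alias dockerd-rootless='dockerd-rootless.sh --experimental --storage-driver vfs'
+alias dockerd-rootless='dockerd-rootless.sh --experimental --storage-driver overlay2'
 EOF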
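Review bot: Writing `/etc/modprobe.d/docker-rootless.conf` only influences the next load of the overlay module; on a host where the root dockerd has already pulled the module in, the `--storage-driver overlay2` alias added at the end of the second hunk will run against a module that still has `permit_mounts_in_userns` unset until a reboot, and nothing in the script says so. Either reload the module after writing the file (`rmmod overlay; modprobe overlay permit_mounts_in_userns=1`, with the rmmod failure reported rather than ignored) or extend the `# Make use of overlay2 storage` comment with "takes effect on next module load / reboot".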

Jan Wagner hat die Gist bearbeitet 6 years ago. Zu Änderung gehen

1 file changed, 2 insertions, 1 deletion

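--- a/deploy_rootlessdocker.sh
+++ b/deploy_rootlessdocker.sh
@@ -25,13 +25,14 @@ tar zxf "$tmp/rootless.tgz" -C "$ROOTLESS_BIN" --strip-components=1
 # https://github.com/moby/moby/blob/master/docs/rootless.md#routing-ping-packets
 cat <<EOF | sh -x
 apt install -y uidmap
-cat <<EOT > /etc/sysctl.d/50-rootless.conf
+cat <<EOT > /etc/sysctl.d/50-docker-rootless.conf
 kernel.unprivileged_userns_clone = 1
 net.ipv4.ping_group_range = 0 2147483647
 EOT
 sysctl --system
 EOF
 
+# Set some environment variables and create needed directory
 cat <<EOF > /etc/profile.d/docker-rootless.sh
 export XDG_RUNTIME_DIR=/tmp/docker-\${UID}
 [ -d \${XDG_RUNTIME_DIR} ] || mkdir \${XDG_RUNTIME_DIR}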
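Review bot: Renaming the target to `/etc/sysctl.d/50-docker-rootless.conf` leaves the old `/etc/sysctl.d/50-rootless.conf` in place on hosts that ran the previous revision, and `sysctl --system` keeps loading both, so a later edit to the new file can be silently overridden by the stale one depending on load order. A `rm -f /etc/sysctl.d/50-rootless.conf` before the new `cat <<EOT` keeps the result deterministic. The enclosing `cat <<EOF | sh -x` starts above this hunk.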

Jan Wagner hat die Gist bearbeitet 6 years ago. Zu Änderung gehen

1 file changed, 5 insertions, 4 deletions

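--- a/deploy_rootlessdocker.sh
+++ b/deploy_rootlessdocker.sh
@@ -33,8 +33,9 @@ sysctl --system
 EOF
 
 cat <<EOF > /etc/profile.d/docker-rootless.sh
-export XDG_RUNTIME_DIR=/tmp/docker-${UID}
-[ -d ${XDG_RUNTIME_DIR} ] || mkdir ${XDG_RUNTIME_DIR}
-export DOCKER_HOST=unix:///tmp/docker-${UID}/docker.sock
-export PATH=$PATH:/sbin
+export XDG_RUNTIME_DIR=/tmp/docker-\${UID}
+[ -d \${XDG_RUNTIME_DIR} ] || mkdir \${XDG_RUNTIME_DIR}
+export DOCKER_HOST=unix:///tmp/docker-\${UID}/docker.sock
+export PATH=\$PATH:/sbin
+alias dockerd-rootless='dockerd-rootless.sh --experimental --storage-driver vfs'
 EOF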
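Review bot: The generated profile script accepts any pre-existing `/tmp/docker-\${UID}` via `[ -d … ]` and otherwise creates it with default permissions, so `DOCKER_HOST` ends up pointing at a socket inside a directory in world-writable /tmp whose owner and mode are never checked. Suggest `[ -d \${XDG_RUNTIME_DIR} ] || mkdir -m 0700 \${XDG_RUNTIME_DIR}` followed by `[ -O \${XDG_RUNTIME_DIR} ] || echo "docker-rootless: \${XDG_RUNTIME_DIR} is not owned by you" >&2`, or defaulting to the per-login `/run/user/\$(id -u)` directory that systemd already provides. `\${UID}` is a bash-specific variable; if this profile.d snippet is ever sourced by a plain POSIX sh the path degrades to `/tmp/docker-`, whereas `\$(id -u)` is portable. The escaping fix itself (`\$` so the values expand at login rather than at deploy time) is correct.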

waja hat die Gist bearbeitet 6 years ago. Zu Änderung gehen

1 file changed, 40 insertions

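--- /dev/null
+++ b/deploy_rootlessdocker.sh
@@ -0,0 +1,40 @@
+#!/bin/bash
+# wget https://gist.githubusercontent.com/waja/0deb4dd5cd759371270dc3e1f5dabcb5/raw/deploy_rootlessdocker.sh -O /tmp/a && sh /tmp/a
+
+# Check if dockerd is installed
+[ $(which dockerd) ] || wget https://gist.githubusercontent.com/waja/01ba2641f93f461044f9/raw/docker_deploy.sh \
+-O /tmp/docker_deploy.sh && bash /tmp/docker_deploy.sh
+
+# Stop and disable dockerd (runs as root)
+systemctl stop docker && systemctl disable docker
+
+# Install curl and needed (new) slirp4netns
+apt update && apt install -y curl && \
+apt -t buster-backports install -y slirp4netns
+
+# Download and install docker rootless
+tmp=$(mktemp -d)
+trap "rm -rf $tmp" EXIT INT TERM
+STATIC_RELEASE_ROOTLESS_URL="https://master.dockerproject.org/linux/x86_64/docker-rootless-extras.tgz"
+ROOTLESS_BIN="/usr/local/bin/"
+cd "$tmp"
+curl -L -o rootless.tgz "$STATIC_RELEASE_ROOTLESS_URL"
+tar zxf "$tmp/rootless.tgz" -C "$ROOTLESS_BIN" --strip-components=1
+
+# https://github.com/moby/moby/blob/master/docs/rootless.md#debian-excluding-ubuntu
+# https://github.com/moby/moby/blob/master/docs/rootless.md#routing-ping-packets
+cat <<EOF | sh -x
+apt install -y uidmap
+cat <<EOT > /etc/sysctl.d/50-rootless.conf
+kernel.unprivileged_userns_clone = 1
+net.ipv4.ping_group_range = 0 2147483647
+EOT
+sysctl --system
+EOF
+
+cat <<EOF > /etc/profile.d/docker-rootless.sh
+export XDG_RUNTIME_DIR=/tmp/docker-${UID}
+[ -d ${XDG_RUNTIME_DIR} ] || mkdir ${XDG_RUNTIME_DIR}
+export DOCKER_HOST=unix:///tmp/docker-${UID}/docker.sock
+export PATH=$PATH:/sbin
+EOF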
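Review bot: Lines 5–6 fetch an installer into the fixed path `/tmp/docker_deploy.sh` and run it with `bash` as root, and line 22 untars `docker-rootless-extras.tgz` from a master-branch URL straight into `/usr/local/bin`, in both cases without any checksum or signature verification, so a compromised upstream or transport becomes root code execution on every host this script is applied to. At minimum pin a release URL, verify a recorded digest before `bash` and before `tar` (`sha256sum -c` against a value taken from the published release — placeholder until filled in), and download into the `mktemp -d` directory instead of a predictable /tmp name by moving the `tmp=$(mktemp -d)` and `trap` lines above the first wget. Smaller points: `[ $(which dockerd) ]` is unquoted and `which` is non-portable, `command -v dockerd >/dev/null ||` is the idiom; and the usage comment on line 2 runs the file with `sh` although the shebang is `#!/bin/bash`, which matters once `${UID}` and other bashisms appear.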