Jan Wagner 已修改 6 years ago. 還原成這個修訂版本
1 file changed, 1 insertion, 1 deletion
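--- a/deploy_rootlessdocker.sh
+++ b/deploy_rootlessdocker.sh
@@ -6,7 +6,7 @@
 -O /tmp/docker_deploy.sh && bash /tmp/docker_deploy.sh
 
 # Stop and disable dockerd (runs as root)
-systemctl stop docker && systemctl disable docker
+systemctl stop docker && systemctl disable docker && systemctl disable docker.socket
 
 # Install curl and needed (new) slirp4netns
 apt update && apt install -y curl && \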
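Review bot: The new line disables docker.socket but never stops it, so the already-active socket unit can still re-activate the root dockerd until the next reboot, and because the whole line is one `&&` chain a failing `systemctl stop docker` (daemon not running) skips both disable calls. Consider `systemctl disable --now docker.socket docker` so both units are stopped and disabled in one step regardless of their current state. If the stop is meant to be best-effort, say so in the comment rather than letting the chain short-circuit silently.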
Jan Wagner 已修改 6 years ago. 還原成這個修訂版本
1 file changed, 2 insertions
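--- a/deploy_rootlessdocker.sh
+++ b/deploy_rootlessdocker.sh
@@ -27,6 +27,8 @@ apt install -y uidmap
 cat <<EOT > /etc/sysctl.d/50-docker-rootless.conf
 # https://github.com/moby/moby/blob/master/docs/rootless.md#debian-gnulinux
 kernel.unprivileged_userns_clone = 1
+# https://github.com/moby/moby/blob/master/docs/rootless.md#routing-ping-packets
+net.ipv4.ping_group_range = 0 2147483647
 EOT
 sysctl --system
 EOF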
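Review bot: `net.ipv4.ping_group_range = 0 2147483647` grants every group on the host unprivileged ICMP echo sockets, which is the widest range the kernel accepts; if this deployment serves a single rootless user, a range limited to that user's GID (`net.ipv4.ping_group_range = <GID> <GID>`, placeholder) follows least privilege while still satisfying the linked upstream doc. The value is written through a nested heredoc whose outer `cat <<EOF | sh -x` opens before this hunk, so the file is regenerated on every run and the range can be adjusted there without touching anything else.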
Jan Wagner 已修改 6 years ago. 還原成這個修訂版本
1 file changed, 2 insertions
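--- a/deploy_rootlessdocker.sh
+++ b/deploy_rootlessdocker.sh
@@ -55,6 +55,8 @@ fi
 cat <<EOF > /etc/modprobe.d/docker-rootless.conf
 options overlay permit_mounts_in_userns=1
 EOF
+#(Re)loading overlay kernel module
+rmmod overlay 2> /dev/null; modprobe overlay permit_mounts_in_userns=1
 
 # Set some environment variables and create needed directory
 cat <<EOF > /etc/profile.d/docker-rootless.sh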
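Review bot: The `modprobe overlay permit_mounts_in_userns=1` on the new line is unchecked, so when the running kernel does not know that parameter (it appears to be a distribution-specific patch rather than a mainline option) or the reload fails after a successful rmmod, the script continues and the `--storage-driver overlay2` alias only breaks later for the user. Suggest `modprobe overlay permit_mounts_in_userns=1 || echo "warning: overlay module reload failed; check modinfo overlay" >&2`. The silenced rmmod failure is expected when overlay is still mounted, which deserves a comment such as `# rmmod fails harmlessly if overlay is still in use; the modprobe.d options then apply on next load`; the new comment also lacks a space after `#`.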
Jan Wagner 已修改 6 years ago. 還原成這個修訂版本
1 file changed, 1 insertion
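--- a/deploy_rootlessdocker.sh
+++ b/deploy_rootlessdocker.sh
@@ -13,6 +13,7 @@ apt update && apt install -y curl && \
 apt -t buster-backports install -y slirp4netns
 
 # Download and install docker rootless
+# Inspired by https://github.com/docker/docker-install/blob/master/rootless-install.sh
 tmp=$(mktemp -d)
 trap "rm -rf $tmp" EXIT INT TERM
 STATIC_RELEASE_ROOTLESS_URL="https://master.dockerproject.org/linux/x86_64/docker-rootless-extras.tgz"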
Jan Wagner 已修改 6 years ago. 還原成這個修訂版本
1 file changed, 20 insertions, 3 deletions
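--- a/deploy_rootlessdocker.sh
+++ b/deploy_rootlessdocker.sh
@@ -21,17 +21,34 @@ cd "$tmp"
 curl -L -o rootless.tgz "$STATIC_RELEASE_ROOTLESS_URL"
 tar zxf "$tmp/rootless.tgz" -C "$ROOTLESS_BIN" --strip-components=1
 
-# https://github.com/moby/moby/blob/master/docs/rootless.md#debian-gnulinux
-# https://github.com/moby/moby/blob/master/docs/rootless.md#routing-ping-packets
 cat <<EOF | sh -x
 apt install -y uidmap
 cat <<EOT > /etc/sysctl.d/50-docker-rootless.conf
+# https://github.com/moby/moby/blob/master/docs/rootless.md#debian-gnulinux
 kernel.unprivileged_userns_clone = 1
-net.ipv4.ping_group_range = 0 2147483647
 EOT
 sysctl --system
 EOF
 
+global_priv_ports() {
+cat <<EOF >> /etc/sysctl.d/50-docker-rootless.conf
+# https://github.com/moby/moby/blob/master/docs/rootless.md#exposing-privileged-ports
+net.ipv4.ip_unprivileged_port_start = 0
+EOF
+sysctl --system
+}
+
+# maybe instead of allowing every user to bind on unprivileged ports via sysctl you may set capabilities just for `rootlesskit`. More restriced (and secure) but needs to be set again when redeploying the binary
+if [ "${1}" = "--global-priv-ports" ]; then
+global_priv_ports
+else
+if command -v setcap > /dev/null && setcap cap_net_bind_service=ep "$ROOTLESS_BIN/rootlesskit"; then
+echo "Exposing privileged ports by setcap worked"
+else
+global_priv_ports
+fi
+fi
+
 # https://github.com/moby/moby/blob/master/docs/rootless.md#debian-gnulinux
 # Make use of overlay2 storage
 cat <<EOF > /etc/modprobe.d/docker-rootless.conf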
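Review bot: The inner `else` branch falls back to `global_priv_ports` silently, so when setcap is absent or fails the script applies `net.ipv4.ip_unprivileged_port_start = 0` host-wide, letting every unprivileged process on the machine bind any port, which is the broader option the comment itself calls less secure. Log the downgrade so an operator notices, e.g. `echo "setcap on rootlesskit failed; falling back to host-wide ip_unprivileged_port_start=0" >&2` before that second `global_priv_ports` call. The "needs to be set again when redeploying" caveat is already covered because the tar extraction above re-deploys rootlesskit on every run and the setcap branch re-applies the capability; stating that in the comment (and fixing "restriced" to "restricted") would make the trade-off clearer. Any argument other than `--global-priv-ports` is ignored without a usage message, which is worth at least a comment on the `if [ "${1}" ... ]` line.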
Jan Wagner 已修改 6 years ago. 還原成這個修訂版本
1 file changed, 8 insertions, 2 deletions
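--- a/deploy_rootlessdocker.sh
+++ b/deploy_rootlessdocker.sh
@@ -21,7 +21,7 @@ cd "$tmp"
 curl -L -o rootless.tgz "$STATIC_RELEASE_ROOTLESS_URL"
 tar zxf "$tmp/rootless.tgz" -C "$ROOTLESS_BIN" --strip-components=1
 
-# https://github.com/moby/moby/blob/master/docs/rootless.md#debian-excluding-ubuntu
+# https://github.com/moby/moby/blob/master/docs/rootless.md#debian-gnulinux
 # https://github.com/moby/moby/blob/master/docs/rootless.md#routing-ping-packets
 cat <<EOF | sh -x
 apt install -y uidmap
@@ -32,11 +32,17 @@ EOT
 sysctl --system
 EOF
 
+# https://github.com/moby/moby/blob/master/docs/rootless.md#debian-gnulinux
+# Make use of overlay2 storage
+cat <<EOF > /etc/modprobe.d/docker-rootless.conf
+options overlay permit_mounts_in_userns=1
+EOF
+
 # Set some environment variables and create needed directory
 cat <<EOF > /etc/profile.d/docker-rootless.sh
 export XDG_RUNTIME_DIR=/tmp/docker-\${UID}
 [ -d \${XDG_RUNTIME_DIR} ] || mkdir \${XDG_RUNTIME_DIR}
 export DOCKER_HOST=unix:///tmp/docker-\${UID}/docker.sock
 export PATH=\$PATH:/sbin
-alias dockerd-rootless='dockerd-rootless.sh --experimental --storage-driver vfs'
+alias dockerd-rootless='dockerd-rootless.sh --experimental --storage-driver overlay2'
 EOF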
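Review bot: Writing `options overlay permit_mounts_in_userns=1` to /etc/modprobe.d only takes effect the next time the module is loaded, so on a host where overlay is already loaded (the root dockerd was running moments earlier) the new `--storage-driver overlay2` alias fails until a reload or reboot. Either reload after the heredoc, `modprobe -r overlay; modprobe overlay || echo "warning: overlay reload failed" >&2`, or state the requirement in the comment, `# takes effect on next overlay module load (reboot or modprobe -r/modprobe)`. The `sysctl --system` and `EOF` context above belong to the `cat <<EOF | sh -x` block that opens in the first hunk.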
Jan Wagner 已修改 6 years ago. 還原成這個修訂版本
1 file changed, 2 insertions, 1 deletion
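--- a/deploy_rootlessdocker.sh
+++ b/deploy_rootlessdocker.sh
@@ -25,13 +25,14 @@ tar zxf "$tmp/rootless.tgz" -C "$ROOTLESS_BIN" --strip-components=1
 # https://github.com/moby/moby/blob/master/docs/rootless.md#routing-ping-packets
 cat <<EOF | sh -x
 apt install -y uidmap
-cat <<EOT > /etc/sysctl.d/50-rootless.conf
+cat <<EOT > /etc/sysctl.d/50-docker-rootless.conf
 kernel.unprivileged_userns_clone = 1
 net.ipv4.ping_group_range = 0 2147483647
 EOT
 sysctl --system
 EOF
 
+# Set some environment variables and create needed directory
 cat <<EOF > /etc/profile.d/docker-rootless.sh
 export XDG_RUNTIME_DIR=/tmp/docker-\${UID}
 [ -d \${XDG_RUNTIME_DIR} ] || mkdir \${XDG_RUNTIME_DIR}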
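Review bot: Renaming the target to `/etc/sysctl.d/50-docker-rootless.conf` leaves a stale `/etc/sysctl.d/50-rootless.conf` on hosts deployed with the previous revision, and `sysctl --system` then applies both files, so a later edit to the new file can be silently shadowed by the old one's ordering. Consider removing it in the same `sh -x` block, `rm -f /etc/sysctl.d/50-rootless.conf`, right before the `cat <<EOT` line. The profile.d heredoc at the bottom of the hunk continues past it.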
Jan Wagner 已修改 6 years ago. 還原成這個修訂版本
1 file changed, 5 insertions, 4 deletions
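--- a/deploy_rootlessdocker.sh
+++ b/deploy_rootlessdocker.sh
@@ -33,8 +33,9 @@ sysctl --system
 EOF
 
 cat <<EOF > /etc/profile.d/docker-rootless.sh
-export XDG_RUNTIME_DIR=/tmp/docker-${UID}
-[ -d ${XDG_RUNTIME_DIR} ] || mkdir ${XDG_RUNTIME_DIR}
-export DOCKER_HOST=unix:///tmp/docker-${UID}/docker.sock
-export PATH=$PATH:/sbin
+export XDG_RUNTIME_DIR=/tmp/docker-\${UID}
+[ -d \${XDG_RUNTIME_DIR} ] || mkdir \${XDG_RUNTIME_DIR}
+export DOCKER_HOST=unix:///tmp/docker-\${UID}/docker.sock
+export PATH=\$PATH:/sbin
+alias dockerd-rootless='dockerd-rootless.sh --experimental --storage-driver vfs'
 EOF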
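Review bot: The new `[ -d \${XDG_RUNTIME_DIR} ] || mkdir \${XDG_RUNTIME_DIR}` line creates a predictably named directory under the world-writable /tmp with default permissions and accepts any pre-existing directory regardless of who owns it, and the rootless docker.sock is then placed inside it. Create it restrictively and verify ownership, e.g. `[ -d \${XDG_RUNTIME_DIR} ] || mkdir -m 0700 \${XDG_RUNTIME_DIR}` followed by `[ -O \${XDG_RUNTIME_DIR} ] || echo "warning: \${XDG_RUNTIME_DIR} not owned by you" >&2`, or prefer the per-user `/run/user/\${UID}` that systemd-logind provides when it exists. Any line added to this heredoc must keep the `\$` escaping the commit introduces, since the file is expanded at login, not at deploy time.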
waja 已修改 6 years ago. 還原成這個修訂版本
1 file changed, 40 insertions
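--- /dev/null
+++ b/deploy_rootlessdocker.sh
@@ -0,0 +1,40 @@
+#!/bin/bash
+# wget https://gist.githubusercontent.com/waja/0deb4dd5cd759371270dc3e1f5dabcb5/raw/deploy_rootlessdocker.sh -O /tmp/a && sh /tmp/a
+
+# Check if dockerd is installed
+[ $(which dockerd) ] || wget https://gist.githubusercontent.com/waja/01ba2641f93f461044f9/raw/docker_deploy.sh \
+-O /tmp/docker_deploy.sh && bash /tmp/docker_deploy.sh
+
+# Stop and disable dockerd (runs as root)
+systemctl stop docker && systemctl disable docker
+
+# Install curl and needed (new) slirp4netns
+apt update && apt install -y curl && \
+apt -t buster-backports install -y slirp4netns
+
+# Download and install docker rootless
+tmp=$(mktemp -d)
+trap "rm -rf $tmp" EXIT INT TERM
+STATIC_RELEASE_ROOTLESS_URL="https://master.dockerproject.org/linux/x86_64/docker-rootless-extras.tgz"
+ROOTLESS_BIN="/usr/local/bin/"
+cd "$tmp"
+curl -L -o rootless.tgz "$STATIC_RELEASE_ROOTLESS_URL"
+tar zxf "$tmp/rootless.tgz" -C "$ROOTLESS_BIN" --strip-components=1
+
+# https://github.com/moby/moby/blob/master/docs/rootless.md#debian-excluding-ubuntu
+# https://github.com/moby/moby/blob/master/docs/rootless.md#routing-ping-packets
+cat <<EOF | sh -x
+apt install -y uidmap
+cat <<EOT > /etc/sysctl.d/50-rootless.conf
+kernel.unprivileged_userns_clone = 1
+net.ipv4.ping_group_range = 0 2147483647
+EOT
+sysctl --system
+EOF
+
+cat <<EOF > /etc/profile.d/docker-rootless.sh
+export XDG_RUNTIME_DIR=/tmp/docker-${UID}
+[ -d ${XDG_RUNTIME_DIR} ] || mkdir ${XDG_RUNTIME_DIR}
+export DOCKER_HOST=unix:///tmp/docker-${UID}/docker.sock
+export PATH=$PATH:/sbin
+EOF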
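Review bot: The dockerd check on line 5 parses as `( [ $(which dockerd) ] || wget ... ) && bash /tmp/docker_deploy.sh`, so when dockerd is already installed the test succeeds and `bash /tmp/docker_deploy.sh` still runs as root against whatever file currently sits at that fixed, world-writable path. Make the intent explicit and reuse the mktemp pattern the script already has for the tarball: `if ! command -v dockerd >/dev/null 2>&1; then`, `f=$(mktemp) && wget -O "$f" https://gist.githubusercontent.com/waja/01ba2641f93f461044f9/raw/docker_deploy.sh && bash "$f"`, `fi`. Separately, the usage comment on line 2 runs the file with `sh` although the shebang is `#!/bin/bash`, and the unquoted heredoc on lines 35-40 expands `${UID}` and `$PATH` at deploy time (as root, or to nothing under sh) instead of in the user's login shell, so the generated profile.d file needs `\$` escaping.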