Docker kasutamine operatsioonisüsteemiga Debian - rootless: erinevus redaktsioonide vahel
Allikas: Imre kasutab arvutit
Mine navigeerimisribaleMine otsikasti
| 199. rida: | 199. rida: | ||
root@dh-minio-01:~# brctl show |
root@dh-minio-01:~# brctl show |
||
root@dh-minio-01:~# |
root@dh-minio-01:~# |
||
| + | </pre> |
||
| + | |||
| + | Tunnistus sellest, et liiklust konteineri ja ümbruse vahel käib läbi slirp4netns protsessi, pingimise ajal |
||
| + | |||
| + | <pre> |
||
| + | root@dh-minio-01:~# strace -p 2132 |
||
| + | strace: Process 2132 attached |
||
| + | restart_syscall(<... resuming interrupted poll ...>) = 0 |
||
| + | poll([{fd=6, events=POLLIN|POLLHUP}], 1, 1000) = 0 (Timeout) |
||
| + | poll([{fd=6, events=POLLIN|POLLHUP}], 1, 1000) = 0 (Timeout) |
||
| + | poll([{fd=6, events=POLLIN|POLLHUP}], 1, 1000) = 0 (Timeout) |
||
| + | poll([{fd=6, events=POLLIN|POLLHUP}], 1, 1000) = 0 (Timeout) |
||
| + | poll([{fd=6, events=POLLIN|POLLHUP}], 1, 1000) = 0 (Timeout) |
||
| + | poll([{fd=6, events=POLLIN|POLLHUP}], 1, 1000) = 0 (Timeout) |
||
| + | poll([{fd=6, events=POLLIN|POLLHUP}], 1, 1000) = 0 (Timeout) |
||
| + | poll([{fd=6, events=POLLIN|POLLHUP}], 1, 1000) = 1 ([{fd=6, revents=POLLIN}]) |
||
| + | read(6, "RU\n\0\2\2\2565a\276^!\10\0E\0\0T\211\355@\0?\1\225H\n\0\2d\10\10"..., 65536) = 98 |
||
| + | socket(AF_INET, SOCK_DGRAM|SOCK_CLOEXEC, IPPROTO_ICMP) = 3 |
||
| + | sendto(3, "\10\0I\304\0z\0\1\377\332\334i\0\0\0\0\4\251\16\0\0\0\0\0\20\21\22\23\24\25\26\27"..., 64, 0, {sa_family=AF_INET, sin_port=htons(0), sin_addr=inet_addr("8.8.8.8")}, 16) = 64 |
||
| + | poll([{fd=6, events=POLLIN|POLLHUP}, {fd=3, events=POLLIN|POLLERR|POLLHUP}], 2, 499) = 1 ([{fd=3, revents=POLLIN}]) |
||
| + | recvfrom(3, "\0\0R:\0\4\0\1\377\332\334i\0\0\0\0\4\251\16\0\0\0\0\0\20\21\22\23\24\25\26\27"..., 65500, 0, NULL, NULL) = 64 |
||
| + | write(6, "\2565a\276^!RU\n\0\2\2\10\0E\0\0T\v\22@\0\377\1T#\10\10\10\10\n\0"..., 98) = 98 |
||
| + | close(3) = 0 |
||
| + | poll([{fd=6, events=POLLIN|POLLHUP}], 1, 1000) = 1 ([{fd=6, revents=POLLIN}]) |
||
| + | read(6, "RU\n\0\2\2\2565a\276^!\10\0E\0\0T\212&@\0?\1\225\17\n\0\2d\10\10"..., 65536) = 98 |
||
| + | socket(AF_INET, SOCK_DGRAM|SOCK_CLOEXEC, IPPROTO_ICMP) = 3 |
||
| + | sendto(3, "\10\0\20\276\0z\0\2\0\333\334i\0\0\0\0<\256\16\0\0\0\0\0\20\21\22\23\24\25\26\27"..., 64, 0, {sa_family=AF_INET, sin_port=htons(0), sin_addr=inet_addr("8.8.8.8")}, 16) = 64 |
||
| + | poll([{fd=6, events=POLLIN|POLLHUP}, {fd=3, events=POLLIN|POLLERR|POLLHUP}], 2, 499) = 1 ([{fd=3, revents=POLLIN}]) |
||
| + | recvfrom(3, "\0\0\0313\0\5\0\2\0\333\334i\0\0\0\0<\256\16\0\0\0\0\0\20\21\22\23\24\25\26\27"..., 65500, 0, NULL, NULL) = 64 |
||
| + | write(6, "\2565a\276^!RU\n\0\2\2\10\0E\0\0T\v\23@\0\377\1T\"\10\10\10\10\n\0"..., 98) = 98 |
||
| + | close(3) = 0 |
||
| + | poll([{fd=6, events=POLLIN|POLLHUP}], 1, 1000) = 0 (Timeout) |
||
| + | poll([{fd=6, events=POLLIN|POLLHUP}], 1, 1000^Cstrace: Process 2132 detached |
||
</pre> |
</pre> |
||
Redaktsioon: 13. aprill 2026, kell 15:01
Sissejuhatus
TODO
Ettevalmistamine
Paigaldatakse Debian v. 13 ning tarkvara docker-ce tootja repost, 20260413 on v. 1.29
# apt-get install uidmap # modprobe nf_tables bridge-utils
Ning tekitamine olukorra, et arvutis on paigaldatud docker-ce tarkvara, aga ühtegi protsessi ei ole käivitatud
# systemctl disable --now docker.service docker.socket # rm /var/run/docker.sock # reboot
Rootless docker kasutamine
Logitakse süsteemi sisse kasutajana (mitte 'su - kaustaja') kuna on oluline 'systemd --user' keskkonna jaoks olulised omadused, nt
$ env | grep XDG $ XDG_RUNTIME_DIR=/run/user/1000
Paigaldame-seadistame-käivitame rootless docker lahenduse
kasutaja@dh-minio-01:~$ dockerd-rootless-setuptool.sh install
[INFO] Creating /home/kasutaja/.config/systemd/user/docker.service
[INFO] starting systemd service docker.service
+ systemctl --user start docker.service
+ sleep 3
+ systemctl --user --no-pager --full status docker.service
● docker.service - Docker Application Container Engine (Rootless)
Loaded: loaded (/home/kasutaja/.config/systemd/user/docker.service; disabled; preset: enabled)
Active: active (running) since Mon 2026-04-13 14:40:20 EEST; 3s ago
Invocation: 8f913ff96e234029b5789105d9cdeb2b
Docs: https://docs.docker.com/go/rootless/
Main PID: 963 (rootlesskit)
Tasks: 34
Memory: 148M (peak: 148.5M)
CPU: 279ms
CGroup: /user.slice/user-1000.slice/user@1000.service/app.slice/docker.service
├─ 963 rootlesskit --state-dir=/run/user/1000/dockerd-rootless --net=slirp4netns --mtu=65520 --slirp4netns-sandbox=auto --slirp4netns-seccomp=auto --disable-host-loopback --port-driver=builtin --copy-up=/etc --copy-up=/run --propagation=rslave /usr/bin/dockerd-rootless.sh
├─ 974 /proc/self/exe --state-dir=/run/user/1000/dockerd-rootless --net=slirp4netns --mtu=65520 --slirp4netns-sandbox=auto --slirp4netns-seccomp=auto --disable-host-loopback --port-driver=builtin --copy-up=/etc --copy-up=/run --propagation=rslave /usr/bin/dockerd-rootless.sh
├─ 995 slirp4netns --mtu 65520 -r 3 --disable-host-loopback --enable-sandbox --enable-seccomp 974 tap0
├─1003 dockerd
└─1024 containerd --config /run/user/1000/docker/containerd/containerd.toml
Apr 13 14:40:20 dh-minio-01 dockerd-rootless.sh[1003]: time="2026-04-13T14:40:20.010977863+03:00" level=warning msg="WARNING: No io.max (rbps) support"
Apr 13 14:40:20 dh-minio-01 dockerd-rootless.sh[1003]: time="2026-04-13T14:40:20.010983413+03:00" level=warning msg="WARNING: No io.max (wbps) support"
Apr 13 14:40:20 dh-minio-01 dockerd-rootless.sh[1003]: time="2026-04-13T14:40:20.010988243+03:00" level=warning msg="WARNING: No io.max (riops) support"
Apr 13 14:40:20 dh-minio-01 dockerd-rootless.sh[1003]: time="2026-04-13T14:40:20.010992940+03:00" level=warning msg="WARNING: No io.max (wiops) support"
Apr 13 14:40:20 dh-minio-01 dockerd-rootless.sh[1003]: time="2026-04-13T14:40:20.011008069+03:00" level=info msg="Docker daemon" commit=daa0cb7 containerd-snapshotter=true storage-driver=overlayfs version=29.4.0
Apr 13 14:40:20 dh-minio-01 dockerd-rootless.sh[1003]: time="2026-04-13T14:40:20.011096574+03:00" level=info msg="Initializing buildkit"
Apr 13 14:40:20 dh-minio-01 dockerd-rootless.sh[1003]: time="2026-04-13T14:40:20.147325130+03:00" level=info msg="Completed buildkit initialization"
Apr 13 14:40:20 dh-minio-01 dockerd-rootless.sh[1003]: time="2026-04-13T14:40:20.154119507+03:00" level=info msg="Daemon has completed initialization"
Apr 13 14:40:20 dh-minio-01 dockerd-rootless.sh[1003]: time="2026-04-13T14:40:20.154203253+03:00" level=info msg="API listen on /run/user/1000/docker.sock"
Apr 13 14:40:20 dh-minio-01 systemd[803]: Started docker.service - Docker Application Container Engine (Rootless).
+ DOCKER_HOST=unix:///run/user/1000/docker.sock /usr/bin/docker version
Client: Docker Engine - Community
Version: 29.4.0
API version: 1.54
Go version: go1.26.1
Git commit: 9d7ad9f
Built: Tue Apr 7 08:35:38 2026
OS/Arch: linux/amd64
Context: default
Server: Docker Engine - Community
Engine:
Version: 29.4.0
API version: 1.54 (minimum version 1.40)
Go version: go1.26.1
Git commit: daa0cb7
Built: Tue Apr 7 08:35:38 2026
OS/Arch: linux/amd64
Experimental: false
containerd:
Version: v2.2.2
GitCommit: 301b2dac98f15c27117da5c8af12118a041a31d9
runc:
Version: 1.3.4
GitCommit: v1.3.4-0-gd6d73eb8
docker-init:
Version: 0.19.0
GitCommit: de40ad0
rootlesskit:
Version: 2.3.6
ApiVersion: 1.1.1
NetworkDriver: slirp4netns
PortDriver: builtin
StateDir: /run/user/1000/dockerd-rootless
slirp4netns:
Version: 1.2.1
GitCommit: 09e31e92fa3d2a1d3ca261adaeb012c8d75a8194
+ systemctl --user enable docker.service
Created symlink '/home/kasutaja/.config/systemd/user/default.target.wants/docker.service' → '/home/kasutaja/.config/systemd/user/docker.service'.
[INFO] Installed docker.service successfully.
[INFO] To control docker.service, run: `systemctl --user (start|stop|restart) docker.service`
[INFO] To run docker.service on system startup, run: `sudo loginctl enable-linger kasutaja`
[INFO] Creating CLI context "rootless"
Successfully created context "rootless"
[INFO] Using CLI context "rootless"
Current context is now "rootless"
[INFO] Make sure the following environment variable(s) are set (or add them to ~/.bashrc):
export PATH=/usr/bin:$PATH
[INFO] Some applications may require the following environment variable too:
export DOCKER_HOST=unix:///run/user/1000/docker.sock
Kasutamine
rootless konteineri käivitamiseks sobib öelda
kasutaja@dh-minio-01:~$ docker run -d --rm --name nginx-01 -p 8081:80 nginx
tulemusena tekivad sellised protsessid
kasutaja@dh-minio-01:~$ ps auxf | egrep "kasutaja|nginx" root 2081 0.0 0.2 19784 12876 ? Ss 14:53 0:00 \_ sshd-session: kasutaja [priv] kasutaja 2102 0.2 0.1 19944 7420 ? S 14:53 0:00 \_ sshd-session: kasutaja@pts/0 kasutaja 2161 0.0 0.0 9080 5884 pts/0 Ss 14:53 0:00 \_ -bash kasutaja 2490 0.0 0.0 9936 4680 pts/0 R+ 14:54 0:00 \_ ps auxf kasutaja 2491 0.0 0.0 6520 2296 pts/0 S+ 14:54 0:00 \_ grep -E kasutaja|nginx kasutaja 2086 0.1 0.2 22160 12324 ? Ss 14:53 0:00 /usr/lib/systemd/systemd --user kasutaja 2088 0.0 0.0 24620 3844 ? S 14:53 0:00 \_ (sd-pam) kasutaja 2097 0.0 0.2 1713992 17724 ? Ssl 14:53 0:00 \_ rootlesskit --state-dir=/run/user/1000/dockerd-rootless --net=slirp4netns --mtu=65520 --slirp4netns-sandbox=auto --slirp4netns-seccomp=auto --disable-host-loopback --port-driver=builtin --copy-up=/etc --copy-up=/run --propagation=rslave /usr/bin/dockerd-rootless.sh kasutaja 2113 0.0 0.2 1935188 14796 ? Sl 14:53 0:00 | \_ /proc/self/exe --state-dir=/run/user/1000/dockerd-rootless --net=slirp4netns --mtu=65520 --slirp4netns-sandbox=auto --slirp4netns-seccomp=auto --disable-host-loopback --port-driver=builtin --copy-up=/etc --copy-up=/run --propagation=rslave /usr/bin/dockerd-rootless.sh kasutaja 2140 0.2 1.4 2094264 89080 ? Sl 14:53 0:00 | | \_ dockerd kasutaja 2166 0.2 0.9 1793652 54648 ? Ssl 14:53 0:00 | | \_ containerd --config /run/user/1000/docker/containerd/containerd.toml kasutaja 2439 0.0 0.1 1599260 6548 ? Sl 14:53 0:00 | | \_ /usr/bin/docker-proxy -proto tcp -host-ip 127.0.0.1 -host-port 8081 -container-ip 172.17.0.2 -container-port 80 -use-listen-fd kasutaja 2445 0.0 0.1 1746724 6632 ? Sl 14:53 0:00 | | \_ /usr/bin/docker-proxy -proto tcp -host-ip ::1 -host-port 8081 -container-ip 172.17.0.2 -container-port 80 -use-listen-fd kasutaja 2132 0.0 0.0 6160 3404 ? S 14:53 0:00 | \_ slirp4netns --mtu 65520 -r 3 --disable-host-loopback --enable-sandbox --enable-seccomp 2113 tap0 kasutaja 2389 0.0 0.2 1235348 12708 ? Sl 14:53 0:00 \_ /usr/bin/containerd-shim-runc-v2 -namespace moby -id 9bb6eeb480cef2ad0971629fa6720c3664b2185e8a83babdd7dd214321cc3449 -address /run/user/1000/docker/containerd/containerd.sock kasutaja 2416 0.0 0.1 14860 8892 ? Ss 14:53 0:00 | \_ nginx: master process nginx -g daemon off; 100100 2486 0.0 0.0 15316 3888 ? S 14:53 0:00 | \_ nginx: worker process 100100 2487 0.0 0.0 15316 3832 ? S 14:53 0:00 | \_ nginx: worker process kasutaja 2408 0.0 0.0 8196 4512 ? Ss 14:53 0:00 \_ /usr/bin/dbus-daemon --session --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only
kus
- dockerd jt protsesside omanik on kasutaja 'kasutaja'
- konteineri sees töötava root kaustaja protsessi kasutajaks host peal on kasutaja 'kasutaja'
- konteineri sees töötava tavakasutaja protsessi kasutajaks host peal on kasutaja uid=100100
- host peal kuulab rootlesskit protsess, sisuliselt töötab host - container vahendamisega slirp4netns tarkvara
subkasutaja-group teemaga tegeleb uidmap
kasutaja@dh-minio-01:~$ cat /etc/subuid /etc/subgid kasutaja:100000:65536 kasutaja:100000:65536
exposed pordiga tegeleb rootlesskit protsess
kasutaja@dh-minio-01:~$ netstat -lnpt ... Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN - tcp 0 0 0.0.0.0:8081 0.0.0.0:* LISTEN 963/rootlesskit tcp6 0 0 :::22 :::* LISTEN - tcp6 0 0 :::8081 :::* LISTEN 963/rootlesskit
Konteineris on L2 võrguliides
kasutaja@dh-minio-01:~$ docker exec -ti nginx-01 ip addr show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host proto kernel_lo
valid_lft forever preferred_lft forever
2: eth0@if6: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
link/ether ee:7a:2f:a7:a8:85 brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet 172.17.0.2/16 brd 172.17.255.255 scope global eth0
valid_lft forever preferred_lft forever
host peal puudub L2 bridge
root@dh-minio-01:~# brctl show root@dh-minio-01:~#
Tunnistus sellest, et liiklust konteineri ja ümbruse vahel käib läbi slirp4netns protsessi, pingimise ajal
root@dh-minio-01:~# strace -p 2132
strace: Process 2132 attached
restart_syscall(<... resuming interrupted poll ...>) = 0
poll([{fd=6, events=POLLIN|POLLHUP}], 1, 1000) = 0 (Timeout)
poll([{fd=6, events=POLLIN|POLLHUP}], 1, 1000) = 0 (Timeout)
poll([{fd=6, events=POLLIN|POLLHUP}], 1, 1000) = 0 (Timeout)
poll([{fd=6, events=POLLIN|POLLHUP}], 1, 1000) = 0 (Timeout)
poll([{fd=6, events=POLLIN|POLLHUP}], 1, 1000) = 0 (Timeout)
poll([{fd=6, events=POLLIN|POLLHUP}], 1, 1000) = 0 (Timeout)
poll([{fd=6, events=POLLIN|POLLHUP}], 1, 1000) = 0 (Timeout)
poll([{fd=6, events=POLLIN|POLLHUP}], 1, 1000) = 1 ([{fd=6, revents=POLLIN}])
read(6, "RU\n\0\2\2\2565a\276^!\10\0E\0\0T\211\355@\0?\1\225H\n\0\2d\10\10"..., 65536) = 98
socket(AF_INET, SOCK_DGRAM|SOCK_CLOEXEC, IPPROTO_ICMP) = 3
sendto(3, "\10\0I\304\0z\0\1\377\332\334i\0\0\0\0\4\251\16\0\0\0\0\0\20\21\22\23\24\25\26\27"..., 64, 0, {sa_family=AF_INET, sin_port=htons(0), sin_addr=inet_addr("8.8.8.8")}, 16) = 64
poll([{fd=6, events=POLLIN|POLLHUP}, {fd=3, events=POLLIN|POLLERR|POLLHUP}], 2, 499) = 1 ([{fd=3, revents=POLLIN}])
recvfrom(3, "\0\0R:\0\4\0\1\377\332\334i\0\0\0\0\4\251\16\0\0\0\0\0\20\21\22\23\24\25\26\27"..., 65500, 0, NULL, NULL) = 64
write(6, "\2565a\276^!RU\n\0\2\2\10\0E\0\0T\v\22@\0\377\1T#\10\10\10\10\n\0"..., 98) = 98
close(3) = 0
poll([{fd=6, events=POLLIN|POLLHUP}], 1, 1000) = 1 ([{fd=6, revents=POLLIN}])
read(6, "RU\n\0\2\2\2565a\276^!\10\0E\0\0T\212&@\0?\1\225\17\n\0\2d\10\10"..., 65536) = 98
socket(AF_INET, SOCK_DGRAM|SOCK_CLOEXEC, IPPROTO_ICMP) = 3
sendto(3, "\10\0\20\276\0z\0\2\0\333\334i\0\0\0\0<\256\16\0\0\0\0\0\20\21\22\23\24\25\26\27"..., 64, 0, {sa_family=AF_INET, sin_port=htons(0), sin_addr=inet_addr("8.8.8.8")}, 16) = 64
poll([{fd=6, events=POLLIN|POLLHUP}, {fd=3, events=POLLIN|POLLERR|POLLHUP}], 2, 499) = 1 ([{fd=3, revents=POLLIN}])
recvfrom(3, "\0\0\0313\0\5\0\2\0\333\334i\0\0\0\0<\256\16\0\0\0\0\0\20\21\22\23\24\25\26\27"..., 65500, 0, NULL, NULL) = 64
write(6, "\2565a\276^!RU\n\0\2\2\10\0E\0\0T\v\23@\0\377\1T\"\10\10\10\10\n\0"..., 98) = 98
close(3) = 0
poll([{fd=6, events=POLLIN|POLLHUP}], 1, 1000) = 0 (Timeout)
poll([{fd=6, events=POLLIN|POLLHUP}], 1, 1000^Cstrace: Process 2132 detached
Kasulikud lisamaterjalid
- TODO
