Using Docker with the Debian operating system - rootless
Source: Imre kasutab arvutit
Introduction
TODO
Preparation
Debian v. 13 is installed, along with the docker-ce software from the vendor's repository; as of 20260413 that is v. 1.29
# apt-get install uidmap
# modprobe nf_tables bridge-utils
Then bring about a state where the docker-ce software is installed on the computer but none of its processes is running
# systemctl disable --now docker.service docker.socket
# rm /var/run/docker.sock
# reboot
Using rootless docker
Log in to the system directly as the user (not via 'su - user'), because the properties that the 'systemd --user' environment depends on must be present, e.g.
$ env | grep XDG
XDG_RUNTIME_DIR=/run/user/1000
We install, configure and start the rootless docker solution
kasutaja@dh-minio-01:~$ dockerd-rootless-setuptool.sh install
[INFO] Creating /home/kasutaja/.config/systemd/user/docker.service
[INFO] starting systemd service docker.service
+ systemctl --user start docker.service
+ sleep 3
+ systemctl --user --no-pager --full status docker.service
● docker.service - Docker Application Container Engine (Rootless)
Loaded: loaded (/home/kasutaja/.config/systemd/user/docker.service; disabled; preset: enabled)
Active: active (running) since Mon 2026-04-13 14:40:20 EEST; 3s ago
Invocation: 8f913ff96e234029b5789105d9cdeb2b
Docs: https://docs.docker.com/go/rootless/
Main PID: 963 (rootlesskit)
Tasks: 34
Memory: 148M (peak: 148.5M)
CPU: 279ms
CGroup: /user.slice/user-1000.slice/user@1000.service/app.slice/docker.service
├─ 963 rootlesskit --state-dir=/run/user/1000/dockerd-rootless --net=slirp4netns --mtu=65520 --slirp4netns-sandbox=auto --slirp4netns-seccomp=auto --disable-host-loopback --port-driver=builtin --copy-up=/etc --copy-up=/run --propagation=rslave /usr/bin/dockerd-rootless.sh
├─ 974 /proc/self/exe --state-dir=/run/user/1000/dockerd-rootless --net=slirp4netns --mtu=65520 --slirp4netns-sandbox=auto --slirp4netns-seccomp=auto --disable-host-loopback --port-driver=builtin --copy-up=/etc --copy-up=/run --propagation=rslave /usr/bin/dockerd-rootless.sh
├─ 995 slirp4netns --mtu 65520 -r 3 --disable-host-loopback --enable-sandbox --enable-seccomp 974 tap0
├─1003 dockerd
└─1024 containerd --config /run/user/1000/docker/containerd/containerd.toml
Apr 13 14:40:20 dh-minio-01 dockerd-rootless.sh[1003]: time="2026-04-13T14:40:20.010977863+03:00" level=warning msg="WARNING: No io.max (rbps) support"
Apr 13 14:40:20 dh-minio-01 dockerd-rootless.sh[1003]: time="2026-04-13T14:40:20.010983413+03:00" level=warning msg="WARNING: No io.max (wbps) support"
Apr 13 14:40:20 dh-minio-01 dockerd-rootless.sh[1003]: time="2026-04-13T14:40:20.010988243+03:00" level=warning msg="WARNING: No io.max (riops) support"
Apr 13 14:40:20 dh-minio-01 dockerd-rootless.sh[1003]: time="2026-04-13T14:40:20.010992940+03:00" level=warning msg="WARNING: No io.max (wiops) support"
Apr 13 14:40:20 dh-minio-01 dockerd-rootless.sh[1003]: time="2026-04-13T14:40:20.011008069+03:00" level=info msg="Docker daemon" commit=daa0cb7 containerd-snapshotter=true storage-driver=overlayfs version=29.4.0
Apr 13 14:40:20 dh-minio-01 dockerd-rootless.sh[1003]: time="2026-04-13T14:40:20.011096574+03:00" level=info msg="Initializing buildkit"
Apr 13 14:40:20 dh-minio-01 dockerd-rootless.sh[1003]: time="2026-04-13T14:40:20.147325130+03:00" level=info msg="Completed buildkit initialization"
Apr 13 14:40:20 dh-minio-01 dockerd-rootless.sh[1003]: time="2026-04-13T14:40:20.154119507+03:00" level=info msg="Daemon has completed initialization"
Apr 13 14:40:20 dh-minio-01 dockerd-rootless.sh[1003]: time="2026-04-13T14:40:20.154203253+03:00" level=info msg="API listen on /run/user/1000/docker.sock"
Apr 13 14:40:20 dh-minio-01 systemd[803]: Started docker.service - Docker Application Container Engine (Rootless).
+ DOCKER_HOST=unix:///run/user/1000/docker.sock /usr/bin/docker version
Client: Docker Engine - Community
Version: 29.4.0
API version: 1.54
Go version: go1.26.1
Git commit: 9d7ad9f
Built: Tue Apr 7 08:35:38 2026
OS/Arch: linux/amd64
Context: default
Server: Docker Engine - Community
Engine:
Version: 29.4.0
API version: 1.54 (minimum version 1.40)
Go version: go1.26.1
Git commit: daa0cb7
Built: Tue Apr 7 08:35:38 2026
OS/Arch: linux/amd64
Experimental: false
containerd:
Version: v2.2.2
GitCommit: 301b2dac98f15c27117da5c8af12118a041a31d9
runc:
Version: 1.3.4
GitCommit: v1.3.4-0-gd6d73eb8
docker-init:
Version: 0.19.0
GitCommit: de40ad0
rootlesskit:
Version: 2.3.6
ApiVersion: 1.1.1
NetworkDriver: slirp4netns
PortDriver: builtin
StateDir: /run/user/1000/dockerd-rootless
slirp4netns:
Version: 1.2.1
GitCommit: 09e31e92fa3d2a1d3ca261adaeb012c8d75a8194
+ systemctl --user enable docker.service
Created symlink '/home/kasutaja/.config/systemd/user/default.target.wants/docker.service' → '/home/kasutaja/.config/systemd/user/docker.service'.
[INFO] Installed docker.service successfully.
[INFO] To control docker.service, run: `systemctl --user (start|stop|restart) docker.service`
[INFO] To run docker.service on system startup, run: `sudo loginctl enable-linger kasutaja`
[INFO] Creating CLI context "rootless"
Successfully created context "rootless"
[INFO] Using CLI context "rootless"
Current context is now "rootless"
[INFO] Make sure the following environment variable(s) are set (or add them to ~/.bashrc):
export PATH=/usr/bin:$PATH
[INFO] Some applications may require the following environment variable too:
export DOCKER_HOST=unix:///run/user/1000/docker.sock
Usage
to start a rootless container it is enough to say
kasutaja@dh-minio-01:~$ docker run -d --rm --name nginx-01 -p 8081:80 nginx
as a result the following processes appear
kasutaja@dh-minio-01:~$ ps U kasutaja
PID TTY STAT TIME COMMAND
803 ? Ss 0:00 /usr/lib/systemd/systemd --user
805 ? S 0:00 (sd-pam)
899 ? S 0:00 sshd-session: kasutaja@pts/0
900 pts/0 Ss 0:00 -bash
963 ? Ssl 0:00 rootlesskit --state-dir=/run/user/1000/dockerd-rootless --net=slirp4netns --mtu=65520 --slirp4netns-sandbox=auto --slirp4netns-seccomp=auto --disable-host-loopba
974 ? Sl 0:00 /proc/self/exe --state-dir=/run/user/1000/dockerd-rootless --net=slirp4netns --mtu=65520 --slirp4netns-sandbox=auto --slirp4netns-seccomp=auto --disable-host-loo
995 ? S 0:00 slirp4netns --mtu 65520 -r 3 --disable-host-loopback --enable-sandbox --enable-seccomp 974 tap0
1003 ? Sl 0:00 dockerd
1024 ? Ssl 0:02 containerd --config /run/user/1000/docker/containerd/containerd.toml
1397 ? Ss 0:00 /usr/bin/dbus-daemon --session --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only
1511 ? Sl 0:00 /usr/bin/containerd-shim-runc-v2 -namespace moby -id 93cca0a8735da63c32ae4e132407657203e3589c452069c46d2653c968063b17 -address /run/user/1000/docker/containerd/c
1537 ? Ss 0:00 nginx: master process nginx -g daemon off;
1557 ? Sl 0:00 /usr/bin/docker-proxy -proto tcp -host-ip 127.0.0.1 -host-port 8081 -container-ip 172.17.0.2 -container-port 80 -use-listen-fd
1564 ? Sl 0:00 /usr/bin/docker-proxy -proto tcp -host-ip ::1 -host-port 8081 -container-ip 172.17.0.2 -container-port 80 -use-listen-fd
where
- on the host the rootlesskit process listens; in effect the host - container forwarding is done by the slirp4netns software
- the exposed port is handled by the rootlesskit process
kasutaja@dh-minio-01:~$ netstat -lnpt
...
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:8081 0.0.0.0:* LISTEN 963/rootlesskit
tcp6 0 0 :::22 :::* LISTEN -
tcp6 0 0 :::8081 :::* LISTEN 963/rootlesskit
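As an added example (not from the original page), the shell helpers below verify the preparation prerequisite and the resulting state shown above: the subordinate-uid range the uidmap package relies on, the per-user daemon socket, the daemon's rootless security option, and that the published port is served by rootlesskit rather than a root-owned process. The sample inputs are constructed to match this page's host; the `docker info` format string is the real one, the function names are my own.

```shell
#!/bin/sh
# Verification helpers for a rootless Docker host (added example). Functions take
# captured text, so they run on the constructed samples below and, on a real
# host, on live command output (see the "Live:" comments).
# Constructed samples modelled on the page's host, not captured from it.
SAMPLE_SUBUID='root:100000:65536
kasutaja:165536:65536'
SAMPLE_INFO='[name=seccomp,profile=builtin name=rootless name=cgroupns]'
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:8081 0.0.0.0:* LISTEN 963/rootlesskit
tcp6 0 0 :::22 :::* LISTEN -
tcp6 0 0 :::8081 :::* LISTEN 963/rootlesskit'

# Does /etc/subuid grant USER at least 65536 subordinate uids (what the uidmap
# based user namespace needs)?  Live: subuid_ok "$USER" "$(cat /etc/subuid)"
subuid_ok() {
  printf '%s\n' "$2" | awk -F: -v u="$1" '$1 == u && $3 >= 65536 { ok = 1 } END { exit !ok }'
}

# Is the CLI pointed at the per-user socket of uid UID rather than /var/run?
# Live: socket_is_user_owned "$DOCKER_HOST" "$(id -u)"
socket_is_user_owned() {
  case "$1" in
    "unix:///run/user/$2/docker.sock") return 0 ;;
    *) return 1 ;;
  esac
}

# Does the daemon advertise the rootless security option?
# Live: info_reports_rootless "$(docker info --format '{{.SecurityOptions}}')"
info_reports_rootless() {
  printf '%s\n' "$1" | grep -q 'name=rootless'
}

# Print the unique PID/Program entries listening on PORT (netstat -lnpt text);
# fail if nothing listens. "-" means a process owned by another user.
# Live: listener_for_port 8081 "$(netstat -lnpt 2>/dev/null)"
listener_for_port() {
  out=$(printf '%s\n' "$2" | awk -v p=":$1" '$4 ~ p"$" && $6 == "LISTEN" { print $7 }' | sort -u)
  [ -n "$out" ] || return 1
  printf '%s\n' "$out"
}

# True when the sole listener on PORT is rootlesskit, i.e. the published port is
# served from the user session (as on the page) and not by a root-owned proxy.
port_served_rootless() {
  l=$(listener_for_port "$1" "$2") || return 1
  [ "$(printf '%s\n' "$l" | awk 'END { print NR }')" -eq 1 ] || return 1
  case "$l" in */rootlesskit) return 0 ;; *) return 1 ;; esac
}
```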
The container has an L2 network interface
kasutaja@dh-minio-01:~$ docker exec -ti nginx-01 ip addr show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host proto kernel_lo
valid_lft forever preferred_lft forever
2: eth0@if6: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
link/ether ee:7a:2f:a7:a8:85 brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet 172.17.0.2/16 brd 172.17.255.255 scope global eth0
valid_lft forever preferred_lft forever
there is no L2 bridge on the host
root@dh-minio-01:~# brctl show
root@dh-minio-01:~#
Useful additional materials
- TODO