
docker - Installing the Docker binaries on a server without root access

Reprinted. Author: 行者123. Updated: 2023-12-02 18:14:40

I have a server from a hosting provider without any root access. I cannot write anything in /etc/ or /var/lib/docker. Docker is not installed. My idea is to install and run the Docker binaries inside a directory. I will install Docker with a shell script. The script should be able to start from any directory without root access.

When the script runs ./docker/dockerd --data-root=docker/var/lib/docker I get this error message:

WARN[2018-11-17T18:26:19.492488618+01:00] Error while setting daemon root propagation, this is not generally critical but may cause some functionality to not work or fallback to less desirable behavior dir=docker/var/lib/docker error="error getting daemon root's parent mount: open /proc/self/mountinfo: permission denied" Error starting daemon: open /var/run/docker.pid: permission denied

dockerd has so many parameters. Here is the pidfile one: -p | --pidfile[=/var/run/docker.pid]

http://manpages.ubuntu.com/manpages/cosmic/man8/dockerd.8.html

Thanks for your help.

#!/bin/bash

# Download the static Docker release, unpack it next to this script and start
# the daemon with a data root inside the unpacked directory. Downloading and
# unpacking need no root; starting dockerd is where the errors above appear.
set -e

DOCKER_RELEASE='docker-18.06.1-ce.tgz'

wget "https://download.docker.com/linux/static/stable/x86_64/$DOCKER_RELEASE"
tar xzvf "$DOCKER_RELEASE"
rm "$DOCKER_RELEASE"

./docker/dockerd --data-root=docker/var/lib/docker

Best answer

As Akihiro Suda announced today (February 4, 2019):

Finally, it is now possible to run upstream dockerd as an unprivileged user!

moby/moby PR 38050:

Allow running dockerd in an unprivileged user namespace (rootless mode).
Close #37375 "Proposal: allow running dockerd as an unprivileged user (aka rootless mode)", opened in June 2018

No SETUID/SETCAP binary is required, except newuidmap and newgidmap.

How I did it:

By using user_namespaces(7), mount_namespaces(7), network_namespaces(7), and slirp4netns.

Warning, there are limitations:

Limitations:

  • Only vfs graphdriver is supported.
    However, on Ubuntu and a few distros, overlay2 and overlay are also supported.
    Starting with Linux 4.18, we will be also able to implement FUSE snapshotters.

(See Graphdriver plugins, where Docker graph driver plugins let administrators use an external, out-of-process graph driver with the Docker engine.
This is an alternative to using the built-in storage drivers such as aufs/overlay/devicemapper/btrfs.)

  • Cgroups (including docker top) and AppArmor are disabled at the moment.
    In future, Cgroups will be optionally available when delegation permission is configured on the host.
  • Checkpoint is not supported at the moment.
  • Running rootless dockerd in rootless/rootful dockerd is also possible, but not fully tested.

The documentation is now in docs/rootless.md:

Note the following requirements:

  • newuidmap and newgidmap need to be installed on the host.
    These commands are provided by the uidmap package on most distros.

  • /etc/subuid and /etc/subgid should contain >= 65536 sub-IDs.
    e.g. penguin:231072:65536.

That is:

$ id -u
1001
$ whoami
penguin
$ grep ^$(whoami): /etc/subuid
penguin:231072:65536
$ grep ^$(whoami): /etc/subgid
penguin:231072:65536

Either slirp4netns (v0.3+) or VPNKit needs to be installed.
slirp4netns is preferred for the best performance.

You will have to modify your script:

You need to run dockerd-rootless.sh instead of dockerd.

$ dockerd-rootless.sh --experimental


May 2019 update: Tõnis Tiigi explores this rootless option in "Experimenting with Rootless Docker":

User namespaces map a range of user ID-s so that the root user in the inner namespace maps to an unprivileged range in the parent namespace.
A fresh process in user namespace also picks up a full set of process capabilities.

The rootless mode works in a similar way, except we create a user namespace first and start the daemon already in the remapped namespace. The daemon and the containers will both use the same user namespace that is different from the host one.

(Diagram from the article: https://cdn-images-1.medium.com/max/1636/1*SfAokC2YQ-f04Wc2WhSRCw.png)

Although Linux allows creating user namespaces without extended privileges these namespaces only map a single user and therefore do not work with many current existing containers.
To overcome that, rootless mode has a dependency on the uidmap package that can do the remapping of users for us. The binaries in uidmap package use setuid bit (or file capabilities) and therefore always run as root internally.

To make the launching of different namespaces and integration with uidmap simpler Akihiro created a project called rootlesskit.
Rootlesskit also takes care of setting up networking for rootless containers. By default rootless docker uses networking based on moby/vpnkit project that is also used for networking in the Docker Desktop products.
Alternatively, users can install slirp4netns and use that instead.

Again:

Caveats:

Some examples of things that do not work on rootless mode are cgroups resource controls, apparmor security profiles, checkpoint/restore, overlay networks etc.
Exposing ports from containers currently requires manual socat helper process.

Only Ubuntu based distros support overlay filesystems in rootless mode.
For other systems, rootless mode uses vfs storage driver that is suboptimal in many filesystems and not recommended for production workloads.
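The answer above lists the host-side requirements for rootless mode (newuidmap/newgidmap from the uidmap package, at least 65536 sub-IDs for the user in /etc/subuid and /etc/subgid, and slirp4netns or VPNKit). The preflight script below is an added example, not code from the question, the answer or the Docker project. It assumes the "name:start:count" format shown in the answer for the sub-ID files and sums all entries for the user; the sample files it checks are constructed inline so it runs without touching /etc.

```shell
#!/bin/sh
# Added example: preflight checks for rootless dockerd, based on the requirements
# listed in the answer. Function names and the sample data are this example's own.

# Print the total number of sub-IDs allotted to user $1 in file $2
# (format "name:start:count"; several lines for one user are summed;
# an unreadable or missing file counts as 0).
subid_count() {
  user="$1"; file="$2"
  [ -r "$file" ] || { echo 0; return; }
  awk -F: -v u="$user" '$1 == u { n += $3 } END { print n + 0 }' "$file"
}

# Succeed if user $1 has at least 65536 sub-IDs in file $2 (the documented minimum).
subid_ok() {
  n=$(subid_count "$1" "$2")
  [ "$n" -ge 65536 ]
}

# Succeed only if every binary named in the arguments is on PATH.
have_all() {
  for b in "$@"; do
    command -v "$b" >/dev/null 2>&1 || return 1
  done
  return 0
}

# Full preflight for user $1 (default: current user) using sub-ID files $2/$3
# (default: /etc/subuid and /etc/subgid). Prints findings, returns 1 on any failure.
rootless_preflight() {
  user=${1:-$(id -un)}
  subuid=${2:-/etc/subuid}
  subgid=${3:-/etc/subgid}
  rc=0

  if have_all newuidmap newgidmap; then
    echo "ok: newuidmap and newgidmap found"
  else
    echo "missing: newuidmap/newgidmap (install the uidmap package)"; rc=1
  fi

  if subid_ok "$user" "$subuid"; then
    echo "ok: $subuid grants >= 65536 sub-UIDs to $user"
  else
    echo "fail: $subuid grants $(subid_count "$user" "$subuid") sub-UIDs to $user (need >= 65536)"; rc=1
  fi

  if subid_ok "$user" "$subgid"; then
    echo "ok: $subgid grants >= 65536 sub-GIDs to $user"
  else
    echo "fail: $subgid grants $(subid_count "$user" "$subgid") sub-GIDs to $user (need >= 65536)"; rc=1
  fi

  if have_all slirp4netns; then
    echo "ok: slirp4netns found"
  elif have_all vpnkit; then
    echo "ok: vpnkit found (slirp4netns is preferred for performance)"
  else
    echo "missing: slirp4netns (v0.3+) or VPNKit"; rc=1
  fi

  return $rc
}

# Constructed sample sub-ID files mirroring the "penguin:231072:65536" line from
# the answer, so the checks can be exercised without reading the real /etc files.
tmp=$(mktemp -d)
printf 'penguin:231072:65536\nother:100000:1000\n' > "$tmp/subuid"
printf 'penguin:231072:65536\nother:100000:1000\n' > "$tmp/subgid"

if rootless_preflight penguin "$tmp/subuid" "$tmp/subgid"; then
  echo "host looks ready for dockerd-rootless.sh"
else
  echo "host is not ready for rootless mode; fix the items marked fail/missing"
fi
rm -rf "$tmp"
```

To check the real host, call `rootless_preflight` with no arguments (it then reads /etc/subuid and /etc/subgid for the current user); the binary checks only confirm presence on PATH, not that newuidmap/newgidmap carry the setuid bit or file capabilities the article mentions.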

Regarding "docker - Installing the Docker binaries on a server without root access", we found a similar question on Stack Overflow: https://stackoverflow.com/questions/53353856/
