Documentation officielle de Docker Docker Rootless Docs
Article sur la différence entre le mode Rootless de Docker et la sécurité basique appliquée à des conteneurs Article Medium
Scénario Katacoda du mode Rootless Tuto
Démonstration à la DockerCon
Le mode Rootless est expérimenté sur un serveur Linux Debian 10.
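# --- As root: create the unprivileged user that will own the rootless daemon ---
groupadd pic --gid 65536
adduser pic --uid 231072 --gid 65536

# Subordinate UID/GID range used for the user namespace (65536 IDs starting at 100000).
# The range must not overlap another entry in these files; only append when the user has none yet.
grep -q '^pic:' /etc/subuid || echo "pic:100000:65536" >> /etc/subuid
grep -q '^pic:' /etc/subgid || echo "pic:100000:65536" >> /etc/subgid

# Debian 10 ships unprivileged user namespaces disabled; rootless Docker needs them.
# This exposes more kernel surface to unprivileged processes, so keep the kernel patched.
echo "kernel.unprivileged_userns_clone=1" >> /etc/sysctl.d/99-sysctl.conf
sysctl --system

# --- Everything below runs as the unprivileged user ('-' = login shell, so HOME is pic's) ---
su - pic
id -u
whoami
# Confirm the subordinate ranges are visible for this user (pattern quoted so it stays one word).
grep "^$(whoami):" /etc/subuid
grep "^$(whoami):" /etc/subgid

# Fetch the installer to a file so it can be reviewed before it runs,
# rather than piping an unverified remote script straight into sh.
installer=$(mktemp)
curl --proto '=https' --tlsv1.2 -fsSL -o "$installer" https://get.docker.com/rootless
less "$installer"   # review, then execute
sh "$installer"
rm -f -- "$installer"

# Persist the environment. The original lines lacked the '>>' redirection, so nothing was
# written to .bashrc. Single quotes keep $XDG_RUNTIME_DIR/$HOME/$PATH unexpanded until the
# shell starts: expanding $XDG_RUNTIME_DIR at write time (still unset here) would yield
# 'unix:///docker.sock', and PATH must not hard-code another user's home (/home/mcalves).
{
  echo "export XDG_RUNTIME_DIR=/run/user/$(id -u)"
  echo 'export DOCKER_HOST=unix://$XDG_RUNTIME_DIR/docker.sock'
  echo 'export PATH=$HOME/bin:$PATH'
  echo 'export COMPOSE_HTTP_TIMEOUT=200'
} >> "$HOME/.bashrc"
source "$HOME/.bashrc"

# systemd user unit directory; the unit file written next belongs to this user, not to root.
mkdir -p "$HOME/.config/systemd/user/"
vim "$HOME/.config/systemd/user/docker.service"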
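# ~/.config/systemd/user/docker.service — user-level unit for the rootless daemon.
# systemd does not expand $HOME in Environment= strings nor in the ExecStart command path;
# the %h specifier (home directory of the unit's user) is what gets expanded there.
[Unit]
Description=Docker Application Container Engine (Rootless)
Documentation=https://docs.docker.com

[Service]
# %h/bin is where the rootless installer places dockerd-rootless.sh and its helpers.
Environment=PATH=%h/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
# vfs has no copy-on-write (slow, space-hungry) but needs no overlay/fuse support in the kernel.
ExecStart=%h/bin/dockerd-rootless.sh --experimental --storage-driver vfs
# $MAINPID is provided by systemd and is expanded in arguments (unlike $HOME above).
ExecReload=/bin/kill -s HUP $MAINPID
TimeoutSec=0
RestartSec=2
Restart=always
StartLimitBurst=3
StartLimitInterval=60s
LimitNOFILE=infinity
LimitNPROC=infinity
LimitCORE=infinity
TasksMax=infinity
# Hands control of this unit's cgroup subtree to the daemon so it can manage container cgroups.
Delegate=yes
Type=simple

[Install]
WantedBy=default.target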
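# Register and start the user-level unit written above (no root involved).
# 'systemctl --user' needs a running user manager, which a plain 'su - pic' usually does not
# provide ("Failed to connect to bus"): run these from a real login session (ssh/login) as pic.
# Without 'loginctl enable-linger pic' (run as root) the user manager, and with it the daemon,
# stops when pic logs out.
systemctl --user daemon-reload
systemctl --user enable docker
systemctl --user start docker
systemctl --user status docker

# Alternative to the unit (skip when the service above is running: a second daemon fails on
# the socket already bound under $XDG_RUNTIME_DIR). A bare '2>&1 &' still writes everything to
# the terminal; redirect to a file to keep the logs (example path).
dockerd-rootless.sh --experimental --storage-driver vfs > "$HOME/dockerd-rootless.log" 2>&1 &

vim docker-compose.yml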
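# docker-compose.yml — a single GitLab CE service on the rootless daemon (indentation restored).
version: "3.6"
services:
  gitlab:
    # Pinned tag: keep it pinned, but update it regularly (12.10.3 is an old release).
    image: gitlab/gitlab-ce:12.10.3-ce.0
    restart: unless-stopped
    hostname: gitlab.example.com
    container_name: 'gitlab'
    # Rootless: host ports below 1024 typically cannot be bound, hence 9022/9080.
    # These bind 0.0.0.0 (see the rootlesskit-docker-proxy processes in the ps output);
    # prefix with "127.0.0.1:" if the service is only meant to be reached via a local proxy.
    ports:
      - "9022:22"
      - "9080:80"
    # Named volumes are stored under the rootless user's data root
    # (~/.local/share/docker, visible in the containerd-shim workdir of the ps output).
    volumes:
      - gitlab-data:/var/opt/gitlab
      - gitlab-logs:/var/log/gitlab
      - gitlab-config:/etc/gitlab
    environment:
      GITLAB_OMNIBUS_CONFIG: |
        # IP_HOSTNAME is a placeholder: set it to the address clients will use. GitLab listens
        # on the port given in external_url, so with the 9080->80 mapping either keep the port
        # out of the URL (reverse proxy in front) or also set nginx['listen_port'] = 80.
        external_url 'http://IP_HOSTNAME'
        # Add any other gitlab.rb configuration here, each on its own line
volumes:
  gitlab-data:
  gitlab-logs:
  gitlab-config: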
# Run from the directory holding docker-compose.yml (the prompt in the expected output shows ~/gitlab); starts the stack detached.
docker-compose up -d
Résultat attendu :
# As the rootless user (DOCKER_HOST points at the per-user socket): the container should be listed Up (healthy) with 9022 and 9080 published.
docker ps
mcalves@ats-linux-03:~/gitlab$ docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
868af07fe3d3 gitlab/gitlab-ce:12.10.3-ce.0 "/assets/wrapper" 16 hours ago Up 16 hours (healthy) 443/tcp, 0.0.0.0:9022->22/tcp, 0.0.0.0:9080->80/tcp gitlab
Résultat attendu : tous les processus du démon (rootlesskit, dockerd, containerd, docker-proxy, containerd-shim) appartiennent à l'utilisateur non privilégié ; seul le grep lancé depuis le shell root apparaît sous root.
# Run as root so every user's processes are visible: all daemon processes should belong to the rootless user; the only root entry is this grep itself.
ps aux | grep docker
root@ats-linux-03:~# ps aux | grep docker
mcalves 1411 0.0 0.0 110384 12160 ? Sl 05:06 0:00 rootlesskit --net=vpnkit --mtu=1500 --slirp4netns-sandbox=auto --slirp4netns-seccomp=auto --disable-host-loopback --port-driver=builtin --copy-up=/etc --copy-up=/run /home/mcalves/bin/dockerd-rootless.sh --experimental --storage-driver vfs
mcalves 1420 0.0 0.0 110384 12888 ? Sl 05:06 0:00 /proc/self/exe --net=vpnkit --mtu=1500 --slirp4netns-sandbox=auto --slirp4netns-seccomp=auto --disable-host-loopback --port-driver=builtin --copy-up=/etc --copy-up=/run /home/mcalves/bin/dockerd-rootless.sh --experimental --storage-driver vfs
mcalves 1455 1.2 0.9 940276 145860 ? Sl 05:06 2:39 dockerd --experimental --storage-driver vfs
mcalves 1468 0.3 0.2 702860 36004 ? Ssl 05:06 0:42 containerd --config /run/user/1000/docker/containerd/containerd.toml --log-level info
root 3259 0.0 0.0 6224 884 pts/1 S+ 08:43 0:00 grep docker
mcalves 14197 0.0 0.0 106632 8076 ? Sl 06:12 0:00 /home/mcalves/bin/rootlesskit-docker-proxy -proto tcp -host-ip 0.0.0.0 -host-port 8081 -container-ip 172.27.0.2 -container-port 8081
mcalves 14202 0.0 0.0 103324 5104 ? Sl 06:12 0:00 docker-proxy -container-ip 172.27.0.2 -container-port 8081 -host-ip 127.0.0.1 -host-port 8081 -proto tcp
mcalves 14211 0.0 0.0 107700 8168 ? Sl 06:12 0:06 containerd-shim -namespace moby -workdir /home/mcalves/.local/share/docker/containerd/daemon/io.containerd.runtime.v1.linux/moby/e2aaecf2a3a7b332e9caeb14b565f13309abb7cd618f3f9e0fb6adb1e36b41a3 -address /run/user/1000/docker/containerd/containerd.sock -containerd-binary /home/mcalves/bin/containerd -runtime-root /run/user/1000/docker/runtime-runc
mcalves 20096 0.0 0.0 108296 7836 ? Sl 06:50 0:00 /home/mcalves/bin/rootlesskit-docker-proxy -proto tcp -host-ip 0.0.0.0 -host-port 9080 -container-ip 172.23.0.2 -container-port 80
mcalves 20101 0.0 0.0 103580 5104 ? Sl 06:50 0:00 docker-proxy -container-ip 172.23.0.2 -container-port 80 -host-ip 127.0.0.1 -host-port 9080 -proto tcp
mcalves 20118 0.0 0.0 106632 8080 ? Sl 06:50 0:00 /home/mcalves/bin/rootlesskit-docker-proxy -proto tcp -host-ip 0.0.0.0 -host-port 9022 -container-ip 172.23.0.2 -container-port 22
mcalves 20123 0.0 0.0 103324 5044 ? Sl 06:50 0:00 docker-proxy -container-ip 172.23.0.2 -container-port 22 -host-ip 127.0.0.1 -host-port 9022 -proto tcp
mcalves 20132 0.0 0.0 109108 10156 ? Sl 06:50 0:01 containerd-shim -namespace moby -workdir /home/mcalves/.local/share/docker/containerd/daemon/io.containerd.runtime.v1.linux/moby/868af07fe3d39afb1e2bb12a5bb9b16c0fbb4fe69667598131b54a1a8094395f -address /run/user/1000/docker/containerd/containerd.sock -containerd-binary /home/mcalves/bin/containerd -runtime-root /run/user/1000/docker/runtime-runc