* Fixed rootlesskit binary path, mention daemon restart
`rootlesskit` lives at `/usr/bin/rootlesskit`. After setting the `CAP_NET_BIND_SERVICE` capability, the daemon has to be restarted.
* Changed rootlesskit binary path to be dynamically resolved
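The capability and restart step described in the commit above, as an added shell example (this is not code from the docs repository or from rootlesskit itself): the binary is resolved from `PATH` instead of being hard-coded, `getcap` is used to check whether the capability is already present, and the user-level systemd unit is restarted afterwards because a running `rootlesskit` does not pick up a changed file capability. The `sudo` and `systemctl --user` invocations assume a systemd-managed rootless installation; the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the docs repo: let rootless dockerd publish ports < 1024
# by granting rootlesskit CAP_NET_BIND_SERVICE, then restart the user daemon.
set -eu

# Resolve the rootlesskit binary from PATH instead of hard-coding /usr/bin/rootlesskit
# (a package install uses /usr/bin, a TGZ install typically uses ~/bin).
resolve_rootlesskit() {
    command -v rootlesskit 2>/dev/null || return 1
}

# Return 0 if the file already carries cap_net_bind_service in its file capabilities.
# getcap prints nothing for a file without capabilities, so grep fails in that case.
has_net_bind_cap() {
    getcap "$1" 2>/dev/null | grep -q 'cap_net_bind_service'
}

# Grant the capability (requires root, hence sudo) and restart the rootless daemon.
# File capabilities are read at exec time, so the already-running rootlesskit keeps
# its old capability set until dockerd is restarted.
grant_cap_and_restart() {
    bin=$(resolve_rootlesskit) || { echo "rootlesskit not found in PATH" >&2; return 1; }
    if has_net_bind_cap "$bin"; then
        echo "$bin already has cap_net_bind_service" >&2
    else
        sudo setcap cap_net_bind_service=ep "$bin"
    fi
    systemctl --user restart docker
    # Confirm the new daemon sees the capability before trying -p 80:80 again.
    has_net_bind_cap "$bin"
}

# Only perform the privileged steps when explicitly asked to.
if [ "${1:-}" = "--apply" ]; then
    grant_cap_and_restart
fi
```

Run it as `sh grant-cap.sh --apply`; without the flag it only defines the functions so they can be sourced and checked.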
The SELinux workaround for `/run/xtables.lock` is no longer needed
since Docker 20.10.8 (moby/moby PR 42462)
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
- sysctl `kernel.unprivileged_userns_clone=1` is no longer needed
- Recommend fuse-overlayfs.
Debian kernel has modprobe option `permit_mounts_in_userns=1` but
it is still unstable (moby/moby issue 42302)
- Now the apt repo has a relatively recent version of slirp4netns (1.0.1)
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
- Add missing code-hints (console, yaml)
- Consistently add an empty line after code-blocks
- Combine some examples where the output and the command were
put in separate blocks. With the "console" code-hint, this
is no longer necessary.
- fix indentation in cloud/ecs-integration.md, which caused the
numbered-list to be interrupted.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Added .md files for SLES and RHEL engine installation. Added indexing to _data/toc.yaml and engine/install/index.md. Modified engine/install/index.md, includes/install-script.md, engine/security/rootless.md, storage/storagedriver/device-mapper-driver.md, and storage/storagedriver/select-storage-driver.md to add info for added RHEL and SLES support. Modified engine/install/ubuntu.md to add s390x repos and other info. Added tab target for RHEL and SLES to engine/security/rootless.md along with other info.
Signed-off-by: Nirman Narang <narang@us.ibm.com>
NFS mounts are not currently supported for rootless data-root so there should probably be a note about it so no one gets confused when it doesn't work.
Errors for running rootless containers when your data-root is an NFS mount look like:
```
docker: failed to register layer: ApplyLayer exit status 1 stdout: stderr: open /root/.bash_logout: permission denied.
```
* Workaround for outdated slirp4netns on debian
I had an issue on Debian 11 where the package in the
main apt repositories was too old. This provides a workaround, by
adding the testing repos to the sources list and then upgrading slirp4netns
* pr review
- add console tag
- add newline before console code block
- remove the installation instructions for `slirp4netns` and link to the releases page, which will have it anyway.
* pr review
- add in the suggested comment about vpnkit
- btrfs is now supported (moby/moby PR 42253)
- CLI context "rootless" is now created by default (moby/moby PR 42109)
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
= _includes/install-script.md, engine/install/linux-postinstall.md =
- Remove "Rootless mode is currently available as an experimental feature."
Close issue 12050
= engine/security/rootless.md =
== "Prerequisites" section ==
- Remove information about old distros (Debian 9, CentOS 7.5-7.6)
== "Distribution-specific hint" section ==
- Tabified (`<div class="tab-content" />`)
== "Known limitations" section ==
- Kernel 5.11 supports rootless overlayfs, without the Ubuntu/Debian patch.
== "Install" section ==
- Promote RPM/DEB installation over TGZ installation.
See docker/roadmap issue 188
== "Uninstall" section ==
- Add "Uninstall" section.
Close issue 12053
== "Usage" section ==
- Added more information about systemd
- Move `nsenter` tips to "Tips for debugging" subsection under "Troubleshooting" section
== "Best practice" section ==
- Remove guide for `lxc-user-nic` network driver due to immaturity.
Will be brought back in future.
See rootless-containers/rootlesskit issue 138 .
== "Troubleshooting" section ==
- Add a guide for "can't open lock file /run/xtables.lock: Permission denied" (SELinux).
See moby/moby issue 41230
- Add a guide for "failed to register layer: ApplyLayer exit status 1 ..." (NFS).
Close docker/for-linux issue 1172
- Improve guides for slirp4netns.
- Remove v19.03 information (e.g., "cgroup v2 is unsupported, use cgroup v1")
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
* Docker now supports cgroup v2 (both rootful and rootless)
* Rootless mode graduated from experimental
* New storage driver: fuse-overlayfs
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
See https://web.dev/external-anchors-use-rel-noopener/
Using noopener, as that addresses the security issue. "noreferrer" blocks
the REFERER header, which may still be useful for some target URLs.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
* Add Ubuntu 20.04
* Remove Fedora 30 (EOL)
* `docker run --net=host` does not work in the most expected way
* Allow installation as the root
* Nightly channel
* `docker context create rootless`
* `DOCKER_HOST=ssh://...`
* Alternatives to cgroup flags (`docker run --cpus --memory --pids-limit`)
* A bunch of troubleshooting tips
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
* Removed is from line 80
Removed is from line 80 as this is not required
* changed text to link at line 129
changed text to link at line 129 to make it easy for user to navigate
* changed the URL to link
changed the URL to link for easy navigation
* added these before flags in line 186
added these before flags in line 186
Co-Authored-By: Sebastiaan van Stijn <thaJeztah@users.noreply.github.com>
Add "Run the Docker daemon as a non-root user (Rootless mode)":
`engine/security/rootless.md`
The content is based on https://github.com/moby/moby/blob/master/docs/rootless.md
`rootless.md` in `moby/moby` will be replaced with a link to
the `docs.docker.com` page compiled from `rootless.md` in this repo.
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>