无根 docker 失败,出现“systemd 错误:需要交互式身份验证”

I followed the guide https://docs.docker.com/engine/security/rootless/ to run Docker on a Debian (testing) machine. After stumbling over some paths that are set up incorrectly in Debian (resolved with sudo ln -s /usr/share/docker.io/contrib/dockerd-rootless* /usr/bin/), it seemed to work fine:

$ dockerd-rootless-setuptool.sh install
[INFO] Creating /home/tobias/.config/systemd/user/docker.service
[INFO] starting systemd service docker.service
+ systemctl --user start docker.service
+ sleep 3
+ systemctl --user --no-pager --full status docker.service
● docker.service - Docker Application Container Engine (Rootless)
     Loaded: loaded (/home/tobias/.config/systemd/user/docker.service; disabled; preset: enabled)
     Active: active (running) since Sun 2023-02-05 22:32:06 CET; 3s ago
       Docs: https://docs.docker.com/go/rootless/
   Main PID: 15248 (rootlesskit)
      Tasks: 47
     Memory: 55.4M
        CPU: 1.581s
     CGroup: /user.slice/user-1000.slice/user@1000.service/app.slice/docker.service
             ├─15248 rootlesskit --net=slirp4netns --mtu=65520 --slirp4netns-sandbox=auto --slirp4netns-seccomp=auto --disable-host-loopback --port-driver=builtin --copy-up=/etc --copy-up=/run --propagation=rslave /usr/bin/dockerd-rootless.sh
             ├─15259 /proc/self/exe --net=slirp4netns --mtu=65520 --slirp4netns-sandbox=auto --slirp4netns-seccomp=auto --disable-host-loopback --port-driver=builtin --copy-up=/etc --copy-up=/run --propagation=rslave /usr/bin/dockerd-rootless.sh
             ├─15281 slirp4netns --mtu 65520 -r 3 --disable-host-loopback --enable-sandbox --enable-seccomp 15259 tap0
             ├─15288 dockerd
             └─15311 containerd --config /run/user/1000/docker/containerd/containerd.toml --log-level info

Feb 05 22:32:07 tobiasZenbook dockerd-rootless.sh[15288]: time="2023-02-05T22:32:07.253518391+01:00" level=warning msg="Unable to find io controller"
Feb 05 22:32:07 tobiasZenbook dockerd-rootless.sh[15288]: time="2023-02-05T22:32:07.253631034+01:00" level=warning msg="Unable to find cpuset controller"
Feb 05 22:32:07 tobiasZenbook dockerd-rootless.sh[15288]: time="2023-02-05T22:32:07.254279197+01:00" level=info msg="Loading containers: start."
Feb 05 22:32:07 tobiasZenbook dockerd-rootless.sh[15288]: time="2023-02-05T22:32:07.285126244+01:00" level=warning msg="Running modprobe bridge br_netfilter failed with message: modprobe: ERROR: could not insert 'br_netfilter': Operation not permitted\ninsmod /lib/modules/6.1.0-3-amd64/kernel/net/bridge/br_netfilter.ko \n, error: exit status 1"
Feb 05 22:32:07 tobiasZenbook dockerd-rootless.sh[15288]: time="2023-02-05T22:32:07.285237875+01:00" level=info msg="skipping firewalld management for rootless mode"
Feb 05 22:32:07 tobiasZenbook dockerd-rootless.sh[15288]: time="2023-02-05T22:32:07.882271593+01:00" level=info msg="Default bridge (docker0) is assigned with an IP address 172.17.0.0/16. Daemon option --bip can be used to set a preferred IP address"
Feb 05 22:32:08 tobiasZenbook dockerd-rootless.sh[15288]: time="2023-02-05T22:32:08.100180638+01:00" level=info msg="Loading containers: done."
Feb 05 22:32:08 tobiasZenbook dockerd-rootless.sh[15288]: time="2023-02-05T22:32:08.168790703+01:00" level=info msg="Docker daemon" commit=6051f14 graphdriver(s)=fuse-overlayfs version=20.10.23+dfsg1
Feb 05 22:32:08 tobiasZenbook dockerd-rootless.sh[15288]: time="2023-02-05T22:32:08.169051618+01:00" level=info msg="Daemon has completed initialization"
Feb 05 22:32:08 tobiasZenbook dockerd-rootless.sh[15288]: time="2023-02-05T22:32:08.200846716+01:00" level=info msg="API listen on /run/user/1000/docker.sock"
+ DOCKER_HOST=unix:///run/user/1000/docker.sock /usr/bin/docker version
Client:
 Version:           20.10.23+dfsg1
 API version:       1.41
 Go version:        go1.19.5
 Git commit:        7155243
 Built:             Fri Jan 20 08:04:03 2023
 OS/Arch:           linux/amd64
 Context:           default
 Experimental:      true

Server:
 Engine:
  Version:          20.10.23+dfsg1
  API version:      1.41 (minimum version 1.12)
  Go version:       go1.19.5
  Git commit:       6051f14
  Built:            Fri Jan 20 08:04:03 2023
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          1.6.16~ds1
  GitCommit:        1.6.16~ds1-1
 runsc:
  Version:          0.0~20221219.0
  GitCommit:        
 docker-init:
  Version:          0.19.0
  GitCommit:        
+ systemctl --user enable docker.service
Created symlink /home/tobias/.config/systemd/user/default.target.wants/docker.service → /home/tobias/.config/systemd/user/docker.service.
[INFO] Installed docker.service successfully.
[INFO] To control docker.service, run: `systemctl --user (start|stop|restart) docker.service`
[INFO] To run docker.service on system startup, run: `sudo loginctl enable-linger tobias`

[INFO] Creating CLI context "rootless"
Successfully created context "rootless"
[INFO] Use CLI context "rootless"
Current context is now "rootless"

[INFO] Make sure the following environment variables are set (or add them to ~/.bashrc):

export PATH=/usr/bin:$PATH
Some applications may require the following environment variable too:
export DOCKER_HOST=unix:///run/user/1000/docker.sock

But I still cannot run containers:

$ docker run --rm hello-world
docker: Error response from daemon: failed to create shim task: OCI runtime create failed: creating container: systemd error: Interactive authentication required.: unknown.

Here is the corresponding system log:

docker0: port 1(veth2258e10) entered blocking state
docker0: port 1(veth2258e10) entered disabled state
device veth2258e10 entered promiscuous mode
time="2023-02-05T22:36:35.627254114+01:00" level=info msg="loading plugin \"io.containerd.event.v1.publisher\"..." runtime=io.containerd.runc.v2 type=io.containerd.event.v1
time="2023-02-05T22:36:35.627392433+01:00" level=info msg="loading plugin \"io.containerd.internal.v1.shutdown\"..." runtime=io.containerd.runc.v2 type=io.containerd.internal.v1
time="2023-02-05T22:36:35.627412786+01:00" level=info msg="loading plugin \"io.containerd.ttrpc.v1.task\"..." runtime=io.containerd.runc.v2 type=io.containerd.ttrpc.v1
time="2023-02-05T22:36:35.627737169+01:00" level=info msg="starting signal loop" namespace=moby path=/run/.ro724997694/user/1000/docker/containerd/daemon/io.containerd.runtime.v2.task/moby/4ae34c36cff9d6643c8e9b4dd7b6991809df1129421729f66e9ea96ebd708c42 pid=20080 runtime=io.containerd.runc.v2
time="2023-02-05T22:36:35.826413593+01:00" level=info msg="shim disconnected" id=4ae34c36cff9d6643c8e9b4dd7b6991809df1129421729f66e9ea96ebd708c42
time="2023-02-05T22:36:35.826596345+01:00" level=warning msg="cleaning up after shim disconnected" id=4ae34c36cff9d6643c8e9b4dd7b6991809df1129421729f66e9ea96ebd708c42 namespace=moby
time="2023-02-05T22:36:35.826645688+01:00" level=info msg="cleaning up dead shim"
time="2023-02-05T22:36:35.891971447+01:00" level=warning msg="cleanup warnings time=\"2023-02-05T22:36:35+01:00\" level=info msg=\"starting signal loop\" namespace=moby pid=20107 runtime=io.containerd.runc.v2\ntime=\"2023-02-05T22:36:35+01:00\" level=warning msg=\"failed to read init pid file\" error=\"open /run/.ro724997694/user/1000/docker/containerd/daemon/io.containerd.runtime.v2.task/moby/4ae34c36cff9d6643c8e9b4dd7b6991809df1129421729f66e9ea96ebd708c42/init.pid: no such file or directory\" runtime=io.containerd.runc.v2\n"
time="2023-02-05T22:36:35.893274705+01:00" level=error msg="copy shim log" error="read /proc/self/fd/13: file already closed"
time="2023-02-05T22:36:35.894254094+01:00" level=error msg="stream copy error: reading from a closed fifo"
time="2023-02-05T22:36:35.894632438+01:00" level=error msg="stream copy error: reading from a closed fifo"
docker0: port 1(veth2258e10) entered disabled state
device veth2258e10 left promiscuous mode
docker0: port 1(veth2258e10) entered disabled state
time="2023-02-05T22:36:36.076971530+01:00" level=error msg="4ae34c36cff9d6643c8e9b4dd7b6991809df1129421729f66e9ea96ebd708c42 cleanup: failed to delete container from containerd: no such container"
time="2023-02-05T22:36:36.093375114+01:00" level=error msg="Handler for POST /v1.41/containers/4ae34c36cff9d6643c8e9b4dd7b6991809df1129421729f66e9ea96ebd708c42/start returned error: failed to create shim task: OCI runtime create failed: creating container: systemd error: Interactive authentication required.: unknown"

I have tried both runc and runsc as the runtime, but it makes no difference.

$ docker info
Client:
 Context:    rootless
 Debug Mode: false

Server:
 Containers: 7
  Running: 0
  Paused: 0
  Stopped: 7
 Images: 2
 Server Version: 20.10.23+dfsg1
 Storage Driver: fuse-overlayfs
 Logging Driver: json-file
 Cgroup Driver: systemd
 Cgroup Version: 2
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
 Swarm: inactive
 Runtimes: io.containerd.runc.v2 io.containerd.runtime.v1.linux runc runsc
 Default Runtime: runsc
 Init Binary: docker-init
 containerd version: 1.6.16~ds1-1
 runc version: 
 init version: 
 Security Options:
  seccomp
   Profile: default
  rootless
  cgroupns
 Kernel Version: 6.1.0-3-amd64
 Operating System: Debian GNU/Linux bookworm/sid
 OSType: linux
 Architecture: x86_64
 CPUs: 8
 Total Memory: 15.52GiB
 Docker Root Dir: /home/tobias/.local/share/docker
 Debug Mode: false
 Registry: https://index.docker.io/v1/
 Labels:
 Experimental: false
 Insecure Registries:
  127.0.0.0/8
 Live Restore Enabled: false

WARNING: No cpuset support
WARNING: No io.weight support
WARNING: No io.weight (per device) support
WARNING: No io.max (rbps) support
WARNING: No io.max (wbps) support
WARNING: No io.max (riops) support
WARNING: No io.max (wiops) support
WARNING: bridge-nf-call-iptables is disabled
WARNING: bridge-nf-call-ip6tables is disabled

Answer 1

I am not sure whether cgroups2 is set up correctly, so as a workaround I switched to cgroup v1.

  1. Add GRUB_CMDLINE_LINUX="systemd.unified_cgroup_hierarchy=0" to /etc/default/grub.
  2. Update grub
  3. systemctl reboot -i

After that, "cgroupns" no longer appears under "Security Options" in "docker info", so containers can be run.
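As an added example (not code from the original question or answer), the following POSIX shell script checks the two things the answer above touches: which cgroup hierarchy the kernel command line selects, and which cgroup v2 controllers systemd has delegated to the unprivileged user that runs rootless Docker. The sysfs path and the controller names are the standard systemd/cgroup v2 ones; the helper functions take their inputs as arguments so they can also be run against constructed samples.

```shell
#!/bin/sh
# Added example: inspect the cgroup setup that rootless Docker's systemd
# cgroup driver relies on. Not part of the original post.

# Report which cgroup hierarchy a kernel command line selects.
# Prints "v1" when systemd.unified_cgroup_hierarchy=0 is present (the
# workaround in the answer), otherwise "v2" (the Debian default).
cgroup_mode_from_cmdline() {
    case " $1 " in
        *" systemd.unified_cgroup_hierarchy=0 "*) echo v1 ;;
        *) echo v2 ;;
    esac
}

# $1 is the contents of a cgroup.controllers file; $2.. are controller
# names. Returns 0 only if every named controller is delegated.
controllers_delegated() {
    have="$1"; shift
    for want in "$@"; do
        case " $have " in
            *" $want "*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Live check on this machine (meaningful only on a systemd host).
# On cgroup v2, the controllers listed in the user's service cgroup are
# the ones an unprivileged dockerd can use; controllers missing here show
# up as "WARNING: No cpuset support" style lines in `docker info`.
rootless_cgroup_report() {
    uid=$(id -u)
    mode=$(cgroup_mode_from_cmdline "$(cat /proc/cmdline 2>/dev/null)")
    echo "kernel cmdline selects cgroup $mode"
    if [ "$mode" = v2 ]; then
        f="/sys/fs/cgroup/user.slice/user-$uid.slice/user@$uid.service/cgroup.controllers"
        delegated=$(cat "$f" 2>/dev/null)
        echo "controllers delegated to uid $uid: ${delegated:-<none or file missing>}"
        if controllers_delegated "$delegated" cpu memory pids; then
            echo "cpu/memory/pids delegation OK"
        else
            echo "delegation incomplete: rootless resource limits will not work"
        fi
    fi
}
```

Source the file and call rootless_cgroup_report as the user that runs rootless Docker; the report is read-only and changes nothing.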
