Unterschiede

Hier werden die Unterschiede zwischen zwei Versionen der Seite angezeigt.

--- content:serverbasics:docker [2023/12/29 15:36] – [... and the permissions of the files] obel1x
+++ content:serverbasics:docker [2026/03/01 11:44] (aktuell) – [Fast Stop of all Containers] obel1x
@@ Zeile 1: / Zeile 1: @@
-====== Docker ======
+====== Docker (rootless) + Portainer ======
-Docker is a powerful solution for setting up Services. This on will give you hints how to setup Docker in a good way.
+Docker is a powerful solution for setting up Services. This short Introducion will give you hints how to setup Docker in a good way in userspace, so no root-access is needed for Docker.
-Currently i am Experimenting on that topic, so maybe this documentation will be ready to use, maybe not.
+Currently i am experimenting on that topic, so maybe this documentation will be ready to use, maybe not.
-===== Docker rootless =====
 Docker itself is nice, but it will run as root per default, which is a no-go at all. This will setup Docker in rootless- mode on OpenSuSE (currently Leap 15.5).
-==== Package ====
+__**Warning: This is a very strong advise NOT to use docker default in rootmode at all! **__  The reason is, that any service is able to talk to the Docker Daemon if there is a connection to the Docker socket in the Volumes (which some services require) - or simply if thers a bug somewhere. By that way, the Docker Container will be able to set up ANY service and bind ANY location on the Host, that the docker user may be able to see. So if the Service gets taken over and the service ist runnig as root… you know where you are.
-While Docker-Rootless is not in the main Repositories, first add the AddOn- Repository: ''[[https://download.opensuse.org/repositories/Virtualization:/containers/${releasever}/|https://download.opensuse.org/repositories/Virtualization:/containers/${releasever}/]]''
+So just: Don't set up Docker rootfull at all if possible - its even not neeeded nowadays.
-Then install the package ''docker-rootless-extras'' and its dependencies.
+===== Filesystem Layout =====
-==== User ====
-Create a new user and maybe give this user another home-directory, as it will store all files of docker.
+Mind, that at the time writing, ''overlay2'' is the way to go as storage driver in docker, but it only supports xfs as backing filesystems (with ''d_type=true'' which means ''ftype=1'' ) for full support.
-Let's say choose home ''/srv/docker-user ''for user ''docker''.
+I personally dislike xfs, especially while its not rubust and won't shrink. I use it anyway, because of its srong advise to do so - with kernel 5.19+ it should be possible to get overlay2 working on btrfs, but still there are things that may not work even with that kernel - in the worst case, docker is unable to unlink files, so there will be huge Containers and Volumes and maybe Services will break.
-Also it may be a good choice, not to have this user added to ''users'' group - choose ''docker'' as default group.
+So make sure, that the Home-Directory of you docker user is on XFS. The ftype is already ok on SuSE 15.5, check output of ''xfs_info <volumename>''.
-==== Install rootless Docker ====
-Warning: You CANNOT sudo to this user and install docker this way, because pam is not loaded when doing this. You need to:
+Warning: you may have umask set your way - i prefer 007 as written before. But if you change umask and permissions be very cautious, as docker uses userid- mapping and may change the permissions and ownersets of files in its directory to the subuserid.
+That may change the ownership in a way, that even the docker user on the host cannot access the Files, which is OK !
+__**STRONG WARNING: Don't change permissions or ownership of docker- directories on the Host directly as this will change them in the container, making them unavaiable and break your Services !!!**__
+__**The only way to manage Volume- File- Permissions is to bash inside the running container itself and to change them there (to the right values of course)!**__
+A short hint: Docker rootless uses Sub(g)uids, which is a feature of Linux. That means each user has a range of userids (quite a huge range) and groupid which the user may use. Those will be exclusive reserved for that user. But it does not mean, that the User can acces the Files created by those Subuids! Also the UIDs are onyl a number - not a real user in Linux having a username- They cannot be used to logon or to work with. Docker manages internally which Host-Subuserid is assigned to which caontainer and to which userid inside the running container/service. Inside the Container, you may become that user having a real username and a (different) uid.
+===== Which Devices / Raid- Level =====
+I strongly do not advise to use Raid5 with classical harddrives to run docker on it. If you plan to have large Data in /home/docker and you want to use xfs + Raid5 to better use your drive- space, than you should use another disc for the overlays of docker.
+For me, i switched to RAID1 on SSD an mounted that to /home/docker/.local - where all Docker files will be stored. Large Data is than stored somewhere else if needed.
+===== Packages NOT to install =====
+I had really a lot of troubles with the package Docker-Rootless in the AddOn- Repository: ''[[https://download.opensuse.org/repositories/Virtualization:/containers/${releasever}/|https://download.opensuse.org/repositories/Virtualization:/containers/${releasever}/]]'' while they are not installing docker the same way, that docker would do. For example they will not be installed in User-Subspace only, but will use systems Docker executables installed in global paths. This is a problem when using btrfs - as btrfs is not fully compatible with docker. So i won't use this any more.
+So i disabled the following packages and locked them to never install:
+  * docker
+  * docker-compose
+  * containerd
+Check out beneath for install the docker way.
+===== Docker- User =====
+Create a new **group**  called **docker**  and a new **user**  called **docker**. Make the user is in the **default group docker**.
+Attention: The Home Directory should be on a volume having XFS as btrfs or others are not fully supported right now (20.04.2024 - patches in new Kernel 5.19 are incoming, but this Kernel is not released until now and still there are some problems open in developement there).
+===== cGroups v2 =====
+OpenSuSE Leap 15.5 does not have cGroups v2 enabled, which are needed by docker.
+You may see a warning (later) when running ''docker info'':
+''WARNING: Running in rootless-mode without cgroups. To enable cgroups in rootless-mode, you need to boot the system in cgroup v2 mode.''
+According to this documentation [[https://rootlesscontaine.rs/getting-started/common/cgroup2/|https://rootlesscontaine.rs/getting-started/common/cgroup2/]] it needs to be enabled by appending the yast/bootloader command line with:
+''systemd.unified_cgroup_hierarchy=1''
+and also the delegation for the user of cpu is needed:
 <file>
+$ sudo mkdir -p /etc/systemd/system/user@.service.d
+$ cat <<EOF | sudo tee /etc/systemd/system/user@.service.d/delegate.conf
+[Service]
+Delegate=cpu cpuset io memory pids
+EOF
+$ sudo systemctl daemon-reload
+</file>
+after this, reboot and check if ''/sys/fs/cgroup/cgroup.controllers''  is present
+After installing docker (see beneath), check if ''docker info''  says:
+<file>
+Cgroup Driver: systemd
+Cgroup Version: 2
+</file>
+Than, its fine.
+===== Install rootless Docker =====
+Warning: You CANNOT sudo to the user and install docker, while logon via pam is needed, which is not when you sudo. You need to ssh into your machine, or yust logon in a usual way:
+<file>
 If you login in the system using either of
 - graphical session
@@ Zeile 35: / Zeile 103: @@
 </file>
-I chose to ssh into my machine directly:
+I chose to ssh into my machine directly, than check your umask to be secure and install docker like this:
-<file>
+<code>
-#> ssh localhost -l docker
+# ~> ssh localhost -l docker
-#> pwd
+Password:
-/srv/docker-user
+Have a lot of fun...
-#> dockerd-rootless-setuptool.sh check
+docker@pcserver2023:~> umask
-[INFO] Requirements are satisfied
-#> dockerd-rootless-setuptool.sh install
+docker@pcserver2023:~> curl -fsSL https://get.docker.com/rootless | FORCE_ROOTLESS_INSTALL=1 sh
-[INFO] Creating /srv/docker-user/.config/systemd/user/docker.service
+# Installing stable version 25.0.2
+# Executing docker rootless install script, commit: 3b2a83b
+  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
+                                 Dload  Upload   Total   Spent    Left  Speed
+68.2M  100 68.2M    0     0  10.0M      0  0:00:06  0:00:06 --:--:-- 10.3M
+  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
+                                 Dload  Upload   Total   Spent    Left  Speed
+19.7M  100 19.7M    0     0   9.7M      0  0:00:02  0:00:02 --:--:--  9.7M
++ PATH=/home/docker/bin:/home/docker/bin:/usr/local/bin:/usr/bin:/bin
++ /home/docker/bin/dockerd-rootless-setuptool.sh install --force
+[INFO] Creating /home/docker/.config/systemd/user/docker.service
 [INFO] starting systemd service docker.service
 + systemctl --user start docker.service
@@ Zeile 52: / Zeile 130: @@
 + systemctl --user --no-pager --full status docker.service
 ● docker.service - Docker Application Container Engine (Rootless)
-    Loaded: loaded (/srv/docker-user/.config/systemd/user/docker.service; disabled; vendor preset: disabled)
+     Loaded: loaded (/home/docker/.config/systemd/user/docker.service; disabled; vendor preset: disabled)
-    Active: active (running) since Tue 2023-12-19 17:53:39 CET; 3s ago
+     Active: active (running) since Sat 2024-04-20 15:25:04 CEST; 3s ago
-      Docs: https://docs.docker.com/go/rootless/
+       Docs: https://docs.docker.com/go/rootless/
-  Main PID: 6774 (rootlesskit)
+   Main PID: 3270 (rootlesskit)
-    CGroup: /user.slice/user-1001.slice/user@1001.service/app.slice/docker.service
+      Tasks: 49
-            ├─ 6774 rootlesskit --net=slirp4netns --mtu=65520 --slirp4netns-sandbox=auto --slirp4netns-seccom
+     Memory: 60.3M
-p=auto --disable-host-loopback --port-driver=builtin --copy-up=/etc --copy-up=/run --propagation=rslave /usr/b
+        CPU: 224ms
-in/dockerd-rootless.sh
+     CGroup: /user.slice/user-1001.slice/user@1001.service/app.slice/docker.service
-            ├─ 6785 /proc/self/exe --net=slirp4netns --mtu=65520 --slirp4netns-sandbox=auto --slirp4netns-sec
+             ├─ 3270 rootlesskit --state-dir=/run/user/1001/dockerd-rootless --net=vpnkit --mtu=1500 --slirp4netns-sandbox=auto --slirp4netns-seccomp=auto --disable-host-loopback --port-driver=builtin --copy-up=/etc --copy-up=/run --propagation=rslave /home/docker/bin/dockerd-rootless.sh
-comp=auto --disable-host-loopback --port-driver=builtin --copy-up=/etc --copy-up=/run --propagation=rslave /us
+             ├─ 3277 /proc/self/exe --state-dir=/run/user/1001/dockerd-rootless --net=vpnkit --mtu=1500 --slirp4netns-sandbox=auto --slirp4netns-seccomp=auto --disable-host-loopback --port-driver=builtin --copy-up=/etc --copy-up=/run --propagation=rslave /home/docker/bin/dockerd-rootless.sh
-r/bin/dockerd-rootless.sh
+             ├─ 3290 vpnkit --ethernet /run/user/1001/dockerd-rootless/vpnkit-ethernet.sock --mtu 1500 --host-ip 0.0.0.0
-            ├─ 6804 slirp4netns --mtu 65520 -r 3 --disable-host-loopback --enable-sandbox --enable-seccomp 67
+             ├─ 3306 dockerd
-tap0
+             └─ 3327 containerd --config /run/user/1001/docker/containerd/containerd.toml
-            ├─ 6811 dockerd
-            └─ 6833 containerd --config /run/user/1001/docker/containerd/containerd.toml
 + DOCKER_HOST=unix:///run/user/1001/docker.sock
-+ /usr/bin/docker version
++ /home/docker/bin/docker version
 Client:
-Version:           24.0.7-ce
+ Version:           25.0.2
-API version:       1.43
+ API version:       1.44
-Go version:        go1.20.12
+ Go version:        go1.21.6
-Git commit:        311b9ff0aa93
+ Git commit:        29cf629
-Built:             Fri Oct 27 12:00:00 2023
+ Built:             Thu Feb  1 00:22:06 2024
-OS/Arch:           linux/amd64
+ OS/Arch:           linux/amd64
-Context:           default
+ Context:           default
-Server:
+Server: Docker Engine - Community
-Engine:
+ Engine:
- Version:          24.0.7-ce
+  Version:          25.0.2
- API version:      1.43 (minimum version 1.12)
+  API version:      1.44 (minimum version 1.24)
- Go version:       go1.20.12
+  Go version:       go1.21.6
- Git commit:       311b9ff0aa93
+  Git commit:       fce6e0c
- Built:            Fri Oct 27 12:00:00 2023
+  Built:            Thu Feb  1 00:23:45 2024
- OS/Arch:          linux/amd64
+  OS/Arch:          linux/amd64
- Experimental:     false
+  Experimental:     false
-containerd:
+ containerd:
- Version:          v1.7.8
+  Version:          v1.7.13
- GitCommit:        8e4b0bde866788eec76735cc77c4720144248fb7
+  GitCommit:        7c3aca7a610df76212171d200ca3811ff6096eb8
-runc:
+ runc:
- Version:          1.1.10
+  Version:          1.1.12
- GitCommit:        v1.1.10-0-g18a0cb0f32bc
+  GitCommit:        v1.1.12-0-g51d5e94
-docker-init:
+ docker-init:
- Version:          0.1.7_catatonit
+  Version:          0.19.0
- GitCommit:
+  GitCommit:        de40ad0
-rootlesskit:
+ rootlesskit:
- Version:          1.1.1
+  Version:          2.0.0
- ApiVersion:       1.1.1
+  ApiVersion:       1.1.1
- NetworkDriver:    slirp4netns
+  NetworkDriver:    vpnkit
- PortDriver:       builtin
+  PortDriver:       builtin
- StateDir:         /tmp/rootlesskit687654985
+  StateDir:         /run/user/1001/dockerd-rootless
-slirp4netns:
+ vpnkit:
- Version:          1.2.0
+  Version:          7f0eff0dd99b576c5474de53b4454a157c642834
- GitCommit:        unknown
 + systemctl --user enable docker.service
-Created symlink /srv/docker-user/.config/systemd/user/default.target.wants/docker.service → /srv/docker-user/.
+Created symlink /home/docker/.config/systemd/user/default.target.wants/docker.service → /home/docker/.config/systemd/user/docker.service.
-config/systemd/user/docker.service.
 [INFO] Installed docker.service successfully.
 [INFO] To control docker.service, run: `systemctl --user (start|stop|restart) docker.service`
@@ Zeile 118: / Zeile 192: @@
 [INFO] Make sure the following environment variable(s) are set (or add them to ~/.bashrc):
-export PATH=/usr/bin:$PATH
+export PATH=/home/docker/bin:$PATH
 [INFO] Some applications may require the following environment variable too:
 export DOCKER_HOST=unix:///run/user/1001/docker.sock
-</file>
+</code>
-So, this looks nice.
+So, this looks very nice. **Important:**  Do what the Installation says with the file ''~/.bashrc''
-Mind, that now your volumes are under ''/srv/docker-user/.local/share/docker/volumes ''what may not be wanted. i would suggest, that you specify other volumes-directories in the yml-files for each service.
+===== Check Docker install =====
-==== Optional Docker- Directory ====
+Log out of docker user if you are still in from install. Then, log back in to apply the bashrc- settings.
+Ceck the Environement to have the settings:
+<code>
+docker@pcserver2023:~> Abgemeldet
+Connection to localhost closed.
+obel1x@pcserver2023:~> ssh localhost -l docker
+Password:
+Last login: Sat Apr 20 15:18:56 2024 from ::1
+Have a lot of fun...
+docker@pcserver2023:~> echo $DOCKER_HOST
+unix:///run/user/1001/docker.sock
+</code>
+Now check ''docker info'':
+<code>
+docker@pcserver2023:~> docker info
+Client:
+ Version:    25.0.2
+ Context:    default
+ Debug Mode: false
+Server:
+ Containers: 0
+  Running: 0
+  Paused: 0
+  Stopped: 0
+ Images: 0
+ Server Version: 25.0.2
+ Storage Driver: overlay2
+  Backing Filesystem: xfs
+  Supports d_type: true
+  Using metacopy: false
+  Native Overlay Diff: false
+  userxattr: true
+ Logging Driver: json-file
+ Cgroup Driver: systemd
+ Cgroup Version: 2
+ Plugins:
+  Volume: local
+  Network: bridge host ipvlan macvlan null overlay
+  Log: awslogs fluentd gcplogs gelf journald json-file local splunk syslog
+ Swarm: inactive
+ Runtimes: io.containerd.runc.v2 runc
+ Default Runtime: runc
+ Init Binary: docker-init
+ containerd version: 7c3aca7a610df76212171d200ca3811ff6096eb8
+ runc version: v1.1.12-0-g51d5e94
+ init version: de40ad0
+ Security Options:
+  seccomp
+   Profile: builtin
+  rootless
+  cgroupns
+ Kernel Version: 5.14.21-150500.55.52-default
+ Operating System: openSUSE Leap 15.5
+ OSType: linux
+ Architecture: x86_64
+ CPUs: 8
+ Total Memory: 30.79GiB
+ Name: pcserver2023
+ ID: 45699224-ea9c-4865-8dea-a53bb20b788c
+ Docker Root Dir: /home/docker/.local/share/docker
+ Debug Mode: false
+ Experimental: false
+ Insecure Registries:
+.0.0.0/8
+ Live Restore Enabled: false
+ Product License: Community Engine
+</code>
+==== Additional knowledge ====
+  * Storage driver and FS-Type : overlay2 should always be used, btrfs is outdated! XFS and d_type are important!
+  * CGroup Version needs to be 2 or better
+  * If you see Docker complaining about Module aufs at start: do not care about - that module is obsolete
+===== IP-Filter =====
+When starting Docker, an the log says:
+<code>
+level=warning msg="Running modprobe bridge br_netfilter failed with message: modprobe: ERROR: could not insert 'br_netfilter': Operation not permitted\ninsmod /lib/modul>
+level=info msg="skipping firewalld management for rootless mode"
+</code>
+You first need to load the module with modprobe.
+For system startup, use ''/etc/modules-load.d''  and creat e a file ''docker-rootless.conf''  in it, containing that module.
+===== IPTables =====
+If you see ''docker info''  saying:
+<code>
+WARNING: bridge-nf-call-iptables is disabled
+WARNING: bridge-nf-call-ip6tables is disabled
+</code>
+This should be fixed by:
+<code>
+# sudo echo "net.bridge.bridge-nf-call-iptables = 1">> /etc/sysctl.conf
+# sudo echo "net.bridge.bridge-nf-call-ip6tables = 1">> /etc/sysctl.conf
+# sudo modprobe br_netfilter
+# sudo sysctl --system
+</code>
+===== Configuring Docker Daemon =====
 in rootless-mode, the file to configure docker is here:
@@ Zeile 134: / Zeile 324: @@
 ''~/.config/docker/daemon.json''
-by default, the path and the file is not existent, create it with the user.
+**by default, the path and the file is not existent, __create it new__ within the docker user**.
-For example use another directory für your data in that file:
+For example, enable IPv6. See [[https://docs.docker.com/config/daemon/ipv6/|https://docs.docker.com/config/daemon/ipv6/]] for details.
 <file>
 {
- "log-level": "warn",
+ "ipv6": true,
- "log-driver": "json-file",
- "experimental": true,
  "ip6tables": true,
- "data-root": "/srv/docker",
+ "fixed-cidr-v6": "fd12:3456:1:::/48",
- "storage-driver": "overlay2",
+ "iptables": true,
+ "fixed-cidr": "172.1.0.0/16",
  "log-opts": {
    "max-size": "10m",
@@ Zeile 154: / Zeile 343: @@
 </file>
-Here, ipv6 support has been turned on. See [[https://docs.docker.com/config/daemon/ipv6/|https://docs.docker.com/config/daemon/ipv6/]] for details.
+Notice: Don't use ''userns-remap'' - this won't work and makes no sense in rootless!
-Notice: Don't use ''userns-remap'' - this won't work and makes no sense.
+Edit: "experimental": true has been removed for ipv6 with docker v27.
+You need to adjust cidr to some unique ULA. ULAs are non internet routable adresses (like 192.X.X.X in ipv4). Select an unique adress only for that internal Docker network - you can choose anything that is not assigned anywhere else on your network to not cause trouble.
-===== Filesystem Layout =====
+Maybe use this tool to generate: [[https://www.unique-local-ipv6.com|https://www.unique-local-ipv6.com]]
-Mind, that at the time writing ''overlay2'' is the way to go as storage driver in docker, but it only supports xfs as backing filesystems (with ''d_type=true'' which means ''ftype=1'' ).
-For checking which filesystem is in use, see ''docker info'', lines under ''Storage Driver'':
+==== The default Network is not IPV6- enabled by default ====
-<file>
-Storage Driver: overlay2
- Backing Filesystem: xfs
- Supports d_type: true
- Using metacopy: false
- Native Overlay Diff: false
- userxattr: true
-</file>
+If you specify no network, or use the network: default - than as the time of writing, IPV6 will not be enabled by default.
-If you create a XFS-Filesystem with Leap 15.5 it will have ''ftype=1'' set, check output of ''xfs_info <volumename>''
+So, in your docker-compose.yml you need the lines:
+<file>
-For me, i like btrfs a bit more than xfs, so i chose to have three different locations for docker on two filesystems (which are raided lvms. Check out the other docs here):
+networks:
+# Still needs to be defined while without it won't enable ipv6
-<file>
+  default:
-#> mount | grep /srv
+    driver: bridge
-/dev/mapper/vgdata-lvdata on /srv type btrfs (rw,noatime,nodiratime,compress=zstd:3,space_cache,autodefrag,subvolid=5,subvol=/)
+    enable_ipv6: true
-/dev/mapper/vgdata-lvdocker on /srv/docker type xfs (rw,**noexec**,noatime,nodiratime,attr2,inode64,logbufs=8,logbsize=32k,sunit=128,swidth=256,noquota)
 </file>
-and in /srv i have
+===== Networking in Docker rootless =====
-<file>
-#> ls /srv/ | grep docker
+If you read docs in the net about networking with Docker you may see docker0 as bridge network. While this network is also there in docker rootless, you will not find that network as interface on your host like you would on a rootful docker.
-docker #-> for storing docker-data using xfs
-docker-compose #-> for my yaml-files
-docker-user #-> this is the home of the docker user, containing the executables in user-space
-</file>
+Instead the network is encapsulated in the environement of rootlesskit and not visible to the host. From the Hosts view Docker is just another Application running on your Host talking to the internet like some app would do.
-==== ... and the permissions of the files ====
+===== Performance =====
-For me i would like the files only be read/writeable for user docker and group docker, which is very safe:
+when you install pasta- networking driver, you can edit your docker systemd and use a much improved networking-driver.
+Also you can make Docker a higher Priority and Nice-Value:
 <code>
-#:~ # cd /srv
+docker@server:~> systemctl --user edit docker.service
-#:/srv # chown docker docker* -R
-#:/srv # chgrp docker docker* -R
+[Service]
-#:/srv # setfacl -m d:u::rwX -R docker*
+# Higher Prio for Docker
-#:/srv # setfacl -m d:g::rwX -R docker*
+Nice=10
-#:/srv # setfacl -m d:o::--- -R docker*
+IOSchedulingClass=best-effort
-#:/srv # setfacl -m u::rwX -R docker*
+IOSchedulingPriority=7
-#:/srv # setfacl -m g::rwX -R docker*
+# Use Pasta- network Driver (of your Host - Pasta needs to be installed)
-#:/srv # setfacl -m o::--- -R docker*
+Environment="DOCKERD_ROOTLESS_ROOTLESSKIT_NET=pasta"
+Environment="DOCKERD_ROOTLESS_ROOTLESSKIT_PORT_DRIVER=implicit"
+Environment="DOCKERD_ROOTLESS_ROOTLESSKIT_FLAGS=--ipv6"
 </code>
-That way, others do not have any access to the files or folders.
+===== Install docker compose =====
-=== Compatibility Mode ===
+**This Chapter may be obsolete as since docker v27 the compose plugin is part of installation script - check your output of ''docker info''  for the installed Plugins and if ''docker compose version''  already has a version. If so, skip this.**
-There are Dockers out there, that are not aware of rootless-modes. One example (date up to now) is phpmyadmin. It will create files in docker-start- script and they will have the default permissions - which are safe, but now won't work any more.
+The command ''docker-compose''  has been obsoleted and been replaced by a plugin ''compose''  for docker (see [[https://docs.docker.com/compose/install/|https://docs.docker.com/compose/install/]]).
-So you may change the default for others to be readable:
+Installing it the manual way:
+Edit the File ''~/.bashrc''  and add:
 <code>
-#:~ # cd /srv
-#:/srv # setfacl -m d:o::r-X -R /srv/docker
+export DOCKER_CONFIG=${DOCKER_CONFIG:-$HOME/.docker}
-#:/srv # setfacl -m o::r-X -R /srv/docker
-#:/srv # setfacl -m d:o::--- -R /srv/docker/volumes
-#:/srv # setfacl -m o::--- -R /srv/docker/volumes
 </code>
-The docker- daemon will create all files that are downloaded and created in a container as the facls are set if not forced to have other permissions by the docker-app itself.
+Then relog to the docker user and do as the doc says to install and check you install:
-=== Volume- Permissions ===
+<code>
+docker@pcserver2023:~> mkdir -p $DOCKER_CONFIG/cli-plugins
+docker@pcserver2023:~> curl -SL https://github.com/docker/compose/releases/download/v2.26.1/docker-compose-linux-x86_64 -o $DOCKER_CONFIG/cli-plugins/docker-compose
+  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
+                                 Dload  Upload   Total   Spent    Left  Speed
+     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
+59.8M  100 59.8M    0     0  9951k      0  0:00:06  0:00:06 --:--:-- 11.4M
+docker@pcserver2023:~> chmod +x $DOCKER_CONFIG/cli-plugins/docker-compose
+docker@pcserver2023:~> docker compose version
+Docker Compose version v2.26.1
+docker@pcserver2023:~>
-Usually all the data- files are kept in Volumes. Unfortunatelly, docker does not care about linux acls and user permissions in Volumes - or to be more precise: it overwrites them.
+</code>
-So if you would like to have your files really secured from other user, you can create the volume with an umask - e.g.:
+Your done with the compose plugin
-''docker volume create portainer_data –opt o=umask=0007'' \\
+===== Update =====
-That would make all files in the Volume have the right permissions.
-In Docker-Compose use this in your yml:
+If you want to update your docker- installation, there is not update- process but to use the same script again:
-<code>
+<file>
-volumes:
+#!/bin/bash
-  volumename:
+#Upgrade docker rootless and plugin
-    driver_opts:
+./docker_stop_all.sh
-      device: ""
+sleep 5
-      type: ""
+systemctl --user stop docker
-      o: "umask=0007"
+sleep 5
+#uninstall
+rm -f ~/bin/dockerd
+rm ~/.config/systemd/user/docker.service.bak
+mv ~/.config/systemd/user/docker.service ~/.config/systemd/user/docker.service.bak
+#reinstall docker compose
+COMPOSE_VER='2.32.4'
+rm $DOCKER_CONFIG/cli-plugins/docker-compose
+echo "Download Docker Compose Release ${COMPOSE_VER} - please check at https://github.com/docker/compose/releases for the newes Version and change this File"
+curl -SL https://github.com/docker/compose/releases/download/v${COMPOSE_VER}/docker-compose-linux-x86_64 -o $DOCKER_CONFIG/cli-plugins/docker-compose
+chmod +x $DOCKER_CONFIG/cli-plugins/docker-compose
+#install docker
+curl -fsSL https://get.docker.com/rootless | sh
+#need to give the new binary permissions to acces privileged network ports (beneath 1024)
+sudo setcap 'cap_net_bind_service=+ep' ~/bin/rootlesskit
+#this should be everything
+docker info
-</code>
+</file>
-Device and type need to be there, but can be empty to use default values.
+===== Create a place for Yamls =====
+Now, that you have compose, you can use it to setup your services with YAML- Files. Each service should have a directory for its own.
+Make a directory with ''mkdir ~/docker_compose''  and change to it.
 ===== First Docker App: Portainer =====
-Now - finally its time for our first running Container. As the Portainer- App is the most important Management- Software in Docker, let's run it in a safe userspaced way now.
+Now - finally its time for our first running Container. As the Portainer- App is an important Management- Software in Docker for inexperienced users, let's run it in a safe userspaced way now.
-As always, SSH into your docker- user and than create the folders and yml-files for portainer.
+As always, SSH into your docker- user and than create the folders and yml-files for docker compose and portainer.
+<code>
-<code>
 obel1x@server:~> ssh localhost -l docker
 Password:
-docker@server:~> cd /srv/docker-compose/
+docker@pcserver2023:~> cd ~/docker_compose
-docker@server:~> mkdir portainer
+docker@pcserver2023:~/docker_compose> mkdir portainer
-docker@server:/srv/docker-compose> cd portainer
+docker@pcserver2023:~/docker_compose> cd portainer
-docker@server:/srv/docker-compose/portainer> getfacl .
+docker@pcserver2023:~/docker_compose> touch docker-compose.yml
-# file: .
+docker@pcserver2023:~/docker_compose>
-# owner: docker
-# group: docker
-user::rwx
-group::rwx
-other::---
-default:user::rwx
-default:group::rwx
-default:other::---
-docker@server:/srv/docker-compose/portainer> touch docker-compose.yml
 </code>
-put the following into that file:
+Put the following into that file:
 <file>
-version: "3.8"
 services:
  portainer:
-   restart: unless-stopped
+   restart: always
    image: portainer/portainer-ce
    ports:
      - 9000:9000
+     - 9433:9433
    volumes:
      - portainer_data:/data
@@ Zeile 299: / Zeile 496: @@
 volumes:
  portainer_data:
-   driver_opts:
-     device: ""
-     type: ""
-     o: "umask=0007"
 </file>
-now start your app:
+Check, that the Socket- Path is the correct one.
-<code>
+Now start your app and look the magic:
-docker@server:~> docker-compose up -d
-[...]
-⠿ Container portainer-portainer-1    Started
-</code>
-Check the volume has been created at the right location and do have the right umask set:
 <code>
-docker@server:~> docker volume inspect portainer_portainer_data
+docker@pcserver2023:~/docker_compose/portainer> docker compose up -d
-[
+[+] Running 12/12
-{
+ ✔ portainer Pulled                                                                                                            17.6s
-"CreatedAt": "2023-12-21T09:37:16+01:00",
+   ✔ 379538b6d68e Pull complete                                                                                                 0.5s
-"Driver": "local",
+   ✔ 4ea3e2c3a39b Pull complete                                                                                                 0.5s
-"Labels": {
+   ✔ 5171176db7f2 Pull complete                                                                                                 3.8s
-"com.docker.compose.project": "portainer",
+   ✔ 52e9438966a5 Pull complete                                                                                                 6.5s
-"com.docker.compose.version": "2.14.2",
+   ✔ 43d4775415ac Pull complete                                                                                                 6.7s
-"com.docker.compose.volume": "portainer_data"
+   ✔ c1cad9f5200f Pull complete                                                                                                 9.6s
-},
+   ✔ 22eab514564f Pull complete                                                                                                 7.1s
-"Mountpoint": "**/srv/docker/volumes/portainer_portainer_data/_data**",
+   ✔ 962b9fa821a2 Pull complete                                                                                                10.0s
-"Name": "portainer_portainer_data",
+   ✔ c153fefda5ce Pull complete                                                                                                10.9s
-"Options": {
+   ✔ bed990c4615b Pull complete                                                                                                10.2s
-"device": "_ckgedit>,
+   ✔ 4f4fb700ef54 Pull complete                                                                                                10.5s
-**"o": "umask=0007"**,
+[+] Running 3/3
-"type": "_ckgedit>
+ ✔ Network portainer_default          Created                                                                                   0.2s
-},
+ ✔ Volume "portainer_portainer_data"  Created                                                                                   0.1s
-"Scope": "local"
+ ✔ Container portainer-portainer-1    Started                                                                                   0.3s
-}
+docker@pcserver2023:~/docker_compose/portainer>
-]
 </code>
-and finally if the files have been created only readable by the user:
+Now you can go to [[http://localhost:9000|http://localhost:9000]] and pick a password to finish the setup of Portainer using the local Environment and enjoy the docker-party:
-<code>
+{{  :content:serverbasics:screenshot_20231221_101150.png?968x260  }}
-ls /srv/docker/volumes/portainer_portainer_data/* -l -R
--rw——- 1 docker docker 77 21. Dez 09:37 /srv/docker/volumes/portainer_portainer_data/opts.json
-/srv/docker/volumes/portainer_portainer_data/_data:
+Thats all: Docker is running and serving your services, cheers!
-insgesamt 40
-drwx——+ 2 docker docker 6 21. Dez 09:37 bin
-drwx——+ 2 docker docker 37 21. Dez 09:37 certs
-drwx——+ 2 docker docker 29 21. Dez 09:37 chisel
-drwx——+ 2 docker docker 6 21. Dez 09:37 compose
-drwx——+ 2 docker docker 25 21. Dez 09:37 docker_config
--rw——- 1 docker docker 65536 21. Dez 09:37 portainer.db
--rw——- 1 docker docker 227 21. Dez 09:37 portainer.key
--rw——- 1 docker docker 190 21. Dez 09:37 portainer.pub
-drwx——+ 2 docker docker 6 21. Dez 09:37 tls
-/srv/docker/volumes/portainer_portainer_data/_data/bin:
+===== Fast Stop of all Containers =====
-insgesamt 0
-/srv/docker/volumes/portainer_portainer_data/_data/certs:
+This makes life easy ''docker_stop_all.sh'':
-insgesamt 8
+<file>
--rw——- 1 docker docker 518 21. Dez 09:37 cert.pem
+#!/bin/bash
--rw——- 1 docker docker 227 21. Dez 09:37 key.pem
+docker stop $(docker ps -a -q)
+docker rm $(docker ps -a -q)
-/srv/docker/volumes/portainer_portainer_data/_data/chisel:
+</file>
-insgesamt 4
+===== Find the latest Commit in git =====
--rw——- 1 docker docker 227 21. Dez 09:37 private-key.pem
-/srv/docker/volumes/portainer_portainer_data/_data/compose:
+Sometimes the Repository does not offer a latest Tatg, so its hard to find the right Tag to use. Maybe this coding helps (not testet wheter to get the right commitid for the Image):
-insgesamt 0
-/srv/docker/volumes/portainer_portainer_data/_data/docker_config:
+<code>
-insgesamt 4
+ if [ -z ${TVHEADEND_COMMIT+x} ]; then \
--rw-r—– 1 docker docker 389 21. Dez 09:37 config.json
+    TVHEADEND_COMMIT=$(curl -sX GET https://api.github.com/repos/tvheadend/tvheadend/commits/master \
+    | jq -r '. | .sha'); \
-/srv/docker/volumes/portainer_portainer_data/_data/tls:
+  fi && \
-insgesamt 0
 </code>
-this is amazing, right ;) ?
-Now you can go to [[http://localhost:9000|http://localhost:9000]] and finish the setup of Portainer using the local environement and enjoy the docker-party:
-{{  .:screenshot_20231221_101150.png?968x260  }}
-Thats all here, cheers!