obel1x.de

Benutzer-Werkzeuge

Webseiten-Werkzeuge

Du befindest dich hier: start » content » serverbasics » docker
Zuletzt angesehen:
content:serverbasics:docker

Unterschiede

Hier werden die Unterschiede zwischen zwei Versionen der Seite angezeigt.

Link zu der Vergleichsansicht

Beide Seiten, vorherige ÜberarbeitungVorherige Überarbeitung
Nächste Überarbeitung		Vorherige Überarbeitung
content:serverbasics:docker [2024/08/03 21:54] – [Configuring Docker Daemon] obel1xcontent:serverbasics:docker [2026/03/01 11:44] (aktuell) – [Fast Stop of all Containers] obel1x
Zeile 9: Zeile 9:
 __**Warning: This is a very strong advise NOT to use docker default in rootmode at all! **__  The reason is, that any service is able to talk to the Docker Daemon if there is a connection to the Docker socket in the Volumes (which some services require) - or simply if thers a bug somewhere. By that way, the Docker Container will be able to set up ANY service and bind ANY location on the Host, that the docker user may be able to see. So if the Service gets taken over and the service ist runnig as root… you know where you are. __**Warning: This is a very strong advise NOT to use docker default in rootmode at all! **__  The reason is, that any service is able to talk to the Docker Daemon if there is a connection to the Docker socket in the Volumes (which some services require) - or simply if thers a bug somewhere. By that way, the Docker Container will be able to set up ANY service and bind ANY location on the Host, that the docker user may be able to see. So if the Service gets taken over and the service ist runnig as root… you know where you are.
  
-So just: Don't set up Docker rootful at all if possible. +So just: Don't set up Docker rootfull at all if possible - its even not neeeded nowadays.
  
 ===== Filesystem Layout ===== ===== Filesystem Layout =====
  
-Mind, that at the time writing, ''overlay2'' is the way to go as storage driver in docker, but it only supports xfs as backing filesystems (with ''d_type=true'' which means ''ftype=1'' ).+Mind, that at the time writing, ''overlay2'' is the way to go as storage driver in docker, but it only supports xfs as backing filesystems (with ''d_type=true'' which means ''ftype=1''for full support.
  
-I personally dislike xfs, especially while its not rubust and won't shrink. I use it anyway, because of its srong advise to do so - with kernel 5.19+ it should be possible to get overlay2 working on btrfs, but still there are things that may not work even with that kernel.+I personally dislike xfs, especially while its not rubust and won't shrink. I use it anyway, because of its srong advise to do so - with kernel 5.19+ it should be possible to get overlay2 working on btrfs, but still there are things that may not work even with that kernel - in the worst case, docker is unable to unlink files, so there will be huge Containers and Volumes and maybe Services will break.
  
 So make sure, that the Home-Directory of you docker user is on XFS. The ftype is already ok on SuSE 15.5, check output of ''xfs_info <volumename>''. So make sure, that the Home-Directory of you docker user is on XFS. The ftype is already ok on SuSE 15.5, check output of ''xfs_info <volumename>''.
  
-Warning: you may have umask set your way - i prefer 007 as writte before. But if you change umask and permissions be very cautious, as docker uses userid- mapping and may change the permissions and ownersets of files in its directory to the subuserid.+Warning: you may have umask set your way - i prefer 007 as written before. But if you change umask and permissions be very cautious, as docker uses userid- mapping and may change the permissions and ownersets of files in its directory to the subuserid.
  
 That may change the ownership in a way, that even the docker user on the host cannot access the Files, which is OK ! That may change the ownership in a way, that even the docker user on the host cannot access the Files, which is OK !
  
-__**STRONG WARNING: Don't change permissions or ownership of docker- directories on the Host directly as this will chage them in the container and break your Services !!!**__+__**STRONG WARNING: Don't change permissions or ownership of docker- directories on the Host directly as this will change them in the container, making them unavaiable and break your Services !!!**__
  
 __**The only way to manage Volume- File- Permissions is to bash inside the running container itself and to change them there (to the right values of course)!**__ __**The only way to manage Volume- File- Permissions is to bash inside the running container itself and to change them there (to the right values of course)!**__
  
 +A short hint: Docker rootless uses Sub(g)uids, which is a feature of Linux. That means each user has a range of userids (quite a huge range) and groupid which the user may use. Those will be exclusive reserved for that user. But it does not mean, that the User can acces the Files created by those Subuids! Also the UIDs are onyl a number - not a real user in Linux having a username- They cannot be used to logon or to work with. Docker manages internally which Host-Subuserid is assigned to which caontainer and to which userid inside the running container/service. Inside the Container, you may become that user having a real username and a (different) uid.
 +
 +===== Which Devices / Raid- Level =====
 +
 +I strongly do not advise to use Raid5 with classical harddrives to run docker on it. If you plan to have large Data in /home/docker and you want to use xfs + Raid5 to better use your drive- space, than you should use another disc for the overlays of docker.
 +
 +For me, i switched to RAID1 on SSD an mounted that to /home/docker/.local - where all Docker files will be stored. Large Data is than stored somewhere else if needed.
  
 ===== Packages NOT to install ===== ===== Packages NOT to install =====
Zeile 43: Zeile 49:
 ===== Docker- User ===== ===== Docker- User =====
  
-Create a new **group** called **docker** and a new **user** called **docker**. Make the user is in the **default group docker**.+Create a new **group**  called **docker**  and a new **user**  called **docker**. Make the user is in the **default group docker**.
  
 Attention: The Home Directory should be on a volume having XFS as btrfs or others are not fully supported right now (20.04.2024 - patches in new Kernel 5.19 are incoming, but this Kernel is not released until now and still there are some problems open in developement there). Attention: The Home Directory should be on a volume having XFS as btrfs or others are not fully supported right now (20.04.2024 - patches in new Kernel 5.19 are incoming, but this Kernel is not released until now and still there are some problems open in developement there).
- 
  
 ===== cGroups v2 ===== ===== cGroups v2 =====
Zeile 325: Zeile 330:
  
 { {
- "ip6tables": true, 
  "ipv6": true,  "ipv6": true,
- "fixed-cidr-v6": "fd12:3456:789a:1::/64",+ "ip6tables": true, 
 + "fixed-cidr-v6": "fd12:3456:1:::/48", 
 + "iptables": true, 
 + "fixed-cidr": "172.1.0.0/16",
  "log-opts": {  "log-opts": {
    "max-size": "10m",    "max-size": "10m",
Zeile 342: Zeile 349:
 You need to adjust cidr to some unique ULA. ULAs are non internet routable adresses (like 192.X.X.X in ipv4). Select an unique adress only for that internal Docker network - you can choose anything that is not assigned anywhere else on your network to not cause trouble. You need to adjust cidr to some unique ULA. ULAs are non internet routable adresses (like 192.X.X.X in ipv4). Select an unique adress only for that internal Docker network - you can choose anything that is not assigned anywhere else on your network to not cause trouble.
  
-Maybe use this tool to generate: https://www.unique-local-ipv6.com+Maybe use this tool to generate: [[https://www.unique-local-ipv6.com|https://www.unique-local-ipv6.com]] 
 + 
 + 
 +==== The default Network is not IPV6- enabled by default ==== 
 + 
 +If you specify no network, or use the network: default - than as the time of writing, IPV6 will not be enabled by default. 
 + 
 +So, in your docker-compose.yml you need the lines: 
 +<file> 
 + 
 +networks: 
 +# Still needs to be defined while without it won't enable ipv6 
 +  default: 
 +    driver: bridge 
 +    enable_ipv6: true 
 + 
 +</file>
  
 ===== Networking in Docker rootless ===== ===== Networking in Docker rootless =====
  
-If you read docs in the net about networking with Docker you may see docker0 as bridge network. While+If you read docs in the net about networking with Docker you may see docker0 as bridge network. While this network is also there in docker rootless, you will not find that network as interface on your host like you would on a rootful docker.
  
 +Instead the network is encapsulated in the environement of rootlesskit and not visible to the host. From the Hosts view Docker is just another Application running on your Host talking to the internet like some app would do.
 +
 +===== Performance =====
 +
 +when you install pasta- networking driver, you can edit your docker systemd and use a much improved networking-driver.
 +
 +Also you can make Docker a higher Priority and Nice-Value:
 +
 +<code>
 +docker@server:~> systemctl --user edit docker.service
 +
 +[Service]
 +# Higher Prio for Docker
 +Nice=10
 +IOSchedulingClass=best-effort
 +IOSchedulingPriority=7
 +# Use Pasta- network Driver (of your Host - Pasta needs to be installed)
 +Environment="DOCKERD_ROOTLESS_ROOTLESSKIT_NET=pasta"
 +Environment="DOCKERD_ROOTLESS_ROOTLESSKIT_PORT_DRIVER=implicit"
 +Environment="DOCKERD_ROOTLESS_ROOTLESSKIT_FLAGS=--ipv6"
 +
 +</code>
  
 ===== Install docker compose ===== ===== Install docker compose =====
 +
 +**This Chapter may be obsolete as since docker v27 the compose plugin is part of installation script - check your output of ''docker info''  for the installed Plugins and if ''docker compose version''  already has a version. If so, skip this.**
  
 The command ''docker-compose''  has been obsoleted and been replaced by a plugin ''compose''  for docker (see [[https://docs.docker.com/compose/install/|https://docs.docker.com/compose/install/]]). The command ''docker-compose''  has been obsoleted and been replaced by a plugin ''compose''  for docker (see [[https://docs.docker.com/compose/install/|https://docs.docker.com/compose/install/]]).
Zeile 387: Zeile 434:
 #!/bin/bash #!/bin/bash
 #Upgrade docker rootless and plugin #Upgrade docker rootless and plugin
 +./docker_stop_all.sh
 +sleep 5
 systemctl --user stop docker systemctl --user stop docker
 +sleep 5
 +#uninstall
 rm -f ~/bin/dockerd rm -f ~/bin/dockerd
 +rm ~/.config/systemd/user/docker.service.bak
 +mv ~/.config/systemd/user/docker.service ~/.config/systemd/user/docker.service.bak
 +#reinstall docker compose
 +COMPOSE_VER='2.32.4'
 +rm $DOCKER_CONFIG/cli-plugins/docker-compose
 +echo "Download Docker Compose Release ${COMPOSE_VER} - please check at https://github.com/docker/compose/releases for the newes Version and change this File"
 +curl -SL https://github.com/docker/compose/releases/download/v${COMPOSE_VER}/docker-compose-linux-x86_64 -o $DOCKER_CONFIG/cli-plugins/docker-compose
 +chmod +x $DOCKER_CONFIG/cli-plugins/docker-compose
 +#install docker
 curl -fsSL https://get.docker.com/rootless | sh curl -fsSL https://get.docker.com/rootless | sh
 #need to give the new binary permissions to acces privileged network ports (beneath 1024) #need to give the new binary permissions to acces privileged network ports (beneath 1024)
 sudo setcap 'cap_net_bind_service=+ep' ~/bin/rootlesskit sudo setcap 'cap_net_bind_service=+ep' ~/bin/rootlesskit
- +#this should be everything 
-If you installed docker compose, check the newest version first at https://github.com/docker/compose/releases/latest +docker info
-curl -SL https://github.com/docker/compose/releases/download/v2.27.0/docker-compose-linux-x86_64 -o $DOCKER_CONFIG/cli-plugins/docker-compose+
  
 </file> </file>
Zeile 469: Zeile 528:
 Now you can go to [[http://localhost:9000|http://localhost:9000]] and pick a password to finish the setup of Portainer using the local Environment and enjoy the docker-party: Now you can go to [[http://localhost:9000|http://localhost:9000]] and pick a password to finish the setup of Portainer using the local Environment and enjoy the docker-party:
  
-{{  .:screenshot_20231221_101150.png?968x260  }}+{{  :content:serverbasics:screenshot_20231221_101150.png?968x260  }}
  
 Thats all: Docker is running and serving your services, cheers! Thats all: Docker is running and serving your services, cheers!
 +
 +===== Fast Stop of all Containers =====
 +
 +This makes life easy ''docker_stop_all.sh'':
 +<file>
 +#!/bin/bash
 +docker stop $(docker ps -a -q)
 +docker rm $(docker ps -a -q)
 +
 +</file>
 +===== Find the latest Commit in git =====
 +
 +Sometimes the Repository does not offer a latest Tatg, so its hard to find the right Tag to use. Maybe this coding helps (not testet wheter to get the right commitid for the Image):
 +
 +<code>
 + if [ -z ${TVHEADEND_COMMIT+x} ]; then \
 +    TVHEADEND_COMMIT=$(curl -sX GET https://api.github.com/repos/tvheadend/tvheadend/commits/master \
 +    | jq -r '. | .sha'); \
 +  fi && \
 +
 +</code>
  
  
content/serverbasics/docker.1722714861.txt.gz · Zuletzt geändert: von obel1x
Falls nicht anders bezeichnet, ist der Inhalt dieses Wikis unter der folgenden Lizenz veröffentlicht: CC0 1.0 Universal
CC0 1.0 Universal Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki