AD Research Wiki:

How to install Docker on Ubuntu 16.04

How To Install and Use Docker on Ubuntu 16.04 (very well explained + provides interesting details + it works)

Installing Wharfer on one of the AD machines

# First make sure that docker is running with user namespaces activated
> sudo vim /etc/docker/daemon.json
{
    "userns-remap": "default"
}
# Currently the remap user needs to be created per machine
# It needs to be added to /etc/subuid, /etc/subgid manually because these aren't
# automatically updated with our user management (they are on standard Ubuntu).

# If the name "default" is used docker creates a "dockremap" user.
# In this case the /etc/subuid, /etc/subgid files need to look like the following so that
# the processes in the container appear as "nobody" on the host
> sudo vim /etc/subuid
… append …
dockremap:65534:65535
> sudo vim /etc/subgid
… append …
dockremap:65534:65535

# If more security than provided by wharfer is needed (e.g. lots of students)
# also install https://github.com/ad-freiburg/docker-no-trivial-root
# Note however that its restrictions then also apply to non-wharfer docker 
# use while wharfer alone does not impact other docker use

# Install docker-no-trivial-root following the instructions in the Setup section on GitHub
https://github.com/ad-freiburg/docker-no-trivial-root#setup


# Install wharfer following the instructions in the Setup section on GitHub
https://github.com/ad-freiburg/wharfer#setup
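
A check for the user namespace setup described above, as an added example that is not part of the original wiki page or of wharfer. It verifies that daemon.json enables "userns-remap" and that /etc/subuid and /etc/subgid map container id 0 to host id 65534; the function names and the sample user "alice" are hypothetical, and only the "default" and name[:group] forms of "userns-remap" are handled.

```python
import json

NOBODY = 65534  # uid/gid of nobody/nogroup on Ubuntu, the target the page maps to

def parse_subid(text):
    """Parse /etc/subuid or /etc/subgid text into {name: [(start, count), ...]}."""
    ranges = {}
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) == 3 and not parts[0].startswith("#"):
            ranges.setdefault(parts[0], []).append((int(parts[1]), int(parts[2])))
    return ranges

def host_id(ranges, container_id):
    """Host id for a container id, or None if unmapped.
    Assumption: ranges are consumed in file order, container ids counting from 0."""
    offset = 0
    for start, count in ranges:
        if container_id < offset + count:
            return start + container_id - offset
        offset += count
    return None

def audit(daemon_json, subuid, subgid):
    """Return a list of problems; an empty list means the setup matches the page."""
    remap = json.loads(daemon_json).get("userns-remap")
    if not remap:
        return ['daemon.json: "userns-remap" not set, container root is host root']
    # "default" makes Docker use the dockremap user and group; otherwise user[:group]
    user, _, group = ("dockremap" if remap == "default" else remap).partition(":")
    problems = []
    for path, text, name in (("/etc/subuid", subuid, user),
                             ("/etc/subgid", subgid, group or user)):
        ranges = parse_subid(text).get(name)
        if not ranges:
            problems.append(f"{path}: no entry for {name}")
        elif host_id(ranges, 0) != NOBODY:
            problems.append(f"{path}: container id 0 maps to host id "
                            f"{host_id(ranges, 0)}, expected {NOBODY}")
    return problems

# Constructed sample input mirroring the files shown above
SAMPLE_DAEMON = '{"userns-remap": "default"}'
SAMPLE_SUBID = "alice:100000:65536\ndockremap:65534:65535\n"

if __name__ == "__main__":
    for problem in audit(SAMPLE_DAEMON, SAMPLE_SUBID, SAMPLE_SUBID) or ["ok"]:
        print(problem)
```

To check a real machine, pass the contents of /etc/docker/daemon.json, /etc/subuid and /etc/subgid to audit() instead of the sample strings.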

Groups and IDs

Docker uses several groups and users for different purposes. On systems where these are newly created we try to use the same UIDs and GIDs, but these should not matter as only the names are used in the relevant commands.

Docker Troubleshooting

"docker: Got permission denied while trying to connect" or "ERROR: Couldn't connect to Docker daemon" (2018-01-19)

WARNING: Membership in the docker group is de facto equivalent to root access.

We're currently working on two solutions that, combined, should in the future be relatively safe. These are wharfer and docker-no-trivial-root.

Add user to group docker and switch to that group:

sudo usermod -aG docker <username>
# Logout
# Login
newgrp docker

Can't resolve *.informatik.privat in containers

This is the following docker issue. A fix is already merged but for now the current docker version still has this problem.

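To work around this, run the following on the host (-f replaces the existing /etc/resolv.conf, without it ln fails when the file already exists):

sudo ln -sf /run/systemd/resolve/resolv.conf /etc/resolv.conf

This helps Docker find the correct DNS server and is officially supported according to the systemd-resolved(8) man page.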

Running out of disk space

This can have several reasons. First, make sure that /var is reasonably sized.

The cause could be dangling or unused images and containers. In this case, make sure every container you want to keep is running, and then do:

docker system prune

It could also be that you're logging a lot (e.g. QLever does this when there are a lot of queries).

In this case you can turn on log rotation or switch the log driver for docker.

To enable log rotation, make sure you have the following in /etc/docker/daemon.json. Add any previous content, such as the user namespace configuration, at the same level as "log-driver":

{
  "log-driver": "json-file",
  "log-opts": {
    "max-size": "10m",
    "max-file": "3"
  }
}

Alternatively you can also use "log-driver": "journald" and make sure your system journald does log rotation. However, this option has caused high CPU load in both journald and docker.

Afterwards you must recreate containers for this to take effect; restarting is not sufficient.

AD Research Wiki: HowTos/Docker (last edited 2019-01-10 15:29:42 by Niklas Schnelle)