Size: 551
Comment:
|
Size: 3696
Comment: add DNS workaround
|
Line 3: | Line 3: |
= How to install Docker on Ubuntu 16.04 = [[https://www.digitalocean.com/community/tutorials/how-to-install-and-use-docker-on-ubuntu-16-04|How To Install and Use Docker on Ubuntu 16.04]] (very well explained + provides interesting details + it works) = Installing Wharfer on one of the AD machines = {{{ # First make sure that docker is running with user namespaces activated > sudo vim /etc/docker/daemon.json { "userns-remap": "default" } # Currently the remap user needs to be created per machine # It needs to be added to /etc/subuid, /etc/subgid manually because these aren't # automatically updated with our user management (they are on standard Ubuntu). # If the name "default" is used docker creates a "dockremap" user. # In this case the /etc/subuid, /etc/subgid files need to look like the following so that # the processes in the container appear as "nobody" on the host > sudo vim /etc/subuid … append .. dockremap:65534:65535 > sudo vim /etc/subgid … append … dockremap:65534:65535 # If more security than provided by wharfer is needed (e.g. lots of students) # also install https://github.com/ad-freiburg/docker-no-trivial-root # Note however that its restrictions then also apply to non-wharfer docker # use while wharfer alone does not impact other docker use # Install docker-no-trivial-root following the instructions in the Setup section on GitHub https://github.com/ad-freiburg/docker-no-trivial-root#setup #Install wharfer following the instructions in the Setup section on GitHub https://github.com/ad-freiburg/wharfer#setup }}} = Groups and IDs = Docker several groups and users for different purposes. On systems where these are newly created we try to use the same UIDs and GIDs but these should not matter as only the names are used in relevant commands. 
* '''docker''' (group, GID 950) * Enables users in the group to access docker without sudo (owns Unix socket {{{/var/run/docker.sock}}}) * Historically different GID on: fiji (123), vulcano (998), elba (998), metropolis (998), alicudi (998), salina (121), flavus (998), rubur (998), titan (999), sirba (122), tapoa (120), tarka (130) * '''dockremap''' (user, UID 951) * User that owns the user namespace mapping used for docker containers (mapping defined in {{{/etc/subuid, /etc/subgid}}}, owns nothing) * Historically different UID on: metropolis (114), alicudi (119), tapoa (114) * '''dockremap''' (group, GID 951) * Group of the dockremap user (owns nothing) * Historically different GID on: metropolis (117), alicudi (127), tapoa (121) = Docker Troubleshooting = |
|
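Review bot: the comment in the added subuid/subgid block says the processes in the container appear as "nobody" on the host, but `dockremap:65534:65535` is `name:start:count`, so only container UID 0 lands on 65534 (nobody); container UID n becomes host UID 65534+n. The text should say so, and it should also mention that the daemon has to be restarted after editing `/etc/docker/daemon.json` and that images and containers created before `userns-remap` was enabled are no longer visible afterwards, because Docker switches to a separate per-remap-user storage directory. Minor: `#Install wharfer` is missing the space after `#`.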
Line 4: | Line 59: |
'''WARNING: This is defacto equivalent to root access''' We're currently working on two solutions that combined should in the future be relatively safe. These are [[https://github.com/ad-freiburg/wharfer|wharfer]] and [[https://github.com/ad-freiburg/docker-no-trivial-root|docker-no-trivial-root]] |
|
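Review bot: "defacto" should be "de facto". The warning would carry more weight with its reason stated in one clause: the daemon runs as root and executes whatever a client of the docker socket asks for, which is why membership in the docker group equals root.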
Line 14: | Line 74: |
== How to install docker == | == Can't resolve *.informatik.privat in containers == This is the following [[https://github.com/docker/libnetwork/issues/2068|docker issue]]. A fix is already merged but for now the current docker version still has this problem. |
Line 16: | Line 77: |
[[https://www.digitalocean.com/community/tutorials/how-to-install-and-use-docker-on-ubuntu-16-04|How To Install and Use Docker on Ubuntu 16.04]] (very well explained + provides interesting details + it works) | To workaround this on the host run {{{ sudo ln -s /run/systemd/resolve/resolv.conf /etc/resolv.conf }}} |
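Review bot: `ln -s` fails with "File exists" when `/etc/resolv.conf` is already present, which is the normal case on Ubuntu (resolvconf or systemd-resolved manage it). Use `sudo ln -sf /run/systemd/resolve/resolv.conf /etc/resolv.conf` or remove the existing entry first. It is also worth saying in the text that this changes name resolution for the whole host, not only for Docker: containers receive a copy of the host's resolv.conf, and the local stub address systemd-resolved normally puts there is not reachable from a container's network namespace, so pointing the file at the upstream servers is what makes the fix work.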
Line 18: | Line 82: |
To be continued ... | this helps docker find the correct DNS server and is officially supported according to {{{man systemd-resolved 8}}} |
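Review bot: `man systemd-resolved 8` looks up two separate pages ("systemd-resolved" and "8"); the section number goes first: `man 8 systemd-resolved`. Also capitalise the start of the sentence ("This helps ...").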
How to install Docker on Ubuntu 16.04
How To Install and Use Docker on Ubuntu 16.04: https://www.digitalocean.com/community/tutorials/how-to-install-and-use-docker-on-ubuntu-16-04 (very well explained, provides interesting details, and it works)
Installing Wharfer on one of the AD machines
# First make sure that docker is running with user namespaces activated
> sudo vim /etc/docker/daemon.json
{
  "userns-remap": "default"
}
# Currently the remap user needs to be created per machine.
# It needs to be added to /etc/subuid and /etc/subgid manually because these aren't
# automatically updated with our user management (they are on standard Ubuntu).
# If the name "default" is used docker creates a "dockremap" user.
# In this case the /etc/subuid and /etc/subgid files need to contain the following
# line (format name:start:count) so that root inside a container appears as "nobody"
# (UID 65534) on the host; container UID n maps to host UID 65534+n.
> sudo vim /etc/subuid
… append …
dockremap:65534:65535
> sudo vim /etc/subgid
… append …
dockremap:65534:65535
# If more security than provided by wharfer is needed (e.g. lots of students)
# also install https://github.com/ad-freiburg/docker-no-trivial-root
# Note however that its restrictions then also apply to non-wharfer docker
# use, while wharfer alone does not impact other docker use.
# Install docker-no-trivial-root following the instructions in the Setup section on GitHub:
# https://github.com/ad-freiburg/docker-no-trivial-root#setup
# Install wharfer following the instructions in the Setup section on GitHub:
# https://github.com/ad-freiburg/wharfer#setup
Groups and IDs
Docker uses several groups and users for different purposes. On systems where these are newly created we try to use the same UIDs and GIDs, but they should not matter because only the names are used in the relevant commands.
docker (group, GID 950)
- Enables users in the group to access docker without sudo (owns the Unix socket /var/run/docker.sock)
- Historically different GID on: fiji (123), vulcano (998), elba (998), metropolis (998), alicudi (998), salina (121), flavus (998), rubur (998), titan (999), sirba (122), tapoa (120), tarka (130)
dockremap (user, UID 951)
- User that owns the user namespace mapping used for docker containers (mapping defined in /etc/subuid and /etc/subgid; owns nothing)
- Historically different UID on: metropolis (114), alicudi (119), tapoa (114)
dockremap (group, GID 951)
- Group of the dockremap user (owns nothing)
- Historically different GID on: metropolis (117), alicudi (127), tapoa (121)
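The following script is an added example for this page (not part of the wiki, of Docker or of wharfer). It checks what a userns-remap configuration like the one above actually does: which remap user Docker will look up, which host UID container root and a typical in-container user end up with, and which real host accounts fall inside the mapped range. The daemon.json, subuid, subgid and passwd contents below are constructed copies so the script runs offline; with the page's mapping only "nobody" is expected to appear in the range, and any other account indicates a badly chosen range.

```python
"""Sanity-check a Docker user-namespace remap like the one set up above.

Added example for this page; it is not part of the wiki, of Docker or of
wharfer. Works on constructed copies of /etc/docker/daemon.json,
/etc/subuid, /etc/subgid and /etc/passwd; read the real files to audit a host.
"""
import json

# Constructed samples mirroring the page's instructions.
DAEMON_JSON = '{ "userns-remap": "default" }'
SUBUID = "# name:start:count\ndockremap:65534:65535\n"
SUBGID = "dockremap:65534:65535\n"
# Constructed /etc/passwd excerpt: a real account such as "student" must never
# fall inside the remapped range, otherwise a container process would own that
# account's files on the host.
PASSWD = """root:x:0:0:root:/root:/bin/bash
student:x:1000:1000::/home/student:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
"""


def remap_user(daemon_json):
    """Name Docker looks up in /etc/subuid and /etc/subgid ("default" means
    Docker creates and uses the dockremap user; "user:group" is also allowed)."""
    value = json.loads(daemon_json).get("userns-remap")
    if not value:
        return None
    user = value.split(":")[0]
    return "dockremap" if user == "default" else user


def parse_sub_ranges(text, name):
    """[(start, count), ...] owned by `name` in /etc/subuid or /etc/subgid."""
    ranges = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        owner, start, count = line.split(":")
        if owner == name:
            ranges.append((int(start), int(count)))
    return ranges


def host_id(container_id, ranges):
    """Host ID for an ID inside the container; ranges are concatenated in order."""
    offset = 0
    for start, count in ranges:
        if container_id < offset + count:
            return start + (container_id - offset)
        offset += count
    raise ValueError("container id %d is not mapped" % container_id)


def accounts_in_ranges(passwd_text, ranges):
    """Host accounts whose UID lies inside the remapped ranges."""
    hits = []
    for line in passwd_text.splitlines():
        if not line.strip():
            continue
        name, _pw, uid, *_rest = line.split(":")
        uid = int(uid)
        if any(start <= uid < start + count for start, count in ranges):
            hits.append((name, uid))
    return hits


def check_setup(daemon_json, subuid, subgid, passwd):
    """Summarise what the configuration actually does."""
    user = remap_user(daemon_json)
    if user is None:
        return {"remap_enabled": False}
    uids = parse_sub_ranges(subuid, user)
    gids = parse_sub_ranges(subgid, user)
    return {
        "remap_enabled": True,
        "remap_user": user,
        "uid_ranges": uids,
        "gid_ranges": gids,
        # UID 0 inside the container, which most images run as
        "container_root_on_host": host_id(0, uids) if uids else None,
        # a typical unprivileged in-container user
        "container_uid_1000_on_host": host_id(1000, uids) if uids else None,
        "host_accounts_in_range": accounts_in_ranges(passwd, uids),
    }


if __name__ == "__main__":
    for key, value in check_setup(DAEMON_JSON, SUBUID, SUBGID, PASSWD).items():
        print("%-28s %s" % (key, value))
```

With the page's `dockremap:65534:65535` line the script reports container root as host UID 65534 and container UID 1000 as host UID 66534, and lists only "nobody" as a host account inside the range; a line such as `dockremap:1000:65536` would make it list "student" as well, which is exactly the overlap the mapping is meant to avoid.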
Docker Troubleshooting
"docker: Got permission denied while trying to connect" or "ERROR: Couldn't connect to Docker daemon" (2018-01-19)
WARNING: This is de facto equivalent to root access.
We're currently working on two solutions that, combined, should in the future be relatively safe. These are wharfer and docker-no-trivial-root.
Add user to group docker and switch to that group:
sudo usermod -aG docker <username>
# Logout
# Login
newgrp docker
Can't resolve *.informatik.privat in containers
This is docker issue https://github.com/docker/libnetwork/issues/2068. A fix is already merged, but the current docker version still has this problem.
To work around this, run on the host:
sudo ln -sf /run/systemd/resolve/resolv.conf /etc/resolv.conf
This helps docker find the correct DNS server and is officially supported according to man 8 systemd-resolved.
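The script below is an added example for this page (not part of the wiki or of Docker) that shows why the symlink helps. Docker gives a container a copy of the host's /etc/resolv.conf, drops nameservers with loopback addresses because they are unreachable from the container's network namespace, and falls back to Google's public resolvers 8.8.8.8 and 8.8.4.4 when nothing is left. A host whose /etc/resolv.conf points at the systemd-resolved stub (127.0.0.53) therefore hands its containers public resolvers that know nothing about *.informatik.privat. The two resolv.conf contents and the 10.0.0.x server addresses below are constructed samples.

```python
"""Why containers cannot resolve internal names when the host uses the
systemd-resolved stub, and what the resolv.conf symlink changes.

Added example for this page, not part of the wiki or of Docker. It models
the documented behaviour of Docker's default-bridge DNS setup: loopback
nameservers are filtered out of the host's resolv.conf and, if none remain,
the public defaults are used. File contents and addresses are constructed.
"""
import ipaddress

# Constructed: what /etc/resolv.conf normally points to on a systemd-resolved host.
STUB_RESOLV_CONF = """# This file is managed by man:systemd-resolved(8).
nameserver 127.0.0.53
search informatik.privat
"""
# Constructed: /run/systemd/resolve/resolv.conf with the real upstream servers.
UPSTREAM_RESOLV_CONF = """nameserver 10.0.0.53
nameserver 10.0.0.54
search informatik.privat
"""
# Constructed: the internal resolvers that can answer for *.informatik.privat.
INTERNAL_SERVERS = {"10.0.0.53", "10.0.0.54"}
# Docker's documented fallback when the host file only lists loopback servers.
DOCKER_DEFAULT_DNS = ["8.8.8.8", "8.8.4.4"]


def parse_resolv_conf(text):
    """(nameservers, search_domains) from resolv.conf text; comments ignored."""
    nameservers, search = [], []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        key, *values = line.split()
        if key == "nameserver" and values:
            nameservers.append(values[0])
        elif key == "search":
            search.extend(values)
    return nameservers, search


def container_dns(host_resolv_conf):
    """Nameservers and search list a container derives from this host file."""
    nameservers, search = parse_resolv_conf(host_resolv_conf)
    # 127.0.0.53, ::1 and friends refer to the container itself, not the host.
    usable = [ns for ns in nameservers if not ipaddress.ip_address(ns).is_loopback]
    return (usable or list(DOCKER_DEFAULT_DNS)), search


def can_resolve_internal(host_resolv_conf, internal_servers=INTERNAL_SERVERS):
    """True if at least one nameserver the container gets knows the private zone."""
    nameservers, _search = container_dns(host_resolv_conf)
    return any(ns in internal_servers for ns in nameservers)


if __name__ == "__main__":
    for label, text in (("stub /etc/resolv.conf", STUB_RESOLV_CONF),
                        ("symlinked /run/systemd/resolve/resolv.conf", UPSTREAM_RESOLV_CONF)):
        servers, search = container_dns(text)
        print("%-45s servers=%s search=%s internal=%s"
              % (label, servers, search, can_resolve_internal(text)))
```

Running it shows the container receiving 8.8.8.8 and 8.8.4.4 from the stub file and the 10.0.0.x servers once /etc/resolv.conf points at the upstream file; the search domain informatik.privat survives in both cases, which is why the symptom is "can't resolve" rather than a visibly missing search list.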