|
Size: 855
Comment: Add note on root access, wharfer and docker-no-trivial-root
|
Size: 3249
Comment: change back subuid/subgid
|
| Deletions are marked like this. | Additions are marked like this. |
| Line 2: | Line 2: |
= How to install Docker on Ubuntu 16.04 = [[https://www.digitalocean.com/community/tutorials/how-to-install-and-use-docker-on-ubuntu-16-04|How To Install and Use Docker on Ubuntu 16.04]] (very well explained + provides interesting details + it works) = Installing Wharfer on one of the AD machines = {{{ # First make sure that docker is running with user namespaces activated > sudo vim /etc/docker/daemon.json { "userns-remap": "<remap_user | default >" } # Currently the remap user needs to be created per machine # It needs to be added to /etc/subuid, /etc/subgid manually because these aren't # automatically updated with our user management (they are on standard Ubuntu). # If the name "default" is used docker creates a "dockremap" user. # In this case the /etc/subuid, /etc/subgid files need to look like the following so that # the processes in the container appear as "nobody" on the host > sudo vim /etc/subuid … append .. dockremap:65534:65535 > sudo vim /etc/subgid … append … dockremap:65534:65535 # If more security than provided by wharfer is needed (e.g. lots of students) # also install https://github.com/ad-freiburg/docker-no-trivial-root # Note however that its restrictions then also apply to non-wharfer docker # use while wharfer alone does not impact other docker use # Install docker-no-trivial-root following the instructions in the Setup section on GitHub https://github.com/ad-freiburg/docker-no-trivial-root#setup #Install wharfer following the instructions in the Setup section on GitHub https://github.com/ad-freiburg/wharfer#setup }}} = Groups and IDs = Docker several groups and users for different purposes. On systems where these are newly created we try to use the same UIDs and GIDs but these should not matter as only the names are used in relevant commands. * '''docker''' (group, GID 950) * Enables users in the group to access docker without sudo (owns Unix socket {{{/var/run/docker.sock}}}) * Historically different GID on: fiji (123), vulcano (998), elba (998), metropolis (998), alicudi (998), salina (121), flavus (998), rubur (998), titan (999), sirba (122), tapoa (120), tarka (130) * '''dockremap''' (user, UID 951) * User that owns the user namespace mapping used for docker containers (mapping defined in {{{/etc/subuid, /etc/subgid}}}, owns nothing) * Historically different UID on: metropolis (114), alicudi (119), tapoa (114) * '''dockremap''' (group, GID 951) * Group of the dockremap user (owns nothing) * Historically different GID on: metropolis (117), alicudi (127), tapoa (121) = Docker Troubleshooting = |
|
| Line 6: | Line 61: |
| Line 17: | Line 73: |
== How to install docker == [[https://www.digitalocean.com/community/tutorials/how-to-install-and-use-docker-on-ubuntu-16-04|How To Install and Use Docker on Ubuntu 16.04]] (very well explained + provides interesting details + it works) To be continued ... |
Contents
How to install Docker on Ubuntu 16.04
How To Install and Use Docker on Ubuntu 16.04 (very well explained + provides interesting details + it works)
Installing Wharfer on one of the AD machines
# First make sure that docker is running with user namespaces activated
> sudo vim /etc/docker/daemon.json
{
"userns-remap": "<remap_user | default >"
}
# Currently the remap user needs to be created per machine
# It needs to be added to /etc/subuid, /etc/subgid manually because these aren't
# automatically updated with our user management (they are on standard Ubuntu).
# If the name "default" is used docker creates a "dockremap" user.
# In this case the /etc/subuid, /etc/subgid files need to look like the following so that
# the processes in the container appear as "nobody" on the host
> sudo vim /etc/subuid
… append ..
dockremap:65534:65535
> sudo vim /etc/subgid
… append …
dockremap:65534:65535
# If more security than provided by wharfer is needed (e.g. lots of students)
# also install https://github.com/ad-freiburg/docker-no-trivial-root
# Note however that its restrictions then also apply to non-wharfer docker
# use while wharfer alone does not impact other docker use
# Install docker-no-trivial-root following the instructions in the Setup section on GitHub
https://github.com/ad-freiburg/docker-no-trivial-root#setup
#Install wharfer following the instructions in the Setup section on GitHub
https://github.com/ad-freiburg/wharfer#setup
Groups and IDs
Docker several groups and users for different purposes. On systems where these are newly created we try to use the same UIDs and GIDs but these should not matter as only the names are used in relevant commands.
docker (group, GID 950)
Enables users in the group to access docker without sudo (owns Unix socket /var/run/docker.sock)
- Historically different GID on: fiji (123), vulcano (998), elba (998), metropolis (998), alicudi (998), salina (121), flavus (998), rubur (998), titan (999), sirba (122), tapoa (120), tarka (130)
dockremap (user, UID 951)
User that owns the user namespace mapping used for docker containers (mapping defined in /etc/subuid, /etc/subgid, owns nothing)
- Historically different UID on: metropolis (114), alicudi (119), tapoa (114)
dockremap (group, GID 951)
- Group of the dockremap user (owns nothing)
- Historically different GID on: metropolis (117), alicudi (127), tapoa (121)
Docker Troubleshooting
"docker: Got permission denied while trying to connect" or "ERROR: Couldn't connect to Docker daemon" (2018-01-19)
WARNING: This is defacto equivalent to root access
We're currently working on two solutions that combined should in the future be relatively safe. These are wharfer and docker-no-trivial-root
Add user to group docker and switch to that group:
sudo usermod -aG docker <username> # Logout # Login newgrp docker