Using docker rootless with new version - linux

There are new rootless capabilities in the new Docker release:
https://docs.docker.com/engine/security/rootless/
We need to run it in our environments and provide it using a Dockerfile.
I tried the following:
FROM debian:10.6
RUN apt-get -y update && apt-get -y install git curl
ENV USER=user
RUN curl -fsSL https://get.docker.com/rootless | sh
RUN PATH=/home/testuser/bin:$PATH
RUN PATH=$PATH:/sbin
RUN DOCKER_HOST=unix:///run/user/1001/docker.sock
RUN docker --help
When running it I got an error:
# Installing stable version 20.10.0
Refusing to install rootless Docker as the root user
The command '/bin/bash -c curl -fsSL https://get.docker.com/rootless | sh' returned a non-zero code: 1
How can I run it as an unprivileged user using Docker?
Why? We have a unique environment where we provide our "tools" using Docker (like go, k8s binaries, etc.) but do not provide Docker itself (Docker CLI / daemon, etc.) to the environment.
Now Docker supports rootless privileges, and we want to add the binary and a way to execute the docker commands (build, push).

Related

Nextcloud docker install with SSH access enabled

I’m trying to install SSH (and enable the service) on top of my Nextcloud installation in Docker, and have it work on reboot. Having run through many Dockerfile and docker-compose combinations, I can’t seem to get this to work. I’ve tried using entrypoint.sh scripts with a Dockerfile, but it wants a CMD at the end and then it doesn’t execute the “normal” Nextcloud startup.
entrypoint.sh:
#!/bin/sh
# Start the ssh server
service ssh start
# Execute the CMD
exec "$@"
Dockerfile:
FROM nextcloud:latest
RUN apt update -y && apt-get install ssh -y
RUN apt-get install python3 -y && apt-get install sudo -y
RUN echo 'ansible ALL=(ALL:ALL) NOPASSWD:ALL' >> /etc/sudoers
RUN useradd -m ansible -s /bin/bash
RUN sudo -u ansible mkdir /home/ansible/.ssh
RUN mkdir -p /var/run/sshd
COPY entrypoint.sh /entrypoint.sh
RUN chmod +x /entrypoint.sh
ENTRYPOINT ["/entrypoint.sh"]
CMD ["/usr/sbin/sshd", "-D"]
Any help would be much appreciated. Thank you
In general I'd say - break the problem you're having down into smaller parts - it'll help isolate the source of the problem.
Here's how I'd approach the reported issue.
First - replace (in your Dockerfile)
apt-get install -y ssh
with the recommended
apt install -y openssh-server
Then - test just the required parts of your Dockerfile addressing the issue - simplify it just to the following:
FROM nextcloud:latest
RUN apt update
RUN apt install -y openssh-server
Then build a test image using this Dockerfile via the command
docker build . -t test_nextcloud
This will build the image - giving it the name (tag) of test_nextcloud.
Then run a container from this newly built image via the docker run command
docker run -p 8080:80 -d --name nextcloud test_nextcloud
This will run the container on port 8080 in detached mode, and give the associated container the name of nextcloud.
Then - with the container running - you should be able to enter into it using the following command
docker container exec -u 0 -it nextcloud bash
as root.
Now that you are in, you should be able to start up the ssh server via the command
service ssh start
Having followed a set of steps like this to confirm that you can indeed start up an ssh server in the nextcloud container, begin adding back in your additional logic (beginning with the original Dockerfile).

Run sshd in Docker container

I found this Dockerfile sample here:
// version 1
FROM ubuntu:latest
RUN apt update && apt install ssh -y
RUN service ssh start
CMD ["/usr/sbin/sshd","-D"]
When I build and run this Dockerfile, it runs an SSH server in the foreground, which is great.
If I use the following Dockerfile though:
// version 2
FROM ubuntu:latest
RUN apt update && apt install ssh -y
RUN service ssh start
# CMD ["/usr/sbin/sshd","-D"] // without this line
And then run the container:
~$ docker run -p 2222:22 -it ssh_server
And try to connect to it from another terminal, it doesn't work. Seemingly this call to sshd is necessary. On the other hand, If I just install SSH in the Dockerfile:
// version 3
FROM ubuntu:latest
RUN apt-get update && apt-get install -y ssh
And run the container like this:
~$ docker run -p 2222:22 -it ssh:test
~$ service ssh start
* Starting OpenBSD Secure Shell server sshd
Now I'm able to connect to the container. So I wonder: if the line RUN ssh service start in version 1 is necessary, why isn't it necessary for version 3?
To add more to the confusion, if I build and run version 4:
// version 4
FROM ubuntu:latest
RUN apt update && apt install ssh -y
#RUN service ssh start // without this line
CMD ["/usr/sbin/sshd","-D"]
It doesn't work either.
Can someone please explain those behaviours? What is the relation between service ssh start and /usr/sbin/sshd?
OK everything is clear now:
Basically running the /usr/sbin/sshd is what runs the ssh server. The reason it didn't work out on its own (version 4) is because the script that runs when you run service ssh start - which is the script /etc/init.d/ssh - creates a directory /run/sshd which is required for the run of sshd.
This script also calls the executable /usr/sbin/sshd, but since this is run as part of the build, it didn't sustain beyond the temporary container that the layer was made of.
What did sustain is the /run/sshd directory! That's why when we run /usr/sbin/sshd as the CMD it works!
Thanks all!
To build on @YoavKlein's answer, service ssh start can take arguments which are passed to sshd, so rather than
# Incidentally creates /run/sshd
RUN service ssh start
# Run the service in the foreground when starting the container
CMD ["/usr/sbin/sshd", "-D"]
you can just do
# Run the service in the foreground when starting the container
CMD ["service", "ssh", "start", "-D"]
which will start the SSH server through service, but run it in the foreground, avoiding having to have a separate RUN to do first time setup.
I have taken the idea from @mark-raymond :)
Following docker run command with the -D flag worked for me!:
docker run -itd -p 2222:22 <dockerImageName:Tag> /usr/sbin/sshd -D
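
The behaviour explained above (sshd needs /run/sshd, which service ssh start only creates as a side effect) can be made explicit in an entrypoint script. This is an added example, not code from the original posts; generating missing host keys with ssh-keygen -A goes beyond what the answers cover. The function names and the "run" argument are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original posts): entrypoint that prepares
# what sshd needs and then runs it in the foreground.
# Function names and the "run" argument are assumptions of this example.

# Create the privilege separation directory that /etc/init.d/ssh would
# otherwise create as a side effect of "service ssh start".
# sshd expects it to be root-owned and not group- or world-writable.
ensure_privsep_dir() {
    dir="$1"
    mkdir -p "$dir" && chmod 0755 "$dir"
}

# Print the host key types that have no non-empty private key in key_dir.
missing_host_keys() {
    key_dir="$1"
    missing=""
    for kind in rsa ecdsa ed25519; do
        [ -s "$key_dir/ssh_host_${kind}_key" ] || missing="$missing $kind"
    done
    echo "${missing# }"
}

main() {
    ensure_privsep_dir /run/sshd || {
        echo "cannot create /run/sshd" >&2
        exit 1
    }
    # Host keys may be absent if the image build removed them so that
    # containers do not all share one identity; regenerate them here.
    if [ -n "$(missing_host_keys /etc/ssh)" ]; then
        ssh-keygen -A
    fi
    # -D keeps sshd in the foreground as the container's main process,
    # -e sends its log to stderr so "docker logs" can show it.
    exec /usr/sbin/sshd -D -e "$@"
}

# Only act when invoked as "<script> run [sshd options]".
if [ "${1:-}" = "run" ]; then
    shift
    main "$@"
fi
```

Copied into the image as a hypothetical /entrypoint.sh and set with ENTRYPOINT ["/entrypoint.sh", "run"], this replaces both the RUN service ssh start step and the separate CMD.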

Docker container with Docker and node: Not working with multi-stage

I would like to have a docker container for a CI-step that has docker and node installed.
I thought it would be the perfect use-case to use the multistage build.
I have a new docker version Docker version 18.09.3, build 774a1f4 and I tried this Dockerfile, but to no avail:
FROM docker:18.09.3
FROM node:8
CMD ["bash"]
The resulting image has node-stuff such as npm installed, but no docker things... Any ideas how to proceed here?
Thanks a lot!
Update
I changed the Dockerfile to this, which also does not work (docker is not installed in the container):
FROM docker:18.09.3
FROM ubuntu:latest
USER root
RUN apt-get update
RUN apt-get -y install curl gnupg
RUN curl -sL https://deb.nodesource.com/setup_11.x | bash -
RUN apt-get -y install nodejs
CMD [ "node" ]
Update2
This Dockerfile does what I need, but it is not with multi-stage (which I would have liked to try here)
FROM docker:18.09.3
USER root
RUN apk update
RUN apk add --update nodejs nodejs-npm
CMD [ "node" ]

Combine docker files. thrift and nodejs

I'm a web dev and I use node. A colleague has added code to my branch that uses the thrift npm package. Although thrift is a npm package, it needs to be installed on the local machine still for the package to be used. I do not have apache thrift installed and cannot run the code. I will eventually have to deploy this code so I'd like to look into creating a docker container that has thrift available and the nodejs code can run in that container using the thrift installation.
I cannot find a container for this purpose. There is an official docker image with the thrift library, but that seems like it only runs thrift files. There is also the node container of course. Any way I can combine the two?
Check this Dockerfile, which contains both nodejs and thrift. I directly build this image from apache/thrift, which is the official docker image of thrift, and install nodejs and npm.
FROM apache/thrift
RUN apt-get update && apt-get install -y --no-install-recommends curl sudo
RUN curl --silent --location https://deb.nodesource.com/setup_8.x | sudo bash - && \
apt-get install --yes nodejs && \
apt-get install --yes build-essential
RUN apt-get install --yes npm
ENTRYPOINT ["/bin/bash", "-c"]
CMD ["/bin/bash"]
Build command:
docker build -t thrift-node .
Run command
docker run --name test-thrift -p 3000:3000 --rm -it thrift-node
Verify version command
thrift -version
nodejs -v
npm -v

Docker nodejs not found

When I run docker build -t example . on the below, I'm getting an error:
FROM ruby:2.1
RUN rm /bin/sh && ln -s /bin/bash /bin/sh
ENV NVM_DIR /usr/local/nvm
ENV NODE_VERSION 4.4.2
RUN curl https://raw.githubusercontent.com/creationix/nvm/v0.31.0/install.sh | bash \
&& source $NVM_DIR/nvm.sh \
&& nvm install $NODE_VERSION \
&& nvm alias default $NODE_VERSION \
&& nvm use default
ENV NODE_PATH $NVM_DIR/v$NODE_VERSION/lib/node_modules
ENV PATH $NVM_DIR/v$NODE_VERSION/bin:$PATH
RUN node -v
I get the following error:
Step 9 : RUN node -v
 ---> Running in 6e3fac36d2fc
/bin/sh: node: command not found
The command '/bin/sh -c node -v' returned a non-zero code: 127
Can't understand why node is not found in the path. I tried executing the nvm.sh file as well but it didn't have an effect.
Node version manager is an excellent application for switching versions of Node.js on your development machine, but Docker begs a specific kind of image/container design that is meant to be both ephemeral and stripped down to the bare essentials in order to support the "best practice" of microservices. Docker is just a fancy way to run a process, not a full VM. That last sentence has helped me a lot in how to think about Docker. And so here, you can make things easier on yourself by creating different versions of your image, instead of making one container with many versions of Node.js inside of it. This way, you can reference the Node version you want to run inside of your docker run command instead of trying to feed in environment variables trying to get NVM to select the right version. For example:
docker build -t=jamescharlesworth-node:4.x-latest .
And of course your Dockerfile will have in it the install command in your RUN directive that you mention in the comments:
RUN curl -sL https://deb.nodesource.com/setup_4.x | bash -
RUN apt-get install -y nodejs
