
Tutoring and Help with RunImage

Open fwn0 opened this issue 1 year ago • 6 comments

Hello Maxim, I am already looking forward to the new upcoming runimage 0.40.1, which you are currently preparing (as I see in your GitHub activity). But now I have a request for you. I don't understand exactly how your fake-systemd works for starting docker. I have installed docker and docker-compose in the runimage with pac, but now I can't figure out how to start the daemon with fake-systemd before rebuilding a new runimage-docker. I mean, how do I use the standard commands systemctl start docker.service and systemctl enable docker.service in the new runimage-docker? I also wanted to ask, how should the structure of containers, images and volumes look? Can docker in runimage then serve the containers, images, etc. only inside runimage, where they are placed on rootfs or overlayfs, or also outside of runimage, e.g. on ~/ri-portable-progs?

fwn0 avatar Jan 11 '25 14:01 fwn0

@fwn0 Hi! Fully running the docker daemon requires elevated privileges (even for rootless mode). But I still managed to run the docker daemon in runimage. Here is a rough order of operations:

Create docker dir:

mkdir docker

Run runimage in overlayfs mode, with sandbox network and with bubblewrap fake root and with bind docker dir:

OVERFS_ID=docker KEEP_OVERFS=1 SANDBOX_NET=1 ./runimage --uid 0 --gid 0 --bind "$PWD/docker" /var/lib/docker bash

Install docker:

# update packages:
runupdate

pac --noconfirm -S docker

Run the docker daemon in the runimage network sandbox on 127.0.0.1:1337:

/usr/bin/dockerd -H tcp://127.0.0.1:1337 --seccomp-profile unconfined --rootless --no-new-privileges &>/dev/null &

And now you can run docker:

DOCKER_HOST=tcp://127.0.0.1:1337 docker run --rm -i -v /dev:/dev alpine:latest cat /etc/os-release 

But there are some limitations:

  • I have not yet managed to solve the lchown problem when pulling some container images (for example debian:latest)
  • You can't remove the -v /dev:/dev bind or you will get the /dev/pts error
  • Even with the -v /dev:/dev bind there is no way to allocate a full-fledged pseudo terminal, or you will get the /dev/console error.

I may need to analyze the dockerd source code (runc, containerd) and apply some tricks to fix these errors (as I already did for runimage-openssh). I would be glad to have help in this endeavor.

Alternatively, you can use udocker as an option. This is not a full-fledged replacement for docker, but it's still not bad either.

VHSgunzo avatar Jan 15 '25 19:01 VHSgunzo
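The steps above, collected into one script, as an added example that is not part of the original comment or of the runimage project. It assumes you are already inside the runimage shell started by the OVERFS_ID=docker ... command (with docker installed via pac), and it adds two things a practitioner wants around a TCP dockerd: a wait until the daemon actually answers, and a guard that refuses to start it on anything other than a loopback address, since a TCP dockerd without TLS gives root-equivalent control of the daemon to anyone who can reach the port (here only the SANDBOX_NET=1 namespace and the 127.0.0.1 bind keep it private). The RI_DOCKERD_DEMO variable and the /tmp/dockerd.log path are choices made for this example, not runimage settings.

```shell
#!/usr/bin/env bash
# Added example (not runimage project code): run the dockerd-in-runimage
# procedure with a readiness wait and a loopback-only guard.
set -u

# Endpoint used in the comment above. Assumption for this example: no TLS is
# configured, so the bind address is the only access control on the daemon.
DOCKER_HOST="${DOCKER_HOST:-tcp://127.0.0.1:1337}"

# Return 0 only for tcp:// endpoints bound to IPv4 loopback (127.0.0.0/8) or ::1.
check_docker_host_loopback() {
    local host="$1" addr
    case "$host" in
        tcp://*) ;;
        *) return 1 ;;
    esac
    addr="${host#tcp://}"
    addr="${addr%:*}"                      # strip ":port"
    addr="${addr#\[}"; addr="${addr%\]}"   # strip IPv6 brackets
    case "$addr" in
        127.*) return 0 ;;
        ::1)   return 0 ;;
        *)     return 1 ;;
    esac
}

# Poll "docker info" against $1 until it succeeds or $2 seconds have passed.
# Returns 1 immediately if the docker CLI is not installed at all.
wait_for_dockerd() {
    local host="$1" timeout="${2:-30}" i=0
    command -v docker >/dev/null 2>&1 || return 1
    while [ "$i" -lt "$timeout" ]; do
        if DOCKER_HOST="$host" docker info >/dev/null 2>&1; then
            return 0
        fi
        sleep 1
        i=$((i + 1))
    done
    return 1
}

# Start dockerd with the flags from the comment above. Output goes to a log
# file (example path) rather than /dev/null so pull failures such as the
# lchown problem stay visible.
start_dockerd() {
    local host="$1" log="${2:-/tmp/dockerd.log}"
    if ! check_docker_host_loopback "$host"; then
        echo "refusing to start an unauthenticated TCP dockerd on: $host" >&2
        return 1
    fi
    /usr/bin/dockerd -H "$host" --seccomp-profile unconfined --rootless \
        --no-new-privileges >"$log" 2>&1 &
    DOCKERD_PID=$!
    wait_for_dockerd "$host" 30
}

main() {
    start_dockerd "$DOCKER_HOST" || exit 1
    trap 'kill "$DOCKERD_PID" 2>/dev/null' EXIT
    # Smoke test from the comment: the /dev bind is required or /dev/pts fails.
    DOCKER_HOST="$DOCKER_HOST" docker run --rm -i -v /dev:/dev \
        alpine:latest cat /etc/os-release
}

# Only launch the daemon when explicitly asked, so the functions above can be
# sourced and checked without a daemon. RI_DOCKERD_DEMO is an example variable.
if [ "${RI_DOCKERD_DEMO:-0}" = 1 ]; then
    main
fi
```

Run it inside the runimage shell as RI_DOCKERD_DEMO=1 bash ./dockerd-demo.sh; pointing DOCKER_HOST at tcp://0.0.0.0:1337 makes start_dockerd refuse, which is the intended behaviour.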

Thank you for your introduction Maxim,

it may not be necessary to install docker or podman. I will now experiment a bit with crun. Maybe it will be much easier to run the docker images, containers, volumes with crun.

fwn0 avatar Jan 15 '25 21:01 fwn0

I have managed to create a running rootless alpine container with 0.40.4 using crun (without podman or docker). Unfortunately I couldn't find out how to activate an internet connection as well. I tried to configure it with RIM_RESOLVCONF_FILE=/path/resolv.conf, but so far I have no connection.

Can you please give me instructions on how to create the connection in the docker container?

But now I have another problem with user/group. I would like to create a jellyfin server with client in RunImage, but as you can see, here is a problem.

artix-pc:[artix]:~/Devel/RIM/Arch$ RIM_ALLOW_ROOT=1 RIM_OVERFS_MODE=1 RIM_OVERFS_ID=core ./runimage rim-shell
Ignoring invalid max threads value 4294967295 > max (100000).
[ INFO ][2025.02.02 13:34:30]: Attaching to OverlayFS: core
┌─[artix@artix-pc]:[~/Devel/RIM/Arch]:[13:34:36]
└──╼ $ useradd -U jellyfin
useradd: cannot open /etc/passwd
┌─[✗]─[artix@artix-pc]:[~/Devel/RIM/Arch]:[13:34:46]
└──╼ $ systemctl start jellyfin
ERROR:systemctl: jellyfin.service: User does not exist: jellyfin (Mapping key not found.)
ERROR:systemctl: jellyfin.service: Group does not exist: jellyfin (Mapping key not found.)
ERROR:systemctl: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
ERROR:systemctl: Oops, 1 user names and 1 group names were not found. Refusing.
ERROR:systemctl: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
┌─[✗]─[artix@artix-pc]:[~/Devel/RIM/Arch]:[13:35:28]

How can I solve the problem(s) ?

fwn0 avatar Feb 02 '25 13:02 fwn0

I have managed to create a running rootless alpine container with 0.40.4 using crun (without podman or docker). Unfortunately I couldn't find out how to activate an internet connection as well. I tried to configure it with RIM_RESOLVCONF_FILE=/path/resolv.conf, but so far I have no connection. Can you please give me instructions on how to create the connection in the docker container?

@fwn0 Hi! In that case, wouldn't it be easier to use the built-in functionality of the custom rootfs? https://github.com/VHSgunzo/runimage?tab=readme-ov-file#runimage-custom-rootfs

But now I have another problem with user/group. I would like to create jellyfin server with client in RunImage, but as you can see, here is a problem.

By default, runimage binds groups and users from the host. To change this, you can use RIM_UNSHARE_USERS=1 and then add groups and users in the container. But there's a catch: because it's a container in unprivileged user namespaces, you won't be able to really change the user or group, so you can use, for example, fakeroot with the fake user's UID inside the container if the application really needs to change the user or group during operation (like apt or pacman). https://salsa.debian.org/clint/fakeroot/-/blob/master/communicate.h?ref_type=heads#L102-L109

FAKEROOTEUID=2 fakeroot id -un 


In the case of systemd units, you can try to remove user and group changes from the unit.

VHSgunzo avatar Feb 03 '25 20:02 VHSgunzo

For jellyfin

RIM_OVERFS_ID=jellyfin RIM_KEEP_OVERFS=1 ./runimage

pac -Sy jellyfin-server jellyfin-web
sed -i '/^User/d;/^Group/d' /usr/lib/systemd/system/jellyfin.service
mkdir -p /var/lib/jellyfin
systemctl start jellyfin -vvv

or you can add the necessary services to autostart

systemctl enable jellyfin -vvv

and then use init

RIM_OVERFS_ID=jellyfin RIM_KEEP_OVERFS=1 ./runimage systemctl init

VHSgunzo avatar Feb 03 '25 20:02 VHSgunzo
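What the manual sed step in the comment above does, as an added example that is not runimage or fake-systemd code. It anchors the patterns on "User=" and "Group=" rather than any line starting with those letters, keeps a .orig backup of the unit, and adds a check that reports how many User=/Group= directives remain, which is the condition fake-systemd complained about in the transcript above. The jellyfin.service content inside demo_unit() is constructed for the example and is not the packaged unit.

```shell
#!/usr/bin/env bash
# Added example (not runimage/fake-systemd code): strip User= and Group= from a
# systemd unit so fake-systemd can start it inside an unprivileged user
# namespace, where switching to another account is not possible.
set -u

# Delete User= and Group= directives in place, keeping "<unit>.orig" as backup.
# Anchoring on "=" avoids touching unrelated keys that share a prefix.
# Returns 1 if the unit file does not exist.
patch_unit_for_userns() {
    local unit="$1"
    [ -f "$unit" ] || return 1
    sed -i.orig -e '/^User=/d' -e '/^Group=/d' "$unit"
}

# Print the number of User=/Group= lines left in the unit; 0 means fake-systemd
# no longer needs to resolve any account names.
count_user_group_lines() {
    grep -c -E '^(User|Group)=' "$1" || true
}

# Write a constructed jellyfin-like unit into a temp dir and print its path.
demo_unit() {
    local dir
    dir="$(mktemp -d)"
    cat >"$dir/jellyfin.service" <<'EOF'
[Unit]
Description=Jellyfin Media Server (constructed for the example)
After=network.target

[Service]
Type=simple
User=jellyfin
Group=jellyfin
UMask=0077
ExecStart=/usr/bin/jellyfin

[Install]
WantedBy=multi-user.target
EOF
    printf '%s\n' "$dir/jellyfin.service"
}
```

Inside the runimage shell the real target is /usr/lib/systemd/system/jellyfin.service; run patch_unit_for_userns on it and then count_user_group_lines should print 0 before systemctl start jellyfin is attempted.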

@fwn0

sed -i '/^User/d;/^Group/d' /usr/lib/systemd/system/jellyfin.service
mkdir -p /var/lib/jellyfin

In v0.40.5 a pacman hook has been added to the fake-systemd package which fixes SystemD units. So now all you have to do is just install jellyfin and run it:

RIM_OVERFS_ID=jellyfin RIM_KEEP_OVERFS=1 ./runimage

pac -Sy jellyfin-server jellyfin-web

systemctl start jellyfin -vvv

VHSgunzo avatar Feb 06 '25 13:02 VHSgunzo