ansible-role-docker-rootless

Can support for Amazon Linux 2 be added?

Open benlei-gfm opened this issue 2 years ago • 6 comments

benlei-gfm avatar May 26 '22 21:05 benlei-gfm

Hi @benlei-gfm - I'll have a look to see what's required for that to work.

konstruktoid avatar May 27 '22 07:05 konstruktoid

Hi again @benlei-gfm and sorry for the late reply.

Sorry to say I'm not going to start supporting Amazon Linux 2; this is due to the fact that many of the requirements aren't present. Even if I install e.g. slirp4netns from third party sources, the basic functionality isn't available.

If you are forced to use Amazon Linux, I suggest you have a look at podman instead (https://www.redhat.com/en/blog/preview-running-containers-without-root-rhel-76), otherwise I would recommend you to use a more up-to-date distribution.

TASK [konstruktoid.docker_rootless : enable and start docker (rootless installation)] ************************************************************************************
fatal: [127.0.0.1]: FAILED! => {"changed": false, "msg": "failure 1 during daemon-reload: Failed to get D-Bus connection: No such file or directory\n"}
TASK [konstruktoid.docker_rootless : install rootless docker] ************************************************************
fatal: [127.0.0.1]: FAILED! => {"changed": true, "cmd": ["dockerd-rootless-setuptool.sh", "install"], "delta": "0:00:00.070033", "end": "2022-06-01 16:48:31.122326", "msg": "non-zero return code", "rc": 1, "start": "2022-06-01 16:48:31.052293", "stderr": "\u001b[101m\u001b[97m[ERROR]\u001b[49m\u001b[39m Missing system requirements. Run the following commands to\n\u001b[101m\u001b[97m[ERROR]\u001b[49m\u001b[39m install the requirements and run this tool again.", "stderr_lines": ["\u001b[101m\u001b[97m[ERROR]\u001b[49m\u001b[39m Missing system requirements. Run the following commands to", "\u001b[101m\u001b[97m[ERROR]\u001b[49m\u001b[39m install the requirements and run this tool again."], "stdout": "\n########## BEGIN ##########\nsudo sh -eux <<EOF\n# Install newuidmap & newgidmap binaries\nyum install -y shadow-utils\nEOF\n########## END ##########", "stdout_lines": ["", "########## BEGIN ##########", "sudo sh -eux <<EOF", "# Install newuidmap & newgidmap binaries", "yum install -y shadow-utils", "EOF", "########## END ##########"]}

Red Hat disabled the systemd user service in RHEL 7 (and thereby all distros that come from RHEL, like CentOS, Oracle Linux 7, Amazon Linux 2): https://bugzilla.redhat.com/show_bug.cgi?id=1173278

The shadow-utils package doesn't contain the newuidmap and newgidmap commands: https://bugzilla.redhat.com/show_bug.cgi?id=1498628

$ sudo yum install -y shadow-utils
Loaded plugins: extras_suggestions, langpacks, priorities, update-motd
Package 2:shadow-utils-4.1.5.1-24.amzn2.0.2.x86_64 already installed and latest version
Nothing to do

I will get back to you after testing Amazon Linux 2022 (https://aws.amazon.com/linux/amazon-linux-2022/?amazon-linux-whats-new.sort-by=item.additionalFields.postDateTime&amazon-linux-whats-new.sort-order=desc).

konstruktoid avatar Jun 01 '22 19:06 konstruktoid
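A preflight check for the requirements this comment lists (a user-session D-Bus, the newuidmap/newgidmap setuid helpers, slirp4netns) plus the subordinate id ranges and user namespace limit that rootless Docker also depends on, as an added example that is not the role's code. `/usr/bin` and `/run` are assumed locations; every check takes its path as a parameter so it can be pointed elsewhere.

```shell
#!/bin/sh
# Added preflight check for rootless Docker prerequisites (example code, not
# part of the konstruktoid.docker_rootless role). Every check returns 0 when
# the requirement is met and 1 otherwise; the file or directory it inspects is
# a parameter so the same function runs against live or constructed paths.

# subid_range_ok USER FILE: FILE is in /etc/subuid or /etc/subgid format
# ("user:start:count"); rootless Docker needs at least 65536 subordinate ids.
subid_range_ok() {
    [ -r "$2" ] || return 1
    awk -F: -v u="$1" '$1 == u && $3 >= 65536 { ok = 1 } END { exit !ok }' "$2"
}

# setuid_helper_ok NAME DIR: newuidmap/newgidmap must exist and carry the
# setuid bit (Amazon Linux 2's shadow-utils ships without them, see above).
setuid_helper_ok() {
    [ -x "$2/$1" ] && [ -u "$2/$1" ]
}

# tool_ok NAME DIR: a plain executable such as slirp4netns.
tool_ok() {
    [ -x "$2/$1" ]
}

# userns_ok FILE: FILE holds the kernel's user.max_user_namespaces value
# (/proc/sys/user/max_user_namespaces); RHEL 7 kernels default it to 0.
userns_ok() {
    [ -r "$1" ] && [ "$(cat "$1")" -gt 0 ] 2>/dev/null
}

# user_bus_ok UID RUNDIR: the systemd user session bus socket must exist, or
# dockerd-rootless-setuptool.sh fails with "Failed to get D-Bus connection".
user_bus_ok() {
    [ -S "$2/user/$1/bus" ]
}

# rootless_preflight USER: run every check against the live system and report;
# returns the number of unmet requirements (0 means the role can be applied).
rootless_preflight() {
    uid=$(id -u "$1") || return 1
    fails=0
    for check in "subid_range_ok $1 /etc/subuid" "subid_range_ok $1 /etc/subgid" \
                 "setuid_helper_ok newuidmap /usr/bin" "setuid_helper_ok newgidmap /usr/bin" \
                 "tool_ok slirp4netns /usr/bin" "userns_ok /proc/sys/user/max_user_namespaces" \
                 "user_bus_ok $uid /run"; do
        if $check; then echo "ok      $check"; else echo "MISSING $check"; fails=$((fails + 1)); fi
    done
    return $fails
}
```

Running `rootless_preflight ec2-user` on a host before applying the role turns the opaque D-Bus or setuptool failure into a named missing requirement.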

Amazon Linux 2022 (tested using 2022.0.20220518) will work with some minor modifications.

- name: install slirp4netns package
  become: 'yes'
  ansible.builtin.package:
    name: "slirp4netns"
    state: present
  when: not ansible_distribution == "Amazon"
  tags:
    - apt
    - dnf
    - packages

- name: install slirp4netns binary
  become: 'yes'
  ansible.builtin.get_url:
    url: "https://github.com/rootless-containers/slirp4netns/releases/download/v1.2.0/slirp4netns-x86_64"
    dest: /usr/bin/slirp4netns
    checksum: sha256:11080fdfb2c47b99f2b0c2b72d92cc64400d0eaba11c1ec34f779e17e8844360
    owner: root
    group: root
    mode: '0755'
  when: ansible_distribution == "Amazon"

---
- hosts: all
  any_errors_fatal: true
  tasks:
    - name: include konstruktoid.docker_rootless
      include_role:
        name: konstruktoid.docker_rootless
      
    - name: register "{{ docker_user }}" info
      become: 'yes'
      user:
        name: "{{ docker_user }}"
      check_mode: 'yes'
      register: docker_user_info
      tags:
        - user
    
    - name: example container block
      environment:
        XDG_RUNTIME_DIR: "/run/user/{{ docker_user_info.uid }}"
        PATH: "{{ docker_user_info.home }}/bin:{{ ansible_env.PATH }}"
        DOCKER_HOST: "unix:///run/user/{{ docker_user_info.uid }}/docker.sock"
      block:
        - name: nginx container
          become: 'yes'
          become_user: "{{ docker_user }}"
          community.docker.docker_container:
            name: nginx
            image: konstruktoid/nginx
            published_ports: 127.0.0.1:9000:80
            state: started
            cap_drop: all
            capabilities:
              - chown
              - dac_override
              - net_bind_service
              - setgid
              - setuid
            pull: 'yes'
            hostname: "{{ ansible_nodename }}"
            container_default_behavior: compatibility
...

$ sudo yum install iptables
$ export DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/1000/bus
$ ansible-playbook --extra-vars "docker_user=ec2-user" -i '127.0.0.1,' -c local local.yml
$ DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/1000/bus XDG_RUNTIME_DIR="/run/user/1000" DOCKER_HOST="unix:///run/user/1000/docker.sock" /home/ec2-user/bin/docker ps
CONTAINER ID   IMAGE                COMMAND                  CREATED          STATUS                             PORTS                             NAMES
b2fee3b52dd2   konstruktoid/nginx   "/usr/sbin/nginx -g …"   33 seconds ago   Up 32 seconds (health: starting)   443/tcp, 127.0.0.1:9000->80/tcp   nginx
$ curl 127.0.0.1:9000
<html>
<head><title>404 Not Found</title></head>
<body>
<center><h1>404 Not Found</h1></center>
<hr><center>nginx</center>
</body>
</html>

konstruktoid avatar Jun 01 '22 20:06 konstruktoid

Thanks! That might be sufficient. Looking forward to when you create a release with this set of changes :)

benlei-gfm avatar Jun 01 '22 22:06 benlei-gfm

Let's leave the issue open as a reminder.

konstruktoid avatar Jun 02 '22 08:06 konstruktoid

Now works on Amazon Linux 2022.

$ ansible-playbook --extra-vars "docker_user=$(id -un)" -i '127.0.0.1,' -c local local.yml
$ DOCKER_HOST="unix:///run/user/$(id -u)/docker.sock" PATH="/home/$(id -un)/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" XDG_RUNTIME_DIR="/run/user/$(id -u)" docker ps

---
- hosts: all
  any_errors_fatal: true
  tasks:
    - name: install git
      become: true
      package:
        name: git
        state: present

    - name: checkout konstruktoid.docker_rootless
      become: true
      ansible.builtin.git:
        repo: 'https://github.com/konstruktoid/ansible-docker-rootless'
        dest: /etc/ansible/roles/konstruktoid.docker_rootless
        version: main

    - name: include konstruktoid.docker_rootless
      include_role:
        name: konstruktoid.docker_rootless

    - name: register "{{ docker_user }}" info
      become: 'yes'
      user:
        name: "{{ docker_user }}"
      check_mode: 'yes'
      register: docker_user_info
      tags:
        - user

    - name: nginx container block
      environment:
        XDG_RUNTIME_DIR: "/run/user/{{ docker_user_info.uid }}"
        PATH: "{{ docker_user_info.home }}/bin:{{ ansible_env.PATH }}"
        DOCKER_HOST: "unix:///run/user/{{ docker_user_info.uid }}/docker.sock"
      block:
        - name: nginx container
          become: 'yes'
          become_user: "{{ docker_user }}"
          community.docker.docker_container:
            name: nginx
            image: konstruktoid/nginx
            published_ports: 127.0.0.1:9000:80
            state: started
            cap_drop: all
            capabilities:
              - chown
              - dac_override
              - net_bind_service
              - setgid
              - setuid
            pull: 'yes'
            hostname: "{{ ansible_nodename }}"
            container_default_behavior: compatibility
...

konstruktoid avatar Jul 14 '22 21:07 konstruktoid