Docker: Difference between revisions

Joshbuker (talk | contribs)
Add a section for using nvidia with docker containers
QuBe (talk | contribs)
System setup: Add note about restart being possibly required
Tags: Mobile edit Mobile web edit
 
(6 intermediate revisions by 6 users not shown)
Line 32: Line 32:
<!--T:7-->
<!--T:7-->
To install Docker on NixOS, add the virtualization.docker module to your system configuration at <code>/etc/nixos/configuration.nix</code>:<ref>https://nixos.org/manual/nixos/stable/options#opt-virtualisation.docker.enable</ref>
To install Docker on NixOS, add the virtualization.docker module to your system configuration at <code>/etc/nixos/configuration.nix</code>:<ref>https://nixos.org/manual/nixos/stable/options#opt-virtualisation.docker.enable</ref>
(Note that it may take a restart for the group changes to take effect.)
</translate>
</translate>
<syntaxhighlight lang="nix">
<syntaxhighlight lang="nix">
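Review bot: the added restart note sits between the sentence that introduces the configuration and the `<syntaxhighlight>` block that belongs to it, so it reads as if a reboot were required before the snippet below is applied; move it after the code block and say what actually has to change: membership in the docker group only becomes visible to a new login session, so logging out and back in (or `newgrp docker` in the current shell) is enough, a full restart is not required. Since the note is about that group, it is also the place to warn that membership in the docker group is effectively root on the host, which is what the Rootless Docker section later on the page is for. Unrelated to this edit but on both sides of the hunk: the text says "virtualization.docker module" while the cited manual URL and the option itself are spelled `virtualisation.docker.enable`; use the real option name.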
Line 52: Line 53:


<translate>
<translate>
== Configuration == <!--T:9-->
== Configuration == <!--T:9-->
</translate>
</translate>
Line 294: Line 296:


=== Using Privileged Ports for Rootless Docker ===
=== Using Privileged Ports for Rootless Docker ===
Rootless containers are not able to ports from 0 to 1023 as such port can only be used by privileged users.  This problem can be solved by using port forwarding.
Rootless containers are not able to bind ports from 0 to 1023 as such port can only be used by privileged users.  This problem can be solved by using port forwarding.


Assume you'd like a rootless container to make use of ports 53 (DNS; TPC and UDP) and 80 (web; TCP).  We may force the container to use port 8000 while the firewall is instructed for forward traffic from port 80 to 8000.  Same logic applies for port 53.  Refer to the following example:<syntaxhighlight lang="nixos"># Firewall
Assume you'd like a rootless container to make use of ports 53 (DNS; TPC and UDP) and 80 (web; TCP).  We may force the container to use port 8000 while the firewall is instructed for forward traffic from port 80 to 8000.  Same logic applies for port 53.  Refer to the following example:<syntaxhighlight lang="nixos"># Firewall
Line 301: Line 303:
   allowedTCPPorts = [ 80 8000 53 5300 ];
   allowedTCPPorts = [ 80 8000 53 5300 ];
   allowedUDPPorts = [ 53 5300 ];
   allowedUDPPorts = [ 53 5300 ];
  extraCommands = ''
    iptables -A PREROUTING -t nat -i eth0 -p TCP --dport 80 -j REDIRECT --to-port 8000
    iptables -A PREROUTING -t nat -i eth0 -p TCP --dport 53 -j REDIRECT --to-port 5300
    iptables -A PREROUTING -t nat -i eth0 -p UDP --dport 53 -j REDIRECT --to-port 5300
  '';
};
};


boot.kernel.sysctl = {
boot.kernel.sysctl = {
   "net.ipv4.conf.eth0.forwarding" = 1;    # enable port forwarding
   "net.ipv4.conf.eth0.forwarding" = 1;    # enable port forwarding
};
   
networking = {
  firewall.extraCommands = ''
    iptables -A PREROUTING -t nat -i eth0 -p TCP --dport 80 -j REDIRECT --to-port 8000
    iptables -A PREROUTING -t nat -i eth0 -p TCP --dport 53 -j REDIRECT --to-port 5300
    iptables -A PREROUTING -t nat -i eth0 -p UDP --dport 53 -j REDIRECT --to-port 5300
  '';
};</syntaxhighlight>Whilst the docker-compose.yaml might look like this:<syntaxhighlight lang="dockerfile">
};</syntaxhighlight>Whilst the docker-compose.yaml might look like this:<syntaxhighlight lang="dockerfile">
services:
services:
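Review bot: the three `iptables -A PREROUTING -t nat ...` lines now in `extraCommands` are appended every time the firewall script runs, and the NixOS firewall only flushes its own nixos-fw chains on reload, not the nat PREROUTING chain, so every restart leaves duplicate REDIRECT rules behind; either remove them with matching `iptables -t nat -D PREROUTING ...` lines in `networking.firewall.extraStopCommands`, or guard each with `iptables -t nat -C ... || iptables -t nat -A ...`. The `"net.ipv4.conf.eth0.forwarding" = 1` sysctl kept in the hunk is not what makes this work and should go: REDIRECT rewrites the destination to the host's own address and the packet is delivered locally, whereas enabling forwarding makes the host route traffic arriving on eth0 and widens its exposure for no benefit. Because the redirect happens in PREROUTING before the filter table sees the packet, only 8000 and 5300 need to be in `allowedTCPPorts` and `allowedUDPPorts`; listing 80 and 53 as well opens them for nothing. Also worth a sentence: `-i eth0` means connections from the host itself are not redirected, so local tests must still use 8000 and 5300. The alternative that avoids NAT altogether is the sysctl `net.ipv4.ip_unprivileged_port_start = 0`, which lets the rootless daemon bind low ports directly, at the cost of allowing every unprivileged process on the host to do the same. Text nits carried over unchanged: "TPC" should be "TCP" and "instructed for forward" should be "instructed to forward"; `lang="nixos"` is not a highlighter lexer, use `lang="nix"`, and the compose file should be `lang="yaml"` rather than `lang="dockerfile"`.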
Line 389: Line 388:
<translate>
<translate>
<!--T:48-->
<!--T:48-->
An alternative, if using [[flakes]], is to do <code>created = builtins.substring 0 8 self.lastModifiedDate</code>, which uses the commit date, and is therefore reproducible.
An alternative, if using [[flakes]], is to do <code>created = "@" + builtins.toString self.lastModified</code>, which uses the commit date, and is therefore reproducible.
</translate>
</translate>


<translate>
<translate>
==== Calculating the sha256 for a pulled Docker image ==== <!--T:49-->
==== Calculating the sha256 for a pulled Docker image ==== <!--T:49-->
</translate>
</translate>
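Review bot: the new expression is an improvement but the sentence should explain it, since `"@" + builtins.toString self.lastModified` looks odd on its own: `self.lastModified` is the commit time as an integer number of seconds since the epoch, and the `@` prefix turns it into the `@<seconds>` form that GNU `date -d` understands, which is how dockerTools normalises `created`, so the image timestamp now carries the full commit time instead of the day-only `YYYYMMDD` string produced by the old `builtins.substring 0 8 self.lastModifiedDate`. "uses the commit date" is still accurate; "commit timestamp" would be more precise.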
Line 724: Line 724:


{{File|3={
{{File|3={
   virtualisation.docker.enable = true;
   # virtualisation.docker.enable = true; # This option is deprecated, please set hardware.nvidia-container-toolkit.enable instead.


   hardware.nvidia-container-toolkit.enable = true;
   hardware.nvidia-container-toolkit.enable = true;
  # Prevents: - Option enableNvidia on x86_64 requires 32-bit support libraries
   # Regular Docker
   # Regular Docker
   virtualisation.docker.daemon.settings.features.cdi = true;
   virtualisation.docker.daemon.settings.features.cdi = true;
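Review bot: the new comment on the first line of the snippet is wrong and the change it makes breaks the setup. `virtualisation.docker.enable` is not deprecated; it is the option that installs and starts Docker at all, and with it commented out the `virtualisation.docker.daemon.settings.features.cdi = true;` line further down configures a daemon that does not exist. The option that was deprecated in favour of `hardware.nvidia-container-toolkit.enable` is `virtualisation.docker.enableNvidia`, which is also the source of the assertion quoted in the added `# Prevents: - Option enableNvidia on x86_64 requires 32-bit support libraries` comment. Restore `virtualisation.docker.enable = true;` and reword the comment to say that `virtualisation.docker.enableNvidia` must not be set because it is deprecated in favour of `hardware.nvidia-container-toolkit.enable`; the `# Prevents:` comment then belongs next to that statement, since it is leaving `enableNvidia` unset that avoids the assertion.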
Line 754: Line 755:
               capabilities: [gpu]
               capabilities: [gpu]
               device_ids:
               device_ids:
                 - nvidia.com/gpu=all|name=compose.yml|lang=yaml}}
                 - nvidia.com/gpu=all
volumes:
  ollama: {}|name=compose.yml|lang=yaml}}


<translate>
<translate>
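Review bot: the added top-level `volumes:` block declaring the named volume `ollama` is correctly placed at the root of the compose file, but it only does anything if a service earlier in the file mounts it with a `volumes:` entry that references `ollama`, which this hunk does not show; confirm that reference exists, otherwise the declaration is dead. While in this section: `nvidia.com/gpu=all` under `device_ids` hands every GPU on the host to the container, so on a multi-GPU host the least-privilege choice is a specific device such as `nvidia.com/gpu=0` in the same list.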
Line 762: Line 765:


<references/>
<references/>
== See also ==
*[https://nixcademy.com/posts/auto-update-containers/ Run and Auto-Update Docker Containers on NixOS, Nixcademy]


[[Category:Applications]]
[[Category:Applications]]