@@ Line 6: / Line 6: @@
 <translate>
-<!--T:2-->
+== Installation == <!--T:2-->
-== Installation ==
 </translate>
 <translate>
-<!--T:3-->
+==== Shell ==== <!--T:3-->
-==== Shell ====
 </translate>
@@ Line 28: / Line 26: @@
 <translate>
-<!--T:6-->
+==== System setup ==== <!--T:6-->
-==== System setup ====
 </translate>
@@ Line 55: / Line 52: @@
 <translate>
-<!--T:9-->
+== Configuration == <!--T:9-->
-== Configuration ==
 </translate>
 <translate>
-<!--T:10-->
+==== Basic ==== <!--T:10-->
-==== Basic ====
 </translate>
@@ Line 85: / Line 80: @@
 <translate>
-<!--T:12-->
+==== Advanced ==== <!--T:12-->
-==== Advanced ====
 </translate>
@@ Line 112: / Line 106: @@
 <translate>
-<!--T:14-->
+== Docker Compose == <!--T:14-->
-== Docker Compose ==
 </translate>
 <translate>
@@ Line 131: / Line 124: @@
 <translate>
-<!--T:18-->
+=== Arion === <!--T:18-->
-=== Arion ===
 </translate>
 <translate>
@@ Line 175: / Line 167: @@
 <translate>
-<!--T:23-->
+=== Compose2Nix === <!--T:23-->
-=== Compose2Nix ===
 </translate>
 <translate>
@@ Line 184: / Line 175: @@
 <translate>
-<!--T:25-->
+==== Install ==== <!--T:25-->
-==== Install ====
 </translate>
 <translate>
@@ Line 216: / Line 206: @@
 <translate>
-<!--T:29-->
+==== Usage ==== <!--T:29-->
-==== Usage ====
 </translate>
 <translate>
@@ Line 237: / Line 226: @@
 <translate>
-<!--T:33-->
+== Tips and tricks == <!--T:33-->
-== Tips and tricks ==
 </translate>
 <translate>
-<!--T:34-->
+=== Docker on btrfs === <!--T:34-->
-=== Docker on btrfs ===
 </translate>
@@ Line 255: / Line 242: @@
 <translate>
-<!--T:36-->
+=== Rootless Docker === <!--T:36-->
-=== Rootless Docker ===
 </translate>
 <translate>
 <!--T:37-->
-Rootless Docker lets you run the Docker daemon as a non-root user for improved security. Set the <code>rootless</code> option [[#Advanced|as shown above]]. The <code>setSocketVariable</code> option adds the <code>DOCKER_HOST</code> variable pointing to your rootless Docker instance.
+[https://docs.docker.com/engine/security/rootless/ Rootless Docker] lets you run the Docker daemon as a non-root user for improved security. To do so, enable {{nixos:option|virtualisation.docker.rootless}}. This activates the user-level systemd Docker service. Additionally, the option {{nixos:option|virtualisation.docker.rootless.setSocketVariable|setSocketVariable}} configures the <code>DOCKER_HOST</code> environment variable to point to the rootless Docker instance.
 </translate>
-<translate>
+<syntaxhighlight lang="nix">
-<!--T:38-->
+virtualisation.docker = {
-After enabling rootless mode, Docker can be started with:
+  # Consider disabling the system wide Docker daemon
-</translate>
+  enable = false;
-<syntaxhighlight lang="bash">
-$ systemctl --user enable --now docker
+  rootless = {
+    enable = true;
+    setSocketVariable = true;
+    # Optionally customize rootless Docker daemon settings
+    daemon.settings = {
+      dns = [ "1.1.1.1" "8.8.8.8" ];
+      registry-mirrors = [ "https://mirror.gcr.io" ];
+    };
+  };
+};
 </syntaxhighlight>
 <translate>
 <!--T:39-->
-This creates the 'docker.service' file which is required to start Docker. Note that the service will not start at boot by this command. You will have to set it up in your NixOS configuration. Now the following command will work:
+A system reboot is required for these changes to take effect. Alternatively, the environment variable can be set manually in the current shell session, and the user Docker service can be started with the following commands:
 </translate>
-<syntaxhighlight lang="bash">
+<syntaxhighlight lang="console">
+$ export DOCKER_HOST=unix://$XDG_RUNTIME_DIR/docker.sock
 $ systemctl --user start docker
 </syntaxhighlight>
+{{note|User services do not persist after logging out by default. This will cause any Docker containers to stop if a user logs out. Set option {{nixos:option|users.users.*.linger|users.users.<name>.linger}} to true for Docker containers to persist. See [[Systemd/User Services#Keeping user services running after logout]] for more details.}}
 <translate>
 <!--T:40-->
-Check its status with:
+To verify the status of the rootless Docker service:
 </translate>
-<syntaxhighlight lang="bash">
+<syntaxhighlight lang="console">
 $ systemctl --user status docker
+</syntaxhighlight>
+To confirm that Docker is running in rootless mode:
+<syntaxhighlight lang="console">
+$ docker info -f "{{println .SecurityOptions}}" | grep rootless
+</syntaxhighlight>
+=== Using Privileged Ports for Rootless Docker ===
+Rootless containers are not able to ports from 0 to 1023 as such port can only be used by privileged users.  This problem can be solved by using port forwarding.
+Assume you'd like a rootless container to make use of ports 53 (DNS; TPC and UDP) and 80 (web; TCP).  We may force the container to use port 8000 while the firewall is instructed for forward traffic from port 80 to 8000.  Same logic applies for port 53.  Refer to the following example:<syntaxhighlight lang="nixos"># Firewall
+networking.firewall = {
+  enable = true;
+  allowedTCPPorts = [ 80 8000 53 5300 ];
+  allowedUDPPorts = [ 53 5300 ];
+};
+boot.kernel.sysctl = {
+  "net.ipv4.conf.eth0.forwarding" = 1;    # enable port forwarding
+};
+networking = {
+  firewall.extraCommands = ''
+    iptables -A PREROUTING -t nat -i eth0 -p TCP --dport 80 -j REDIRECT --to-port 8000
+    iptables -A PREROUTING -t nat -i eth0 -p TCP --dport 53 -j REDIRECT --to-port 5300
+    iptables -A PREROUTING -t nat -i eth0 -p UDP --dport 53 -j REDIRECT --to-port 5300
+  '';
+};</syntaxhighlight>Whilst the docker-compose.yaml might look like this:<syntaxhighlight lang="dockerfile">
+services:
+  myserver:
+    image: ...
+    restart: always
+    ports:
+      - "5300:53/tcp"
+      - "5300:53/udp"
+      - "8000:80"
 </syntaxhighlight>
 <translate>
-<!--T:41-->
-=== Creating images with Nix ===
+=== Creating images with Nix === <!--T:41-->
 </translate>
 <translate>
-<!--T:42-->
+==== Building a docker image with nixpkgs ==== <!--T:42-->
-==== Building a docker image with nixpkgs ====
 </translate>
 <translate>
@@ Line 344: / Line 379: @@
 <translate>
-<!--T:46-->
+==== Reproducible image dates ==== <!--T:46-->
-==== Reproducible image dates ====
 </translate>
@@ Line 359: / Line 393: @@
 <translate>
-<!--T:49-->
+==== Calculating the sha256 for a pulled Docker image ==== <!--T:49-->
-==== Calculating the sha256 for a pulled Docker image ====
 </translate>
@@ Line 398: / Line 431: @@
 <translate>
-<!--T:53-->
+==== Directly Using Nix in Image Layers ==== <!--T:53-->
-==== Directly Using Nix in Image Layers ====
 </translate>
@@ Line 413: / Line 445: @@
 <translate>
-<!--T:56-->
+=== Using Podman as an alternative === <!--T:56-->
-=== Using Podman as an alternative ===
 </translate>
@@ Line 436: / Line 467: @@
 <translate>
-<!--T:58-->
+=== Changing Docker Daemon's Data Root === <!--T:58-->
-=== Changing Docker Daemon's Data Root ===
 </translate>
@@ Line 451: / Line 481: @@
 <translate>
-<!--T:60-->
+=== Docker Containers as systemd Services === <!--T:60-->
-=== Docker Containers as systemd Services ===
 </translate>
@@ Line 501: / Line 530: @@
 <translate>
-<!--T:64-->
+==== Usage ==== <!--T:64-->
-==== Usage ====
 </translate>
 <translate>
@@ Line 560: / Line 588: @@
 <translate>
-<!--T:73-->
+===== Exposing ports from the host ===== <!--T:73-->
-===== Exposing ports from the host =====
 </translate>
 <translate>
@@ Line 569: / Line 596: @@
 <translate>
-<!--T:75-->
+===== Exposing sockets from the host ===== <!--T:75-->
-===== Exposing sockets from the host =====
 </translate>
 <translate>
@@ Line 583: / Line 609: @@
 <translate>
 <!--T:77-->
-to provide access to <code>/var/run/mysqld/mysqld.sock</code>
+to provide access to <code>/var/run/mysqld/mysqld.sock</code>. Sadly, this means you'll have to restart the container when /var/run/mysqld is replaced, e.g. on an upgrade.
 </translate>
 <translate>
-<!--T:78-->
+=== Running the docker daemon from nix-the-package-manager - not NixOS === <!--T:78-->
-=== Running the docker daemon from nix-the-package-manager - not NixOS ===
 </translate>
@@ Line 602: / Line 628: @@
 <translate>
-<!--T:81-->
+== Troubleshooting == <!--T:81-->
-== Troubleshooting ==
 </translate>
 <translate>
-<!--T:82-->
+=== Cannot connect to the Docker daemon === <!--T:83-->
-=== Common issues ===
-</translate>
-<translate>
-<!--T:83-->
-==== Cannot connect to the Docker daemon ====
 </translate>
@@ Line 622: / Line 641: @@
 <translate>
 <!--T:85-->
-- The Docker service is running: `systemctl status docker`
+- The Docker service is running: <code>systemctl status docker</code>
 </translate>
 <translate>
 <!--T:86-->
-- Your user is in the docker group: `groups | grep docker`
+- Your user is in the docker [[User management#Adding User to a group|group]]: <code>groups | grep docker</code>
 </translate>
 <translate>
@@ Line 634: / Line 653: @@
 <translate>
-<!--T:88-->
+=== Storage space issues === <!--T:88-->
-==== Storage space issues ====
 </translate>
@@ Line 656: / Line 674: @@
 <translate>
-<!--T:90-->
+=== Network conflicts === <!--T:90-->
-==== Network conflicts ====
 </translate>
@@ Line 676: / Line 693: @@
 <translate>
-<!--T:92-->
+=== Cannot connect to public Wi-Fi, when using Docker === <!--T:92-->
-=== Cannot connect to public Wi-Fi, when using Docker ===
 </translate>
@@ Line 705: / Line 721: @@
 <translate>
-<!--T:96-->
-== References ==
+== References == <!--T:96-->
 </translate>

Docker: Difference between revisions