Docker: Difference between revisions

← Older edit

VisualWikitext

@@ Line 247: / Line 247: @@
 <translate>
 <!--T:37-->
-Rootless Docker lets you run the Docker daemon as a non-root user for improved security. Set the <code>rootless</code> option [[#Advanced|as shown above]]. The <code>setSocketVariable</code> option adds the <code>DOCKER_HOST</code> variable pointing to your rootless Docker instance.
+[https://docs.docker.com/engine/security/rootless/ Rootless Docker] lets you run the Docker daemon as a non-root user for improved security. To do so, enable {{nixos:option|virtualisation.docker.rootless}}. This activates the user-level systemd Docker service. Additionally, the option {{nixos:option|virtualisation.docker.rootless.setSocketVariable|setSocketVariable}} configures the <code>DOCKER_HOST</code> environment variable to point to the rootless Docker instance.
 </translate>
-<translate>
+<syntaxhighlight lang="nix">
-<!--T:38-->
+virtualisation.docker = {
-After enabling rootless mode, Docker can be started with:
+  # Consider disabling the system wide Docker daemon
-</translate>
+  enable = false;
-<syntaxhighlight lang="bash">
-$ systemctl --user enable --now docker
+  rootless = {
+    enable = true;
+    setSocketVariable = true;
+    # Optionally customize rootless Docker daemon settings
+    daemon.settings = {
+      dns = [ "1.1.1.1" "8.8.8.8" ];
+      registry-mirrors = [ "https://mirror.gcr.io" ];
+    };
+  };
+};
 </syntaxhighlight>
 <translate>
 <!--T:39-->
-This creates the 'docker.service' file which is required to start Docker. Note that the service will not start at boot by this command. You will have to set it up in your NixOS configuration. Now the following command will work:
+A system reboot is required for these changes to take effect. Alternatively, the environment variable can be set manually in the current shell session, and the user Docker service can be started with the following commands:
 </translate>
-<syntaxhighlight lang="bash">
+<syntaxhighlight lang="console">
+$ export DOCKER_HOST=unix://$XDG_RUNTIME_DIR/docker.sock
 $ systemctl --user start docker
 </syntaxhighlight>
+{{note|User services do not persist after logging out by default. This will cause any Docker containers to stop if a user logs out. Set option {{nixos:option|users.users.*.linger|users.users.<name>.linger}} to true for Docker containers to persist. See [[Systemd/User Services#Keeping user services running after logout]] for more details.}}
 <translate>
 <!--T:40-->
-Check its status with:
+To verify the status of the rootless Docker service:
 </translate>
-<syntaxhighlight lang="bash">
+<syntaxhighlight lang="console">
 $ systemctl --user status docker
+</syntaxhighlight>
+To confirm that Docker is running in rootless mode:
+<syntaxhighlight lang="console">
+$ docker info -f "{{println .SecurityOptions}}" | grep rootless
+</syntaxhighlight>
+=== Using Privileged Ports for Rootless Docker ===
+Rootless containers are not able to bind ports from 0 to 1023 as such port can only be used by privileged users.  This problem can be solved by using port forwarding.
+Assume you'd like a rootless container to make use of ports 53 (DNS; TPC and UDP) and 80 (web; TCP).  We may force the container to use port 8000 while the firewall is instructed for forward traffic from port 80 to 8000.  Same logic applies for port 53.  Refer to the following example:<syntaxhighlight lang="nixos"># Firewall
+networking.firewall = {
+  enable = true;
+  allowedTCPPorts = [ 80 8000 53 5300 ];
+  allowedUDPPorts = [ 53 5300 ];
+};
+boot.kernel.sysctl = {
+  "net.ipv4.conf.eth0.forwarding" = 1;    # enable port forwarding
+};
+networking = {
+  firewall.extraCommands = ''
+    iptables -A PREROUTING -t nat -i eth0 -p TCP --dport 80 -j REDIRECT --to-port 8000
+    iptables -A PREROUTING -t nat -i eth0 -p TCP --dport 53 -j REDIRECT --to-port 5300
+    iptables -A PREROUTING -t nat -i eth0 -p UDP --dport 53 -j REDIRECT --to-port 5300
+  '';
+};</syntaxhighlight>Whilst the docker-compose.yaml might look like this:<syntaxhighlight lang="dockerfile">
+services:
+  myserver:
+    image: ...
+    restart: always
+    ports:
+      - "5300:53/tcp"
+      - "5300:53/udp"
+      - "8000:80"
 </syntaxhighlight>
 <translate>
 === Creating images with Nix === <!--T:41-->
 </translate>
@@ Line 338: / Line 389: @@
 <translate>
 <!--T:48-->
-An alternative, if using [[flakes]], is to do <code>created = builtins.substring 0 8 self.lastModifiedDate</code>, which uses the commit date, and is therefore reproducible.
+An alternative, if using [[flakes]], is to do <code>created = "@" + builtins.toString self.lastModified</code>, which uses the commit date, and is therefore reproducible.
 </translate>
 <translate>
 ==== Calculating the sha256 for a pulled Docker image ==== <!--T:49-->
 </translate>
@@ Line 558: / Line 610: @@
 <translate>
 <!--T:77-->
-to provide access to <code>/var/run/mysqld/mysqld.sock</code>
+to provide access to <code>/var/run/mysqld/mysqld.sock</code>. Sadly, this means you'll have to restart the container when /var/run/mysqld is replaced, e.g. on an upgrade.
 </translate>
@@ Line 580: / Line 633: @@
 <translate>
-=== Common issues === <!--T:82-->
+=== Cannot connect to the Docker daemon === <!--T:83-->
-</translate>
-<translate>
-==== Cannot connect to the Docker daemon ==== <!--T:83-->
 </translate>
@@ Line 593: / Line 642: @@
 <translate>
 <!--T:85-->
-- The Docker service is running: `systemctl status docker`
+- The Docker service is running: <code>systemctl status docker</code>
 </translate>
 <translate>
 <!--T:86-->
-- Your user is in the docker group: `groups | grep docker`
+- Your user is in the docker [[User management#Adding User to a group|group]]: <code>groups | grep docker</code>
 </translate>
 <translate>
@@ Line 605: / Line 654: @@
 <translate>
-==== Storage space issues ==== <!--T:88-->
+=== Storage space issues === <!--T:88-->
 </translate>
@@ Line 626: / Line 675: @@
 <translate>
-==== Network conflicts ==== <!--T:90-->
+=== Network conflicts === <!--T:90-->
 </translate>
@@ Line 671: / Line 720: @@
 Restarting the container or Docker might be required.
 </translate>
+=== NVIDIA Docker Containers ===
+If attempting to pass your nvidia gpu through to docker container(s), you will need to install <code>nvidia-container-toolkit</code> and enable cdi.
+{{File|3={
+  virtualisation.docker.enable = true;
+  hardware.nvidia-container-toolkit.enable = true;
+  # Regular Docker
+  virtualisation.docker.daemon.settings.features.cdi = true;
+  # If using Rootless Docker
+  # virtualisation.docker.rootless.daemon.settings.features.cdi = true;
+}|name=configuration.nix|lang=nix}}
+You may also need to adjust your docker compose file to use cdi instead of the nvidia driver.
+{{File|3=services:
+  ollama:
+    image: ollama/ollama
+    volumes:
+      - ollama:/root/.ollama
+    ports:
+      - 11434:11434
+    deploy:
+      resources:
+        reservations:
+          devices:
+            # Go from this:
+            # - driver: nvidia
+            #   count: all
+            #   capabilities: [gpu]
+            # To this:
+            - driver: cdi
+              capabilities: [gpu]
+              device_ids:
+                - nvidia.com/gpu=all
+volumes:
+  ollama: {}|name=compose.yml|lang=yaml}}
 <translate>
 == References == <!--T:96-->
 </translate>
 <references/>
+== See also ==
+*[https://nixcademy.com/posts/auto-update-containers/ Run and Auto-Update Docker Containers on NixOS, Nixcademy]
 [[Category:Applications]]