Official NixOS Wiki

Docker: Difference between revisions

← Older editNewer edit →
Layer-09 (talk | contribs)
175 edits
VisualWikitext
Pigs (talk | contribs)
275 edits
m Rootless Docker: link to the configuration of enabling rootless mode
Layer-09 (talk | contribs)
175 edits
m Translation tags
Line 1: Line 1:
<languages/>
<languages/>
<translate>
<!--T:1-->
[https://www.docker.com/ Docker] is a platform for building, packaging, and distributing applications inside containers. Containers bundle an application's code, configurations, and dependencies into a single object that runs consistently across different computing environments. Docker works well with NixOS through the virtualization module.<ref>https://www.docker.com/resources/what-container/</ref>
[https://www.docker.com/ Docker] is a platform for building, packaging, and distributing applications inside containers. Containers bundle an application's code, configurations, and dependencies into a single object that runs consistently across different computing environments. Docker works well with NixOS through the virtualization module.<ref>https://www.docker.com/resources/what-container/</ref>
</translate>


== Installation ==
== Installation ==
Line 6: Line 9:
==== Shell ====
==== Shell ====


<translate>
<!--T:2-->
To temporarily use Docker in a shell environment, you can run:
To temporarily use Docker in a shell environment, you can run:
</translate>
<syntaxhighlight lang="bash">
<syntaxhighlight lang="bash">
nix-shell -p docker
nix-shell -p docker
</syntaxhighlight>
</syntaxhighlight>
 
<translate>
<!--T:3-->
This will provide a shell with Docker CLI available, but note that the Docker daemon will not be running. For full functionality, you'll need a system-level installation.
This will provide a shell with Docker CLI available, but note that the Docker daemon will not be running. For full functionality, you'll need a system-level installation.
</translate>


==== System setup ====
==== System setup ====


<translate>
<!--T:4-->
To install Docker on NixOS, add the virtualization.docker module to your system configuration at <code>/etc/nixos/configuration.nix</code>:<ref>https://nixos.org/manual/nixos/stable/options#opt-virtualisation.docker.enable</ref>
To install Docker on NixOS, add the virtualization.docker module to your system configuration at <code>/etc/nixos/configuration.nix</code>:<ref>https://nixos.org/manual/nixos/stable/options#opt-virtualisation.docker.enable</ref>
</translate>
<syntaxhighlight lang="nix">
<syntaxhighlight lang="nix">
# In /etc/nixos/configuration.nix
# In /etc/nixos/configuration.nix
Line 36: Line 47:
==== Basic ====
==== Basic ====


<translate>
<!--T:5-->
The basic Docker configuration on NixOS includes several options you can set in your <code>configuration.nix</code> file:
The basic Docker configuration on NixOS includes several options you can set in your <code>configuration.nix</code> file:
</translate>
<syntaxhighlight lang="nix">
<syntaxhighlight lang="nix">
virtualisation.docker = {
virtualisation.docker = {
Line 55: Line 69:
==== Advanced ====
==== Advanced ====


<translate>
<!--T:6-->
For more advanced configuration, you can customize Docker daemon options and networking:
For more advanced configuration, you can customize Docker daemon options and networking:
</translate>
<syntaxhighlight lang="nix">
<syntaxhighlight lang="nix">
virtualisation.docker = {
virtualisation.docker = {
Line 73: Line 90:
};
};
</syntaxhighlight>
</syntaxhighlight>


== Docker Compose ==
== Docker Compose ==
<translate>
<!--T:7-->
Currently, there are two options to use Docker Compose with NixOS: Arion or Compose2Nix.
Currently, there are two options to use Docker Compose with NixOS: Arion or Compose2Nix.
</translate>


With Arion, you can specify most Docker Compose options in Nix Syntax, and Arion will generate a <code>docker-compose.yml</code> file internally. The result is a systemd service that starts and stops the container.  
With Arion, you can specify most Docker Compose options in Nix Syntax, and Arion will generate a <code>docker-compose.yml</code> file internally. The result is a systemd service that starts and stops the container.  
Line 83: Line 102:


=== Arion ===
=== Arion ===
<translate>
<!--T:8-->
[https://docs.hercules-ci.com/arion/ Arion] is created for running Nix-based projects in Docker Compose. It uses the NixOS module system for configuration, it can bypass <code>docker build</code> and lets you use dockerTools or use the store directly in the containers. The images/containers can be typical dockerTools style images or full NixOS configs.
[https://docs.hercules-ci.com/arion/ Arion] is created for running Nix-based projects in Docker Compose. It uses the NixOS module system for configuration, it can bypass <code>docker build</code> and lets you use dockerTools or use the store directly in the containers. The images/containers can be typical dockerTools style images or full NixOS configs.
</translate>


To use Arion, you first need to add its module to your NixOS configuration:
To use Arion, you first need to add its module to your NixOS configuration:
Line 112: Line 134:


=== Compose2Nix ===
=== Compose2Nix ===
<translate>
<!--T:9-->
With [https://github.com/aksiksi/compose2nix compose2nix] you can generate [https://search.nixos.org/options?query=virtualisation.oci-containers oci-containers] config from a <code>docker-compose.yaml</code>.  
With [https://github.com/aksiksi/compose2nix compose2nix] you can generate [https://search.nixos.org/options?query=virtualisation.oci-containers oci-containers] config from a <code>docker-compose.yaml</code>.  
</translate>


==== Install ====
==== Install ====
To use <code>compose2nix</code> with <code>nix-shell</code> you can use<syntaxhighlight lang="bash">
<translate>
<!--T:10-->
To use <code>compose2nix</code> with <code>nix-shell</code> you can use
</translate>
<syntaxhighlight lang="bash">
nix shell github:aksiksi/compose2nix
nix shell github:aksiksi/compose2nix
compose2nix -h
compose2nix -h
</syntaxhighlight>To install <code>compose2nix</code> to NixOS, add the repo to your flake inputs<syntaxhighlight lang="nix">
</syntaxhighlight>
<translate>
<!--T:11-->
To install <code>compose2nix</code> to NixOS, add the repo to your flake inputs
</translate>
<syntaxhighlight lang="nix">
compose2nix = {
compose2nix = {
   url = "github:aksiksi/compose2nix";
   url = "github:aksiksi/compose2nix";
   inputs.nixpkgs.follows = "nixpkgs";
   inputs.nixpkgs.follows = "nixpkgs";
};
};
</syntaxhighlight>and add the package to your configuration<syntaxhighlight lang="nix">
</syntaxhighlight>
<translate>
<!--T:12-->
and add the package to your configuration
</translate>
<syntaxhighlight lang="nix">
environment.systemPackages = [
environment.systemPackages = [
   inputs.compose2nix.packages.x86_64-linux.default
   inputs.compose2nix.packages.x86_64-linux.default
Line 130: Line 169:


==== Usage ====
==== Usage ====
<translate>
<!--T:13-->
After you have installed <code>compose2nix</code>, you can run <code>compose2nix</code> in the directory with your <code>docker-compose.yml</code>, which will output a <code>docker-compose.nix</code>.
After you have installed <code>compose2nix</code>, you can run <code>compose2nix</code> in the directory with your <code>docker-compose.yml</code>, which will output a <code>docker-compose.nix</code>.
</translate>


Alternatively, you can specify the input and output files with the following flags<syntaxhighlight lang="bash">
Alternatively, you can specify the input and output files with the following flags
<syntaxhighlight lang="bash">
compose2nix -inputs input.yml -output output.nix -runtime docker
compose2nix -inputs input.yml -output output.nix -runtime docker
</syntaxhighlight>The <code>-runtime</code> flag specifies the runtime. Here, we select <code>docker</code>. Options are <code>podman</code> and <code>docker</code>. The default is <code>podman</code>
</syntaxhighlight>
 
<translate>
 
<!--T:14-->
The <code>-runtime</code> flag specifies the runtime. Here, we select <code>docker</code>. Options are <code>podman</code> and <code>docker</code>. The default is <code>podman</code>
</translate>


== Tips and tricks ==
== Tips and tricks ==
Line 142: Line 187:
=== Docker on btrfs ===
=== Docker on btrfs ===


<translate>
<!--T:15-->
If you use the [[btrfs]] file system, you might need to set the {{nixos:option|virtualisation.docker.storageDriver|storageDriver}} option:
If you use the [[btrfs]] file system, you might need to set the {{nixos:option|virtualisation.docker.storageDriver|storageDriver}} option:
</translate>
<syntaxhighlight lang="nix">
<syntaxhighlight lang="nix">
virtualisation.docker.storageDriver = "btrfs";
virtualisation.docker.storageDriver = "btrfs";
Line 149: Line 197:
=== Rootless Docker ===
=== Rootless Docker ===


<translate>
<!--T:16-->
Rootless Docker lets you run the Docker daemon as a non-root user for improved security. Set the <code>rootless</code> option [[#Advanced|as shown above]]. The <code>setSocketVariable</code> option adds the <code>DOCKER_HOST</code> variable pointing to your rootless Docker instance.
Rootless Docker lets you run the Docker daemon as a non-root user for improved security. Set the <code>rootless</code> option [[#Advanced|as shown above]]. The <code>setSocketVariable</code> option adds the <code>DOCKER_HOST</code> variable pointing to your rootless Docker instance.
</translate>


After enabling rootless mode, Docker can be started with:
After enabling rootless mode, Docker can be started with:
Line 169: Line 220:


==== Building a docker image with nixpkgs ====
==== Building a docker image with nixpkgs ====
<translate>
<!--T:17-->
There is an entry for [https://nixos.org/nixpkgs/manual/#sec-pkgs-dockerTools dockerTools] in the Nixpkgs manual for reference. In the linked page, they give the following example config:
There is an entry for [https://nixos.org/nixpkgs/manual/#sec-pkgs-dockerTools dockerTools] in the Nixpkgs manual for reference. In the linked page, they give the following example config:
</translate>


<syntaxhighlight lang="nix">
<syntaxhighlight lang="nix">
Line 208: Line 262:
==== Reproducible image dates ====
==== Reproducible image dates ====


<translate>
<!--T:18-->
The manual advises against using <code>created = "now"</code>, as that prevents images from being reproducible.
The manual advises against using <code>created = "now"</code>, as that prevents images from being reproducible.
</translate>


An alternative, if using [[flakes]], is to do <code>created = builtins.substring 0 8 self.lastModifiedDate</code>, which uses the commit date, and is therefore reproducible.
An alternative, if using [[flakes]], is to do <code>created = builtins.substring 0 8 self.lastModifiedDate</code>, which uses the commit date, and is therefore reproducible.
Line 214: Line 271:
==== Calculating the sha256 for a pulled Docker image ====
==== Calculating the sha256 for a pulled Docker image ====


<translate>
<!--T:19-->
The <code>sha256</code> argument of the <code>dockerTools.pullImage</code> function is the checksum of the archive generated by Skopeo. Since the archive contains the name and the tag of the image, Skopeo arguments used to fetch the image have to be identical to those used by the <code>dockerTools.pullImage</code> function.
The <code>sha256</code> argument of the <code>dockerTools.pullImage</code> function is the checksum of the archive generated by Skopeo. Since the archive contains the name and the tag of the image, Skopeo arguments used to fetch the image have to be identical to those used by the <code>dockerTools.pullImage</code> function.
</translate>


For instance, the SHA of the following image
For instance, the SHA of the following image
Line 241: Line 301:
==== Directly Using Nix in Image Layers ====
==== Directly Using Nix in Image Layers ====


<translate>
<!--T:20-->
Instead of copying Nix packages into Docker image layers, Docker can be configured to directly utilize the <code>nix-store</code> by integrating with [https://github.com/pdtpartners/nix-snapshotter nix-snapshotter].
Instead of copying Nix packages into Docker image layers, Docker can be configured to directly utilize the <code>nix-store</code> by integrating with [https://github.com/pdtpartners/nix-snapshotter nix-snapshotter].
</translate>


This will significantly reduce data duplication and the time it takes to pull images.
This will significantly reduce data duplication and the time it takes to pull images.
Line 247: Line 310:
=== Using Podman as an alternative ===
=== Using Podman as an alternative ===


Podman is a daemonless container engine that can run Docker containers without elevated privileges. It can be used as a drop-in replacement for Docker in many cases:<ref>https://podman.io/</ref>
<translate>
<!--T:21-->
Podman is a daemonless container engine that can run Docker containers without elevated privileges. It can be used as a drop-in replacement for Docker in many cases:
</translate>
<syntaxhighlight lang="nix">
<syntaxhighlight lang="nix">
# Enable Podman in configuration.nix
# Enable Podman in configuration.nix
Line 264: Line 330:
=== Changing Docker Daemon's Data Root ===
=== Changing Docker Daemon's Data Root ===


<translate>
<!--T:22-->
By default, the Docker daemon stores images, containers, and build context on the root file system. To use a different storage location, specify a new <code>data-root</code> in your configuration:
By default, the Docker daemon stores images, containers, and build context on the root file system. To use a different storage location, specify a new <code>data-root</code> in your configuration:
</translate>
<syntaxhighlight lang="nix">
<syntaxhighlight lang="nix">
virtualisation.docker.daemon.settings = {
virtualisation.docker.daemon.settings = {
Line 273: Line 342:
=== Docker Containers as systemd Services ===
=== Docker Containers as systemd Services ===


<translate>
<!--T:23-->
You can run Docker containers as systemd services using the <code>oci-containers</code> module:
You can run Docker containers as systemd services using the <code>oci-containers</code> module:
</translate>
<syntaxhighlight lang="nix">
<syntaxhighlight lang="nix">
virtualisation.oci-containers = {
virtualisation.oci-containers = {
Line 310: Line 382:


==== Usage ====
==== Usage ====
<translate>
<!--T:24-->
Unless otherwise specified, NixOS uses Podman to run OCI containers. Note that these are '''user-specific''', so running commands with or without sudo can change your output.
Unless otherwise specified, NixOS uses Podman to run OCI containers. Note that these are '''user-specific''', so running commands with or without sudo can change your output.
</translate>


List containers<syntaxhighlight lang="console">
List containers
<syntaxhighlight lang="console">
# podman ps
# podman ps
</syntaxhighlight>Update image<syntaxhighlight lang="console">
</syntaxhighlight>
Update image
<syntaxhighlight lang="console">
# podman restart hackagecompare
# podman restart hackagecompare
</syntaxhighlight>List images<syntaxhighlight lang="console">
</syntaxhighlight>
List images
<syntaxhighlight lang="console">
# podman ls
# podman ls
</syntaxhighlight>Remove container<syntaxhighlight lang="console">
</syntaxhighlight>
Remove container
<syntaxhighlight lang="console">
# podman rm hackagecompare
# podman rm hackagecompare
</syntaxhighlight>Remove image<syntaxhighlight lang="console">
</syntaxhighlight>
Remove image
<syntaxhighlight lang="console">
# podman rmi c0d9a5f58afe
# podman rmi c0d9a5f58afe
</syntaxhighlight>Update image<syntaxhighlight lang="console">
</syntaxhighlight>
Update image
<syntaxhighlight lang="console">
# podman pull chrissound/hackagecomparestats-webserver:latest
# podman pull chrissound/hackagecomparestats-webserver:latest
</syntaxhighlight>Run interactive shell in running container<syntaxhighlight lang="console">
</syntaxhighlight>
Run interactive shell in running container
<syntaxhighlight lang="console">
# podman exec -ti $ContainerId /bin/sh
# podman exec -ti $ContainerId /bin/sh
</syntaxhighlight>
</syntaxhighlight>


===== Exposing ports from the host =====
===== Exposing ports from the host =====
<translate>
<!--T:25-->
If you have a service running on the host that you want to connect to from the container, you could try connecting to the hostname <code>host.containers.internal</code> (or <code>host.docker.internal</code> for podman), but this might require additional networking setup
If you have a service running on the host that you want to connect to from the container, you could try connecting to the hostname <code>host.containers.internal</code> (or <code>host.docker.internal</code> for podman), but this might require additional networking setup
</translate>


===== Exposing sockets from the host =====
===== Exposing sockets from the host =====
<translate>
<!--T:26-->
If you have a service running on the host that exposes a socket, such as mariadb, you can also expose that socket to the container instead. You'll want to expose the folder the socket is in as a volume - so:
If you have a service running on the host that exposes a socket, such as mariadb, you can also expose that socket to the container instead. You'll want to expose the folder the socket is in as a volume - so:
 
</translate>
<syntaxhighlight lang="bash">
<syntaxhighlight lang="bash">
       volumes = [
       volumes = [
Line 339: Line 432:
       ];
       ];
</syntaxhighlight>
</syntaxhighlight>
 
<translate>
<!--T:27-->
to provide access to <code>/var/run/mysqld/mysqld.sock</code>
to provide access to <code>/var/run/mysqld/mysqld.sock</code>
</translate>


=== Running the docker daemon from nix-the-package-manager - not NixOS ===
=== Running the docker daemon from nix-the-package-manager - not NixOS ===


<translate>
<!--T:28-->
This is not supported. You're better off installing the docker daemon [https://docs.docker.com/engine/install/ "the normal non-nix way"].
This is not supported. You're better off installing the docker daemon [https://docs.docker.com/engine/install/ "the normal non-nix way"].
</translate>


See the discourse discussion: [https://discourse.nixos.org/t/how-to-run-docker-daemon-from-nix-not-nixos/43413 How to run docker daemon from nix (not NixOS)] for more.
See the discourse discussion: [https://discourse.nixos.org/t/how-to-run-docker-daemon-from-nix-not-nixos/43413 How to run docker daemon from nix (not NixOS)] for more.
Line 354: Line 452:
==== Cannot connect to the Docker daemon ====
==== Cannot connect to the Docker daemon ====


<translate>
<!--T:29-->
If you encounter errors connecting to the Docker daemon, check that:
If you encounter errors connecting to the Docker daemon, check that:
- The Docker service is running: `systemctl status docker`
- The Docker service is running: `systemctl status docker`
- Your user is in the docker group: `groups | grep docker`
- Your user is in the docker group: `groups | grep docker`
- You've logged out and back in after adding your user to the docker group
- You've logged out and back in after adding your user to the docker group
</translate>


==== Storage space issues ====
==== Storage space issues ====


<translate>
<!--T:30-->
When Docker uses too much disk space:
When Docker uses too much disk space:
</translate>
<syntaxhighlight lang="bash">
<syntaxhighlight lang="bash">
# Remove unused containers, networks, images, and volumes
# Remove unused containers, networks, images, and volumes
Line 377: Line 481:
==== Network conflicts ====
==== Network conflicts ====


<translate>
<!--T:31-->
Docker's default subnet (`172.17.0.0/16`) might conflict with your existing network. Configure a different subnet in your `configuration.nix`:
Docker's default subnet (`172.17.0.0/16`) might conflict with your existing network. Configure a different subnet in your `configuration.nix`:
</translate>
<syntaxhighlight lang="nix">
<syntaxhighlight lang="nix">
virtualisation.docker.daemon.settings = {
virtualisation.docker.daemon.settings = {
Line 391: Line 498:
=== Cannot connect to public Wi-Fi, when using Docker ===
=== Cannot connect to public Wi-Fi, when using Docker ===


<translate>
<!--T:32-->
When connecting to a public Wi-Fi, where the login page's IP-Address is within the Docker network range, accessing the Internet might not be possible. This has been reported when trying to connect to the WIFIonICE of the Deutsche Bahn (DB). They use the <code>172.18.x.x</code> address range.
When connecting to a public Wi-Fi, where the login page's IP-Address is within the Docker network range, accessing the Internet might not be possible. This has been reported when trying to connect to the WIFIonICE of the Deutsche Bahn (DB). They use the <code>172.18.x.x</code> address range.
</translate>


This can be resolved by changing the default address pool that Docker uses.
This can be resolved by changing the default address pool that Docker uses.
Retrieved from "https://wiki.nixos.org/wiki/Docker"