Docker: Difference between revisions

Line 247:

Rootless Docker lets you run the Docker daemon as a non-root user for improved security. ~~Set~~ the ~~<code>rootless</code>~~ option ~~[[#Advanced~~|~~as shown above]]~~. ~~The <code>~~setSocketVariable~~</code> option adds~~ the <code>DOCKER_HOST</code> variable ~~pointing~~ to ~~your~~ rootless Docker instance.

[https://docs.docker.com/engine/security/rootless/ Rootless Docker] lets you run the Docker daemon as a non-root user for improved security. To do so, enable {{nixos:option|virtualisation.docker.rootless}}. This activates the user-level systemd Docker service. Additionally, the option {{nixos:option|virtualisation.docker.rootless.setSocketVariable|setSocketVariable}} configures the <code>DOCKER_HOST</code> environment variable to point to the rootless Docker instance.

</translate>

<~~translate~~>

~~~~

virtualisation.docker = {

~~After enabling~~ rootless ~~mode,~~ Docker ~~can be started with:~~

# Consider disabling the system wide Docker daemon

~~</translate>~~

enable = false;

~~<syntaxhighlight lang~~="~~bash~~">

~~$ systemctl~~ -~~-user enable --now docker~~

rootless = {

enable = true;

setSocketVariable = true;

# Optionally customize rootless Docker daemon settings

daemon.settings = {

dns = [ "1.1.1.1" "8.8.8.8" ];

registry-mirrors = [ "https://mirror.gcr.io" ];

};

</syntaxhighlight>

~~This creates the 'docker.service' file which~~ is required to ~~start Docker~~. ~~Note that~~ the ~~service will not start at boot by this command. You will have to~~ set ~~it up~~ in ~~your NixOS configuration. Now~~ the following ~~command will work~~:

A system reboot is required for these changes to take effect. Alternatively, the environment variable can be set manually in the current shell session, and the user Docker service can be started with the following commands:

</translate>

$ export DOCKER_HOST=unix://$XDG_RUNTIME_DIR/docker.sock

$ systemctl --user start docker

</syntaxhighlight>

Line 268:

Line 279:

~~Check its~~ status ~~with~~:

To verify the status of the rootless Docker service:

</translate>

$ systemctl --user status docker

</syntaxhighlight>

To confirm that Docker is running in rootless mode:

$ docker info -f "{{println .SecurityOptions}}" | grep rootless

</syntaxhighlight>

=== Creating images with Nix ===

</translate>

@@ Line 247: / Line 247: @@
 <translate>
 <!--T:37-->
-Rootless Docker lets you run the Docker daemon as a non-root user for improved security. Set the <code>rootless</code> option [[#Advanced|as shown above]]. The <code>setSocketVariable</code> option adds the <code>DOCKER_HOST</code> variable pointing to your rootless Docker instance.
+[https://docs.docker.com/engine/security/rootless/ Rootless Docker] lets you run the Docker daemon as a non-root user for improved security. To do so, enable {{nixos:option|virtualisation.docker.rootless}}. This activates the user-level systemd Docker service. Additionally, the option {{nixos:option|virtualisation.docker.rootless.setSocketVariable|setSocketVariable}} configures the <code>DOCKER_HOST</code> environment variable to point to the rootless Docker instance.
 </translate>
-<translate>
+<syntaxhighlight lang="nix">
-<!--T:38-->
+virtualisation.docker = {
-After enabling rootless mode, Docker can be started with:
+  # Consider disabling the system wide Docker daemon
-</translate>
+  enable = false;
-<syntaxhighlight lang="bash">
-$ systemctl --user enable --now docker
+  rootless = {
+    enable = true;
+    setSocketVariable = true;
+    # Optionally customize rootless Docker daemon settings
+    daemon.settings = {
+      dns = [ "1.1.1.1" "8.8.8.8" ];
+      registry-mirrors = [ "https://mirror.gcr.io" ];
+    };
+  };
+};
 </syntaxhighlight>
 <translate>
 <!--T:39-->
-This creates the 'docker.service' file which is required to start Docker. Note that the service will not start at boot by this command. You will have to set it up in your NixOS configuration. Now the following command will work:
+A system reboot is required for these changes to take effect. Alternatively, the environment variable can be set manually in the current shell session, and the user Docker service can be started with the following commands:
 </translate>
-<syntaxhighlight lang="bash">
+<syntaxhighlight lang="console">
+$ export DOCKER_HOST=unix://$XDG_RUNTIME_DIR/docker.sock
 $ systemctl --user start docker
 </syntaxhighlight>
@@ Line 268: / Line 279: @@
 <translate>
 <!--T:40-->
-Check its status with:
+To verify the status of the rootless Docker service:
 </translate>
-<syntaxhighlight lang="bash">
+<syntaxhighlight lang="console">
 $ systemctl --user status docker
 </syntaxhighlight>
+To confirm that Docker is running in rootless mode:
+<syntaxhighlight lang="console">
+$ docker info -f "{{println .SecurityOptions}}" | grep rootless
+</syntaxhighlight>
 <translate>
 === Creating images with Nix === <!--T:41-->
 </translate>