
How to setup Rootless Docker on top of BCM10

Rootless mode allows running the Docker daemon and containers as a non-root user to mitigate potential vulnerabilities in the docker daemon and the container runtime.

Rootless mode does not require root privileges even during the installation of the Docker daemon, as long as a set of prerequisites are met.

This KB article will guide you through the process of installing and using rootless Docker and allow non-root users to run Docker instances and build custom Docker images.


The following steps have been tested on BCM10 with Ubuntu 22.04.

1. Clone the current software image:

cmsh
softwareimage
clone default-image rootless-image
commit

2. Install uidmap and dbus-user-session into the rootless-image

cm-chroot /cm/images/rootless-image/
apt update && apt install uidmap systemd-container -y

3. Add the users who are allowed to run rootless docker into /etc/subuid and /etc/subgid (In this example, we are using the user “cmsupport”)

cm-chroot /cm/images/rootless-image/
echo "cmsupport:100000:65536" >> /etc/subuid
echo "cmsupport:100000:65536" >> /etc/subgid

4. Set the new software image to the nodes’ category

cmsh
category use dgx
set softwareimage rootless-image
commit

5. Reboot the compute nodes

6. Start docker as a user

NOTE: ssh into the compute node as a regular user

cmsupport@node001:~$ wget https://get.docker.com/rootless
cmsupport@node001:~$ chmod 755 rootless
cmsupport@node001:~$ ./rootless
[...]
[INFO] Creating /var/tmp/cmsupport/.config/systemd/user/docker.service
[INFO] starting systemd service docker.service
+ systemctl --user start docker.service
+ sleep 3
+ systemctl --user --no-pager --full status docker.service

docker.service - Docker Application Container Engine (Rootless)
     Loaded: loaded (/var/tmp/cmsupport/.config/systemd/user/docker.service; disabled; vendor preset: enabled)
     Active: active (running) since Thu 2024-12-05 17:18:16 CET; 3s ago
       Docs: https://docs.docker.com/go/rootless/
   Main PID: 3882 (rootlesskit)
      Tasks: 37
     Memory: 39.1M
[...]
Created symlink /var/tmp/cmsupport/.config/systemd/user/default.target.wants/docker.service → /var/tmp/cmsupport/.config/systemd/user/docker.service.

[INFO] Installed docker.service successfully.
[INFO] To control docker.service, run: `systemctl --user (start|stop|restart) docker.service`
[INFO] To run docker.service on system startup, run: `sudo loginctl enable-linger cmsupport`
[INFO] Creating CLI context "rootless"

Successfully created context "rootless"

[INFO] Using CLI context "rootless"
Current context is now "rootless"

[INFO] Make sure the following environment variable(s) are set (or add them to ~/.bashrc):
export PATH=/var/tmp/cmsupport/bin:$PATH

[INFO] Some applications may require the following environment variable too:
export DOCKER_HOST=unix:///run/user/1000/docker.sock

7. Add the following lines in the .bashrc of the user’s home directory

export PATH=/home/cmsupport/bin:$PATH
export DOCKER_HOST=unix:///run/user/1000/docker.sock
export DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/1000/bus

8. Source .bashrc (or logout then log back in)

cmsupport@node001:~$ . .bashrc

9. If $HOME is on NFS or Lustre, change the “Docker Root Dir” to a directory on a local drive, outside the network filesystem:

cmsupport@node001:~$ docker info | grep Root

 Docker Root Dir: /home/cmsupport

cmsupport@node001:~$ mkdir ~/.config/docker
cmsupport@node001:~$ cat ~/.config/docker/daemon.json   # create this file with the content below
{
    "data-root": "/var/tmp/cmsupport"
}

10. Stop/start docker in the user session to make sure that the changes in step 9 are reflected:

cmsupport@node001:~$ systemctl --user stop docker
cmsupport@node001:~$ systemctl --user start docker
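Before moving on to building images, it is worth confirming that what steps 3, 7 and 9 configured is actually in place for the user on the compute node. The script below is an added example, not part of the KB article or of BCM: it checks that /etc/subuid and /etc/subgid carry a range of at least 65536 IDs for the user (the range the article writes), that newuidmap from the uidmap package is present, that the data-root from ~/.config/docker/daemon.json (or the rootless default under $HOME) sits on a local filesystem rather than NFS or Lustre, and that DOCKER_HOST points at the per-user socket. It assumes GNU coreutils (stat -f) as shipped with Ubuntu 22.04; the sample file contents used for self-testing are constructed.

```shell
#!/bin/sh
# Added example (not from the KB article): self-check of the rootless Docker
# prerequisites configured in the steps above. Assumes GNU coreutils (stat -f)
# on Ubuntu 22.04. Run as the rootless user on a compute node:  sh check.sh --run

# subid_range_ok FILE USER [MIN]: succeed if FILE holds a USER:start:count line
# whose count is at least MIN (default 65536, the range the article assigns).
subid_range_ok() {
    awk -F: -v u="$2" -v m="${3:-65536}" '
        $1 == u && ($3 + 0) >= (m + 0) { found = 1 }
        END { if (found) exit 0; exit 1 }' "$1"
}

# fstype_is_local TYPE: fail for network filesystems, where the article says
# the Docker data root must not live. TYPE is what "stat -f -c %T" reports.
fstype_is_local() {
    case "$1" in
        nfs|nfs4|lustre|fuse.lustre|cifs|smb2|smb3|9p|afs) return 1 ;;
        *) return 0 ;;
    esac
}

# daemon_data_root FILE: print the "data-root" value from a daemon.json, or the
# rootless default under $HOME when the file or the key is absent.
daemon_data_root() {
    root=""
    if [ -r "$1" ]; then
        root=$(sed -n 's/.*"data-root"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$1")
    fi
    printf '%s\n' "${root:-$HOME/.local/share/docker}"
}

# check_rootless_prereqs [USER]: run every check against the real system files
# for the current (or given) user; one line per check, non-zero on any failure.
check_rootless_prereqs() {
    user=${1:-$(id -un)}; rc=0
    for f in /etc/subuid /etc/subgid; do
        if subid_range_ok "$f" "$user"; then echo "ok   $f has a >=65536 range for $user"
        else echo "FAIL $f lacks a >=65536 range for $user (step 3)"; rc=1; fi
    done
    if command -v newuidmap >/dev/null 2>&1; then echo "ok   newuidmap present (uidmap installed)"
    else echo "FAIL newuidmap missing: install the uidmap package (step 2)"; rc=1; fi
    root=$(daemon_data_root "$HOME/.config/docker/daemon.json")
    # stat the nearest existing ancestor so a not-yet-created data-root still resolves
    probe=$root; while [ ! -e "$probe" ]; do probe=$(dirname "$probe"); done
    fstype=$(stat -f -c %T "$probe")
    if fstype_is_local "$fstype"; then echo "ok   data-root $root is on local $fstype"
    else echo "FAIL data-root $root is on $fstype: set data-root to a local path (step 9)"; rc=1; fi
    case "${DOCKER_HOST:-}" in
        unix:///run/user/*/docker.sock) echo "ok   DOCKER_HOST=$DOCKER_HOST" ;;
        *) echo "FAIL DOCKER_HOST is not the per-user socket (step 7)"; rc=1 ;;
    esac
    return $rc
}

if [ "${1:-}" = "--run" ]; then
    check_rootless_prereqs
fi
```

Each FAIL line names the step of this article that fixes it, so the script can be run again after every change. The filesystem-type list in fstype_is_local is deliberately short; extend it if your site exports home directories over something else.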

11. Try to build an image

cmsupport@node001:~$ git clone https://github.com/docker/getting-started-todo-app
cmsupport@node001:~$ cd getting-started-todo-app/
cmsupport@node001:~/getting-started-todo-app$ docker build .
[...]
20: Pulling from library/node
fdf894e782a2: Pull complete
5bd71677db44: Pull complete
551df7f94f9c: Pull complete
ce82e98d553d: Pull complete
28c7f8675398: Pull complete
cd36ddf19b49: Pull complete
24f32f277913: Pull complete
5dd152761f34: Pull complete
[...]

12. Check the images

cmsupport@node001:~/getting-started-todo-app$ docker images
REPOSITORY   TAG       IMAGE ID       CREATED         SIZE
<none>       <none>    58140c7bda64   5 seconds ago   1.1GB
node         20        6a5391c597b0   2 weeks ago     1.1GB

13. Using rootless docker with Slurm

13.1 Allocate a node using salloc

cmsupport@b100-u2204-12-06:~$ salloc -N 1 -w node001

13.2 SSH into the allocated node

cmsupport@b100-u2204-12-06:~$ ssh node001

13.3 Check that rootless docker is working

cmsupport@node001:~$ docker images
REPOSITORY   TAG       IMAGE ID       CREATED         SIZE
<none>       <none>    32c436dc077a   2 minutes ago   1.1GB
node         20        6a5391c597b0   2 weeks ago     1.1GB

Updated on December 7, 2024