Support for docker rootless#168
Conversation
roberth
left a comment
roberth
left a comment
There was a problem hiding this comment.
Cool project!
I've made a few comments to help avoid unnecessary incompatibilities when combining configurations.
The general idea is that rootless projects can make choices that are independent of global system level configuration, so that means that we should make more changes at the project level and fewer at the system level.
It should be possible to extend the existing machine in tests/nixos-virtualization-arion-test/test.nix after making some of the changes.
| }; | ||
| in | ||
| if cfg.backend == "docker-rootless" then | ||
| { _systemd.user.services."arion-${name}" = service; } |
There was a problem hiding this comment.
Interesting. What is your use case for this?
I was expecting a system systemd service that runs entirely as a non-root user.
Both user and system systemd services seem like valid modes; even simultaneously.
There was a problem hiding this comment.
Yeah, somehow I thought docker and docker-rootless are mutual exclusive. I will change it to support both simultaneously
There was a problem hiding this comment.
Wait, I am a little bit confused. Would you like to start all services as root services?
I think I would start rootless containers as user services, and normal containers as system services.
There was a problem hiding this comment.
Running a system service as a (system) user with rootless containers is a valid thing to do. It avoids potential confused deputy problems in the docker daemon.
You wouldn't be able to remove as many capabilities from the systemd unit as a non-containerized solution would, but presumably the rootless container runtime still removes those capabilities.
There was a problem hiding this comment.
Which kind of "deputy problems" do you mean?
I rather think this could create problems on multi-user setups, because the DOCKER_HOST socket is individual to every user.
But don't get me wrong; it certainly is your thing to decide.
Co-authored-by: Robert Hensing <roberth@users.noreply.github.com>
This comment was marked as resolved.
This comment was marked as resolved.
This comment was marked as resolved.
This comment was marked as resolved.
|
Is there any chance this gets merged? I'd love for rootless docker to be a thing in arion. |
3 participants
First, I did not see any contribution guide, therefore I am just opening this PR. I hope that's ok.
Since version 22.05 NixOS has support for rootless docker (manual, docs).
Therefore, I want to add support for it to this great project.
This is currently not working, yet. But I do not know enough about the internals of arion to fix it.
I get some weird docker error; something about certificates (please try it out and see for yourselves).
Also, I am not sure if adding the
DOCKER_HOSTvariable is necessary or if there is a better way (For me the optiondocker.rootless.setSocketVariableseems to not work)I am sorry that I cannot be of more help here.
I hope this PR is welcome and is a starting point to bring rootless docker support to this project.