Tutoring and Help with RunImage #13

Open
fwn0 opened this issue Jan 11, 2025 · 2 comments

fwn0 commented Jan 11, 2025

Hello Maxim,
I am already looking forward to the new upcoming runimage 0.40.1, which you are currently preparing (as I see in your GitHub activity).
But now I have a request for you. I don't understand exactly how your fake-systemd works for starting docker. I have installed docker and docker-compose in the runimage with pac, but now I can't figure out how to start the daemon with fake-systemd before rebuilding a new runimage-docker. I mean, how do I use the standard commands systemctl start docker.service and systemctl enable docker.service in the new runimage-docker?
I also wanted to ask: what should the structure of containers, images and volumes look like? Can docker in runimage then serve the containers, images, etc. only inside runimage, where they are placed on rootfs or overlayfs, or also outside of runimage, e.g. on ~/ri-portable-progs?

@VHSgunzo
Owner

@fwn0
Hi! Fully running the docker daemon requires elevated privileges (even for rootless mode). But still, I managed to run the docker daemon in runimage. Here is a rough order of operations:

Create docker dir:

mkdir docker

Run runimage in overlayfs mode, with sandbox network and with bubblewrap fake root and with bind docker dir:

OVERFS_ID=docker KEEP_OVERFS=1 SANDBOX_NET=1 ./runimage --uid 0 --gid 0 --bind "$PWD/docker" /var/lib/docker bash

Install docker:

# update packages:
runupdate

pac --noconfirm -S docker

Run the docker daemon in the runimage network sandbox on 127.0.0.1:1337:

/usr/bin/dockerd -H tcp://127.0.0.1:1337 --seccomp-profile unconfined --rootless --no-new-privileges &>/dev/null &

And now you can run docker:

DOCKER_HOST=tcp://127.0.0.1:1337 docker run --rm -i -v /dev:/dev alpine:latest cat /etc/os-release

But there are some limitations:

  • I have not yet managed to solve the lchown problem when pulling some container images (for example debian:latest)
  • You can't remove the -v /dev:/dev bind or you will get the /dev/pts error
  • Even with the -v /dev:/dev bind there is no way to allocate a full-fledged pseudo terminal, or you will get the /dev/console error.

I may need to analyze the dockerd source code (runc, containerd) and apply some tricks to fix these errors (as I already did for runimage-openssh). I would be glad to have help in this endeavor.

Alternatively, you can use udocker as an option. This is not a full-fledged replacement for docker, but it's still not bad either.
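A wrapper for the steps in the reply above, added here as an example (not the project's or the author's code). It refuses to start the daemon on anything but a loopback address, since the TCP socket has no TLS or client authentication, waits for the daemon to answer instead of guessing, and keeps the daemon log rather than discarding it so pull and lchown failures stay visible. It assumes you are already inside the runimage shell started as shown above; the log path /tmp/ri-docker is a chosen placeholder.

```shell
#!/usr/bin/env bash
# Added example: wraps the manual dockerd-in-runimage steps from the reply.
# Run inside: OVERFS_ID=docker KEEP_OVERFS=1 SANDBOX_NET=1 ./runimage --uid 0 --gid 0 \
#             --bind "$PWD/docker" /var/lib/docker bash
set -eu

DOCKER_ADDR="${DOCKER_ADDR:-127.0.0.1:1337}"   # HOST:PORT dockerd listens on (as in the reply)
LOG_DIR="${LOG_DIR:-/tmp/ri-docker}"           # placeholder path for the daemon log

# 0 if HOST:PORT is a loopback address. The daemon speaks plain HTTP with no client
# auth, so it must only ever be reachable from inside the sandbox network.
is_loopback_addr() {
    case "$1" in
        127.*:[0-9]*|localhost:[0-9]*|\[::1\]:[0-9]*) return 0 ;;
        *) return 1 ;;
    esac
}

# Poll until the docker CLI can talk to the daemon, or give up after $2 seconds.
wait_for_dockerd() {  # $1 = HOST:PORT, $2 = timeout in seconds
    _i=0
    while [ "$_i" -lt "$2" ]; do
        if DOCKER_HOST="tcp://$1" docker version >/dev/null 2>&1; then return 0; fi
        sleep 1
        _i=$((_i + 1))
    done
    return 1
}

start_sandboxed_dockerd() {
    is_loopback_addr "$DOCKER_ADDR" || { echo "refusing to bind dockerd to $DOCKER_ADDR" >&2; return 1; }
    mkdir -p "$LOG_DIR"
    # --seccomp-profile unconfined drops the default syscall filter for containers;
    # the reply needs it, so rely on the bubblewrap fake-root sandbox around the daemon.
    /usr/bin/dockerd -H "tcp://$DOCKER_ADDR" --seccomp-profile unconfined \
        --rootless --no-new-privileges >"$LOG_DIR/dockerd.log" 2>&1 &
    wait_for_dockerd "$DOCKER_ADDR" 30 || { echo "dockerd not ready, see $LOG_DIR/dockerd.log" >&2; return 1; }
    # Same smoke test as in the reply; the /dev bind is required (see limitations).
    DOCKER_HOST="tcp://$DOCKER_ADDR" docker run --rm -i -v /dev:/dev alpine:latest cat /etc/os-release
}

# Only start the daemon when invoked as: ./ri-dockerd.sh run
case "${1:-}" in run) start_sandboxed_dockerd ;; esac
```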

@fwn0
Author

fwn0 commented Jan 15, 2025

Thank you for your introduction, Maxim,

it may not be necessary to install docker or podman. I will now experiment a bit with crun. Maybe it will be much easier to run the docker images, containers, volumes with crun.
