
[taler-deployment] 02/02: scripts for installing rootless docker


From: gnunet
Subject: [taler-deployment] 02/02: scripts for installing rootless docker
Date: Tue, 30 May 2023 07:29:51 +0200

This is an automated email from the git hooks/post-receive script.

dold pushed a commit to branch master
in repository deployment.

commit 2007b9b794e81c99ba90d2f92396333dd51a0b9d
Author: Florian Dold <florian@dold.me>
AuthorDate: Tue May 30 07:29:44 2023 +0200

    scripts for installing rootless docker
---
 bootstrap-docker/README                     |   2 +
 bootstrap-docker/bootstrap-docker.sh        |   7 +
 bootstrap-docker/install-plugin-buildx.sh   |   7 +
 bootstrap-docker/install-plugin-compose.sh  |   7 +
 bootstrap-docker/install-rootless-docker.sh | 252 ++++++++++++++++++++++++++++
 5 files changed, 275 insertions(+)

diff --git a/bootstrap-docker/README b/bootstrap-docker/README
new file mode 100644
index 0000000..85a3e98
--- /dev/null
+++ b/bootstrap-docker/README
@@ -0,0 +1,2 @@
+Scripts to install rootless docker together with docker-compose and buildx
+plugins.
diff --git a/bootstrap-docker/bootstrap-docker.sh 
b/bootstrap-docker/bootstrap-docker.sh
new file mode 100644
index 0000000..601e121
--- /dev/null
+++ b/bootstrap-docker/bootstrap-docker.sh
@@ -0,0 +1,7 @@
+#!/usr/bin/env bash
+
+set -eu
+
+./install-rootless-docker.sh
+./install-plugin-compose.sh
+./install-plugin-buildx.sh
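Review bot: The three installer scripts are invoked by cwd-relative path (`./install-rootless-docker.sh` and the two lines after it), so the bootstrap aborts with "No such file or directory" unless the caller happens to be inside bootstrap-docker/. Resolving them against the script's own location avoids that: add `cd "$(dirname "$0")"` right after `set -eu`, or prefix each invocation with `"$(dirname "$0")/"`. A one-line header comment stating the expected invocation would also help, e.g. `# Run from any directory as the unprivileged user that will own the rootless daemon.`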
diff --git a/bootstrap-docker/install-plugin-buildx.sh 
b/bootstrap-docker/install-plugin-buildx.sh
new file mode 100644
index 0000000..4b3f4bc
--- /dev/null
+++ b/bootstrap-docker/install-plugin-buildx.sh
@@ -0,0 +1,7 @@
+#!/usr/bin/env bash
+
+set -eu
+
+DOCKER_CONFIG=${DOCKER_CONFIG:-$HOME/.docker}
+mkdir -p $DOCKER_CONFIG/cli-plugins
+curl -SL 
https://github.com/docker/buildx/releases/download/v0.10.5/buildx-v0.10.5.linux-amd64
 -o $DOCKER_CONFIG/cli-plugins/docker-buildx
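Review bot: The curl on the last two lines of the hunk lacks `-f`, so an HTTP 4xx/5xx body is written to the plugin path with exit status 0 and `set -e` never sees the failure; the same applies to the curl in install-plugin-compose.sh. The downloaded binary is also never made executable and its integrity is not verified, so the script relies on transport security alone for a tool that will later run with the user's privileges; the release artifacts for these tools are accompanied by published checksums, which should be pinned and checked before installing. `$DOCKER_CONFIG` is unquoted on the `mkdir` and `-o` lines (SC2086) and breaks on a path containing spaces. A minimal change is `curl -fSL "$URL" -o "$DOCKER_CONFIG/cli-plugins/docker-buildx"` followed by `echo "<expected-sha256>  $DOCKER_CONFIG/cli-plugins/docker-buildx" | sha256sum -c -` and `chmod +x "$DOCKER_CONFIG/cli-plugins/docker-buildx"`, with the sha256 placeholder replaced by the value from the release's checksum file.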
diff --git a/bootstrap-docker/install-plugin-compose.sh 
b/bootstrap-docker/install-plugin-compose.sh
new file mode 100644
index 0000000..45d7dcc
--- /dev/null
+++ b/bootstrap-docker/install-plugin-compose.sh
@@ -0,0 +1,7 @@
+#!/usr/bin/env bash
+
+set -eu
+
+DOCKER_CONFIG=${DOCKER_CONFIG:-$HOME/.docker}
+mkdir -p $DOCKER_CONFIG/cli-plugins
+curl -SL 
https://github.com/docker/compose/releases/download/v2.18.1/docker-compose-linux-x86_64
 -o $DOCKER_CONFIG/cli-plugins/docker-compose
diff --git a/bootstrap-docker/install-rootless-docker.sh 
b/bootstrap-docker/install-rootless-docker.sh
new file mode 100644
index 0000000..c597186
--- /dev/null
+++ b/bootstrap-docker/install-rootless-docker.sh
@@ -0,0 +1,252 @@
+#!/bin/sh
+set -e
+# Docker CE for Linux installation script (Rootless mode)
+#
+# See https://docs.docker.com/go/rootless/ for the
+# installation steps.
+#
+# This script is meant for quick & easy install via:
+#   $ curl -fsSL https://get.docker.com/rootless -o get-docker.sh
+#   $ sh get-docker.sh
+#
+# NOTE: Make sure to verify the contents of the script
+#       you downloaded matches the contents of install.sh
+#       located at https://github.com/docker/docker-install
+#       before executing.
+#
+# Git commit from https://github.com/docker/docker-install when
+# the script was uploaded (Should only be modified by upload job):
+SCRIPT_COMMIT_SHA=c2de081
+
+# This script should be run with an unprivileged user and install/setup Docker 
under $HOME/bin/.
+
+# The channel to install from:
+#   * nightly
+#   * test
+#   * stable
+DEFAULT_CHANNEL_VALUE="stable"
+if [ -z "$CHANNEL" ]; then
+       CHANNEL=$DEFAULT_CHANNEL_VALUE
+fi
+# The latest release is currently hard-coded.
+STABLE_LATEST="24.0.1"
+TEST_LATEST="24.0.1"
+STATIC_RELEASE_URL=
+STATIC_RELEASE_ROOTLESS_URL=
+case "$CHANNEL" in
+    "stable")
+        echo "# Installing stable version ${STABLE_LATEST}"
+        
STATIC_RELEASE_URL="https://download.docker.com/linux/static/$CHANNEL/$(uname 
-m)/docker-${STABLE_LATEST}.tgz"
+        
STATIC_RELEASE_ROOTLESS_URL="https://download.docker.com/linux/static/$CHANNEL/$(uname
 -m)/docker-rootless-extras-${STABLE_LATEST}.tgz"
+        ;;
+    "test")
+        echo "# Installing test version ${TEST_LATEST}"
+        
STATIC_RELEASE_URL="https://download.docker.com/linux/static/$CHANNEL/$(uname 
-m)/docker-${TEST_LATEST}.tgz"
+        
STATIC_RELEASE_ROOTLESS_URL="https://download.docker.com/linux/static/$CHANNEL/$(uname
 -m)/docker-rootless-extras-${TEST_LATEST}.tgz"
+        ;;
+    "nightly")
+        echo "# Installing nightly"
+        STATIC_RELEASE_URL="https://master.dockerproject.org/linux/$(uname 
-m)/docker.tgz"
+        
STATIC_RELEASE_ROOTLESS_URL="https://master.dockerproject.org/linux/$(uname 
-m)/docker-rootless-extras.tgz"
+        ;;
+    *)
+        >&2 echo "Aborting because of unknown CHANNEL \"$CHANNEL\". Set 
\$CHANNEL to either \"stable\", \"test\", or \"nightly\"."; exit 1
+        ;;
+esac
+
+init_vars() {
+       BIN="${DOCKER_BIN:-$HOME/bin}"
+
+       DAEMON=dockerd
+       SYSTEMD=
+       if systemctl --user daemon-reload >/dev/null 2>&1; then
+               SYSTEMD=1
+       fi
+}
+
+checks() {
+       # OS verification: Linux only, point osx/win to helpful locations
+       case "$(uname)" in
+       Linux)
+               ;;
+       *)
+               >&2 echo "Rootless Docker cannot be installed on $(uname)"; 
exit 1
+               ;;
+       esac
+
+       # User verification: deny running as root (unless forced?)
+       if [ "$(id -u)" = "0" ] && [ -z "$FORCE_ROOTLESS_INSTALL" ]; then
+               >&2 echo "Refusing to install rootless Docker as the root 
user"; exit 1
+       fi
+
+       # HOME verification
+       if [ ! -d "$HOME" ]; then
+               >&2 echo "Aborting because HOME directory $HOME does not 
exist"; exit 1
+       fi
+
+       if [ -d "$BIN" ]; then
+               if [ ! -w "$BIN" ]; then
+                       >&2 echo "Aborting because $BIN is not writable"; exit 1
+               fi
+       else
+               if [ ! -w "$HOME" ]; then
+                       >&2 echo "Aborting because HOME (\"$HOME\") is not 
writable"; exit 1
+               fi
+       fi
+
+       # Existing rootful docker verification
+       if [ -w /var/run/docker.sock ] && [ -z "$FORCE_ROOTLESS_INSTALL" ]; then
+               >&2 echo "Aborting because rootful Docker is running and 
accessible. Set FORCE_ROOTLESS_INSTALL=1 to ignore."; exit 1
+       fi
+
+       # Validate XDG_RUNTIME_DIR
+       if [ ! -w "$XDG_RUNTIME_DIR" ]; then
+               if [ -n "$SYSTEMD" ]; then
+                       >&2 echo "Aborting because systemd was detected but 
XDG_RUNTIME_DIR (\"$XDG_RUNTIME_DIR\") does not exist or is not writable"
+                       >&2 echo "Hint: this could happen if you changed users 
with 'su' or 'sudo'. To work around this:"
+                       >&2 echo "- try again by first running with root 
privileges 'loginctl enable-linger <user>' where <user> is the unprivileged 
user and export XDG_RUNTIME_DIR to the value of RuntimePath as shown by 
'loginctl show-user <user>'"
+                       >&2 echo "- or simply log back in as the desired 
unprivileged user (ssh works for remote machines)"
+                       exit 1
+               fi
+       fi
+
+       # Already installed verification (unless force?). Only having docker 
cli binary previously shouldn't fail the build.
+       if [ -x "$BIN/$DAEMON" ]; then
+               # If rootless installation is detected print out the modified 
PATH and DOCKER_HOST that needs to be set.
+               echo "# Existing rootless Docker detected at $BIN/$DAEMON"
+               echo
+               echo "# To reinstall or upgrade rootless Docker, run the 
following commands and then rerun the installation script:"
+               echo "systemctl --user stop docker"
+               echo "rm -f $BIN/$DAEMON"
+               echo
+               echo "# Alternatively, install the docker-ce-rootless-extras 
RPM/deb package for ease of package management (requires root)."
+               echo "# See https://docs.docker.com/go/rootless/ for details."
+               exit 0
+       fi
+
+       INSTRUCTIONS=
+
+       # uidmap dependency check
+       if ! command -v newuidmap >/dev/null 2>&1; then
+               if command -v apt-get >/dev/null 2>&1; then
+                       INSTRUCTIONS="apt-get install -y uidmap"
+               elif command -v dnf >/dev/null 2>&1; then
+                       INSTRUCTIONS="dnf install -y shadow-utils"
+               elif command -v yum >/dev/null 2>&1; then
+                       INSTRUCTIONS="curl -o 
/etc/yum.repos.d/vbatts-shadow-utils-newxidmap-epel-7.repo 
https://copr.fedorainfracloud.org/coprs/vbatts/shadow-utils-newxidmap/repo/epel-7/vbatts-shadow-utils-newxidmap-epel-7.repo
+yum install -y shadow-utils46-newxidmap"
+               else
+                       echo "newuidmap binary not found. Please install with a 
package manager."
+                       exit 1
+               fi
+       fi
+
+       # iptables dependency check
+       if [ -z "$SKIP_IPTABLES" ] && ! command -v iptables >/dev/null 2>&1 && 
[ ! -f /sbin/iptables ] && [ ! -f /usr/sbin/iptables ]; then
+               if command -v apt-get >/dev/null 2>&1; then
+                       INSTRUCTIONS="${INSTRUCTIONS}
+apt-get install -y iptables"
+               elif command -v dnf >/dev/null 2>&1; then
+                       INSTRUCTIONS="${INSTRUCTIONS}
+dnf install -y iptables"
+               else
+                       echo "iptables binary not found. Please install with a 
package manager."
+                       exit 1
+               fi
+       fi
+
+       # ip_tables module dependency check
+       if [ -z "$SKIP_IPTABLES" ] && ! lsmod | grep ip_tables >/dev/null 2>&1 
&& ! grep -q ip_tables "/lib/modules/$(uname -r)/modules.builtin"; then
+                       INSTRUCTIONS="${INSTRUCTIONS}
+modprobe ip_tables"
+       fi
+
+       # debian requires setting unprivileged_userns_clone
+       if [ -f /proc/sys/kernel/unprivileged_userns_clone ]; then
+               if [ "1" != "$(cat /proc/sys/kernel/unprivileged_userns_clone)" 
]; then
+                       INSTRUCTIONS="${INSTRUCTIONS}
+cat <<EOT > /etc/sysctl.d/50-rootless.conf
+kernel.unprivileged_userns_clone = 1
+EOT
+sysctl --system"
+               fi
+       fi
+
+       # centos requires setting max_user_namespaces
+       if [ -f /proc/sys/user/max_user_namespaces ]; then
+               if [ "0" = "$(cat /proc/sys/user/max_user_namespaces)" ]; then
+                       INSTRUCTIONS="${INSTRUCTIONS}
+cat <<EOT > /etc/sysctl.d/51-rootless.conf
+user.max_user_namespaces = 28633
+EOT
+sysctl --system"
+               fi
+       fi
+
+       if [ -n "$INSTRUCTIONS" ]; then
+               echo "# Missing system requirements. Please run following 
commands to
+# install the requirements and run this installer again.
+# Alternatively iptables checks can be disabled with SKIP_IPTABLES=1"
+
+               echo
+               echo "cat <<EOF | sudo sh -x"
+               echo "$INSTRUCTIONS"
+               echo "EOF"
+               echo
+               exit 1
+       fi
+
+       # validate subuid/subgid files for current user
+       if ! grep "^$(id -un):\|^$(id -u):" /etc/subuid >/dev/null 2>&1; then
+               >&2 echo "Could not find records for the current user $(id -un) 
from /etc/subuid . Please make sure valid subuid range is set there.
+For example:
+echo \"$(id -un):100000:65536\" >> /etc/subuid"
+               exit 1
+       fi
+       if ! grep "^$(id -un):\|^$(id -u):" /etc/subgid >/dev/null 2>&1; then
+               >&2 echo "Could not find records for the current user $(id -un) 
from /etc/subgid . Please make sure valid subuid range is set there.
+For example:
+echo \"$(id -un):100000:65536\" >> /etc/subgid"
+               exit 1
+       fi
+}
+
+exec_setuptool() {
+       if [ -n "$FORCE_ROOTLESS_INSTALL" ]; then
+               set -- "$@" --force
+       fi
+       if [ -n "$SKIP_IPTABLES" ]; then
+               set -- "$@" --skip-iptables
+       fi
+       (
+               set -x
+               PATH="$BIN:$PATH" "$BIN/dockerd-rootless-setuptool.sh" install 
"$@"
+       )
+}
+
+do_install() {
+       echo "# Executing docker rootless install script, commit: 
$SCRIPT_COMMIT_SHA"
+
+       init_vars
+       checks
+
+       tmp=$(mktemp -d)
+       trap 'rm -rf "$tmp"' EXIT INT TERM
+       # Download tarballs docker-* and docker-rootless-extras=*
+       (
+               cd "$tmp"
+               curl -L -o docker.tgz "$STATIC_RELEASE_URL"
+               curl -L -o rootless.tgz "$STATIC_RELEASE_ROOTLESS_URL"
+       )
+       # Extract under $HOME/bin/
+       (
+               mkdir -p "$BIN"
+               cd "$BIN"
+               tar zxf "$tmp/docker.tgz" --strip-components=1
+               tar zxf "$tmp/rootless.tgz" --strip-components=1
+       )
+
+       exec_setuptool "$@"
+}
+
+do_install "$@"



