tested on slackware current (aug 2021)
XFS or ext4 is required for overlay2, though XFS has an advantage: you can cap the file-system size of each container. Project quota (prjquota) must be enabled on the file system for that to work.
mkfs.xfs /dev/nvme0n1p3

vi /etc/fstab

/dev/nvme0n1p3 /docker xfs defaults,noatime,nodiratime,prjquota 0 2

mkdir /docker/
touch /docker/XFS_NOT_MOUNTED
mount /docker/

#rm -rf /var/lib/docker/
ln -s ../../docker /var/lib/docker
slackpkg search iptables
slackpkg search git-2
slackpkg search procps-ng
slackpkg search xz

ls -lF /proc/cgroups

curl https://raw.githubusercontent.com/docker/docker/master/contrib/check-config.sh > check-config.sh
chmod +x check-config.sh
./check-config.sh
grab the latest Docker CE release as binaries
rel=20.10.10
wget https://download.docker.com/linux/static/stable/x86_64/docker-$rel.tgz
tar xzf docker-$rel.tgz

ls -lF /usr/local/bin/
cp -i docker/* /usr/local/bin/
note that it is also available on GitHub as a release tag.
#git clone https://github.com/docker/docker-ce.git
see alternate host install for other systems
make the docker commands available to some user
grep docker /etc/group
grep docker /etc/passwd

groupadd -g 331 docker
usermod -aG docker OPERATOR
we set bridge (an existing bridge interface) rather than bip, since the bridge's own address provides both the gateway and the CIDR.
we want instances to survive daemon down-time and even a host system reboot, hence we enable live-restore.

and we're giving a try to no-new-privileges, which keeps container processes from gaining privileges through setuid/setgid binaries.
vi /etc/docker/daemon.json # new file

{
    "bridge": "br0",
    "data-root": "/docker",
    "debug": false,
    "exec-opts": [ "native.cgroupdriver=cgroupfs" ],
    "ip-masq": false,
    "iptables": false,
    "ip6tables": false,
    "live-restore": true,
    "log-level": "warn",
    "no-new-privileges": true,
    "storage-driver": "overlay2",
    "storage-opts": [ "overlay2.size=5G" ]
}
moar options
# "bip": "",
# "dns": [],
# "dns-search": [],
# "hosts": [],
# "ipv6": false,
by default you get a hosts file containing only the instance's IP, and the same resolv.conf as on the host.
enable at boot-time
vi /etc/rc.d/rc.inet1

brctl addbr br0
brctl addif br0 eth1
ifconfig br0 10.0.0.254/16 up

vi /etc/rc.d/rc.local

PATH=$PATH:/usr/local/bin:/usr/local/sbin
sysctl -w net.ipv4.ip_forward=1
echo starting dockerd
dockerd >> /var/log/dockerd.log 2>&1 &
pgrep -a dockerd

vi /etc/rc.d/rc.local_shutdown

echo -n killing dockerd...
pkill dockerd && echo done || echo FAIL
status
pgrep -a docker
ls -lF /var/run/docker.sock
brctl show br0
reload
pgrep -a dockerd
kill -HUP PID-HERE
as user
docker run -d --name devuan --hostname devuan --workdir /root pbraun9/devuan
docker exec -ti devuan /bin/bash
df -h
we could not confirm that running instances come back after a reboot; the best we have observed is that they come back after killing and starting the docker daemon again.
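before handing the host over to users, it is worth checking that the hardening settings above actually landed. the following audit script is an added example, not part of the original notes; it takes the daemon.json and fstab paths as parameters (so it can be run against copies), assumes the one-key-per-line layout used above, and assumes /docker as the data-root mount point.

```shell
#!/bin/sh
# added example: audit the dockerd hardening settings described in these notes.
# paths are parameters so the functions can be pointed at constructed copies.

# json_flag FILE KEY -> prints the raw value of a top-level key in a
# one-key-per-line daemon.json (true, false, "string"); empty if absent
json_flag() {
    sed -n "s/^[[:space:]]*\"$2\"[[:space:]]*:[[:space:]]*\([^,]*\),\{0,1\}[[:space:]]*$/\1/p" "$1"
}

# audit_daemon FILE -> one FAIL line per missing setting, returns the failure count
audit_daemon() {
    nfail=0
    [ "$(json_flag "$1" no-new-privileges)" = true ] || { echo "FAIL: no-new-privileges not enabled"; nfail=$((nfail+1)); }
    [ "$(json_flag "$1" live-restore)" = true ] || { echo "FAIL: live-restore not enabled"; nfail=$((nfail+1)); }
    grep -q '"overlay2.size=' "$1" || { echo "FAIL: no overlay2.size quota in storage-opts"; nfail=$((nfail+1)); }
    # with iptables disabled dockerd installs no firewall rules at all:
    # whatever reaches the bridge is filtered by the host rules only
    [ "$(json_flag "$1" iptables)" = false ] && echo "NOTE: iptables=false, host firewall must cover br0"
    return $nfail
}

# audit_fstab FILE MOUNTPOINT -> 0 if the data-root is xfs mounted with prjquota,
# without which overlay2.size is silently ineffective
audit_fstab() {
    awk -v mp="$2" '$2 == mp && $3 == "xfs" && $4 ~ /(^|,)prjquota(,|$)/ { ok = 1 } END { exit !ok }' "$1"
}

# stand-alone usage on the live host
if [ "${1:-}" = --run ]; then
    audit_daemon /etc/docker/daemon.json
    audit_fstab /etc/fstab /docker && echo "OK: prjquota on /docker" || echo "FAIL: /docker lacks prjquota"
fi
```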
you can now operate your Docker host
as user
newgrp docker

docker images -a
docker ps -a

docker pull pbraun9/devuan
docker pull pbraun9/devuan-svr4
failed to start containerd: exec: "containerd": executable file not found in $PATH
==> add PATH to rc.local (dockerd looks for containerd in $PATH, and /usr/local/bin is not in it at boot)
Install Docker Engine from binaries https://docs.docker.com/engine/install/binaries/
Post-installation steps for Linux https://docs.docker.com/engine/install/linux-postinstall/
dockerd https://docs.docker.com/engine/reference/commandline/dockerd/
Configure and troubleshoot the Docker daemon https://docs.docker.com/config/daemon/
Daemon user namespace options https://docs.docker.com/engine/reference/commandline/dockerd/#daemon-user-namespace-options
Set ulimits in container (--ulimit) https://docs.docker.com/engine/reference/commandline/run/#set-ulimits-in-container---ulimit
Enable IPv6 support https://docs.docker.com/config/daemon/ipv6/
How to run dockerd in the background without logs https://stackoverflow.com/questions/54852529/how-to-run-dockerd-in-the-background-without-logs
Local File logging driver https://docs.docker.com/config/containers/logging/local/
How to Enable Disk Quotas on an XFS File System https://www.thegeekdiary.com/how-to-enable-disk-quotas-on-an-xfs-file-system/
Docker Per-Container Disk Quota on Bind Mounted Volumes https://stackoverflow.com/questions/57248180/docker-per-container-disk-quota-on-bind-mounted-volumes
Storage quota per container - overlay2 backed by xfs https://forums.docker.com/t/storage-quota-per-container-overlay2-backed-by-xfs/37653
Docker Container Size Quota https://reece.tech/posts/docker-container-size-quota/
About storage drivers https://docs.docker.com/storage/storagedriver/
Docker storage drivers https://docs.docker.com/storage/storagedriver/select-storage-driver/
Use the OverlayFS storage driver https://docs.docker.com/storage/storagedriver/overlayfs-driver/
Storage Drivers in Docker: A Deep Dive https://integratedcode.us/2016/08/30/storage-drivers-in-docker-a-deep-dive/
Docker Issues and Tips (aufs/overlay/btrfs..) https://github.com/AkihiroSuda/issues-docker
BTRFS vs OverlayFS https://www.reddit.com/r/docker/comments/5m4yhi/btrfs_vs_overlayfs/
how to clean up docker overlay directory? https://stackoverflow.com/questions/31712266/how-to-clean-up-docker-overlay-directory
Isolate containers with a user namespace https://docs.docker.com/engine/security/userns-remap/
Run the Docker daemon as a non-root user (Rootless mode) https://docs.docker.com/engine/security/rootless/
User privileges in Docker containers https://medium.com/jobteaser-dev-team/docker-user-best-practices-a8d2ca5205f4
Understanding root inside and outside a container https://www.redhat.com/en/blog/understanding-root-inside-and-outside-container
Running Docker Containers as ROOT https://dockerlabs.collabnix.com/security/Running-Containers-as-ROOT.html
Keep containers alive during daemon downtime https://docs.docker.com/config/containers/live-restore/