|
|
@@ -274,25 +274,6 @@ $ docker run --privileged --name some-docker -d \
|
|
|
|
|
|
Some of these will not be supported based on the settings on the host's `dockerd`, such as `--ulimit nofile=-1`, giving errors that look like `error setting rlimit type 7: operation not permitted`, and some may inherit sane values from the host `dockerd` instance or may not apply for your usage of Docker-in-Docker (for example, you likely want to set `--oom-score-adj` to a value that's higher than `dockerd` on the host so that your Docker-in-Docker instance is killed before the host Docker instance is).
|
|
|
|
|
|
-## Rootless
|
|
|
-
|
|
|
-For more information about using the experimental "rootless" image variants, see [docker-library/docker#174](https://github.com/docker-library/docker/pull/174).
|
|
|
-
|
|
|
-**Note:** just like the regular `dind` images, `--privileged` is required for Docker-in-Docker to function properly ([docker-library/docker#151](https://github.com/docker-library/docker/issues/151#issuecomment-483185972) & [docker-library/docker#281](https://github.com/docker-library/docker/issues/281#issuecomment-744766015)). For `19.03.x` rootless images, an argument of `--experimental` is required for `dockerd` ([docker/docker#40759](https://github.com/docker/docker/pull/40759)).
|
|
|
-
|
|
|
-Basic example usage:
|
|
|
-
|
|
|
-```console
|
|
|
-$ docker run -d --name some-docker --privileged docker:dind-rootless
|
|
|
-$ docker logs --tail=3 some-docker # to verify the daemon has finished generating TLS certificates and is listening successfully
|
|
|
-time="xxx" level=info msg="Daemon has completed initialization"
|
|
|
-time="xxx" level=info msg="API listen on /run/user/1000/docker.sock"
|
|
|
-time="xxx" level=info msg="API listen on [::]:2376"
|
|
|
-$ docker exec -it some-docker docker-entrypoint.sh sh # using "docker-entrypoint.sh" which auto-sets "DOCKER_HOST" appropriately
|
|
|
-/ $ docker info --format '{{ json .SecurityOptions }}'
|
|
|
-["name=seccomp,profile=default","name=rootless"]
|
|
|
-```
|
|
|
-
|
|
|
## Where to Store Data
|
|
|
|
|
|
Important note: There are several ways to store data used by applications that run in Docker containers. We encourage users of the `docker` images to familiarize themselves with the options available, including:
|
|
|
@@ -319,6 +300,37 @@ The `docker` images come in many flavors, each designed for a specific use case.
|
|
|
|
|
|
This is the defacto image. If you are unsure about what your needs are, you probably want to use this one. It is designed to be used both as a throw away container (mount your source code and start the container to start your app), as well as the base to build other images off of.
|
|
|
|
|
|
+## `docker:<version>-rootless`
|
|
|
+
|
|
|
+For more information about using the experimental "rootless" image variants, see [docker-library/docker#174](https://github.com/docker-library/docker/pull/174).
|
|
|
+
|
|
|
+**Note:** just like the regular `dind` images, `--privileged` is required for Docker-in-Docker to function properly ([docker-library/docker#151](https://github.com/docker-library/docker/issues/151#issuecomment-483185972) & [docker-library/docker#281](https://github.com/docker-library/docker/issues/281#issuecomment-744766015)), which is a security issue that needs to be treated appropriately.
|
|
|
+
|
|
|
+Basic example usage:
|
|
|
+
|
|
|
+```console
|
|
|
+$ docker run -d --name some-docker --privileged docker:dind-rootless
|
|
|
+$ docker logs --tail=3 some-docker # to verify the daemon has finished generating TLS certificates and is listening successfully
|
|
|
+time="xxx" level=info msg="Daemon has completed initialization"
|
|
|
+time="xxx" level=info msg="API listen on /run/user/1000/docker.sock"
|
|
|
+time="xxx" level=info msg="API listen on [::]:2376"
|
|
|
+$ docker exec -it some-docker docker-entrypoint.sh sh # using "docker-entrypoint.sh" which auto-sets "DOCKER_HOST" appropriately
|
|
|
+/ $ docker info --format '{{ json .SecurityOptions }}'
|
|
|
+["name=seccomp,profile=default","name=rootless"]
|
|
|
+```
|
|
|
+
|
|
|
+To run with a different UID/GID than the one baked into the image, modify `/etc/passwd`, `/etc/group`, and filesystem permissions (especially for the `rootless` user's home directory) as appropriate; for example:
|
|
|
+
|
|
|
+```dockerfile
|
|
|
+FROM docker:dind-rootless
|
|
|
+USER root
|
|
|
+RUN set -eux; \
|
|
|
+ sed -i -e 's/^rootless:1000:1000:/rootless:1234:5678:/' /etc/passwd; \
|
|
|
+ sed -i -e 's/^rootless:1000:/:5678:/' /etc/group; \
|
|
|
+ chown -R rootless ~rootless
|
|
|
+USER rootless
|
|
|
+```
|
|
|
+
|
|
|
## `docker:<version>-windowsservercore`
|
|
|
|
|
|
Unfortunately, Windows does not support nested containers, so this image variant only contains the client (intended for use against an existing Docker engine, ala `-v //./pipe/docker_engine://./pipe/docker_engine`).
|
Docker Library Bot