Docker rootless unable to pull images
I am running Docker rootless on a server, following https://docs.docker.com/engine/security/rootless/.
With this I can pull and run hello-world. But whenever I want to pull a more complex image, I run into the following error:
$ docker pull ubuntu
Using default tag: latest
latest: Pulling from library/ubuntu
83ee3a23efb7: Extracting [==================================================>] 28.57MB/28.57MB
db98fc6f11f0: Download complete
f611acd52c6c: Download complete
failed to register layer: ApplyLayer exit status 1 stdout: stderr: lchown /etc/gshadow: operation not permitted
Output from docker info:
$ docker info
Client:
Context: default
Debug Mode: false
Server:
Containers: 0
Running: 0
Paused: 0
Stopped: 0
Images: 1
Server Version: 20.10.2
Storage Driver: vfs
Logging Driver: json-file
Cgroup Driver: none
Cgroup Version: 1
Plugins:
Volume: local
Network: bridge host ipvlan macvlan null overlay
Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
Swarm: inactive
Runtimes: io.containerd.runtime.v1.linux runc io.containerd.runc.v2
Default Runtime: runc
Init Binary: docker-init
containerd version: 269548fa27e0089a8b8278fc4fc781d7f65a939b
runc version: ff819c7e9184c13b7c2607fe6c30ae19403a7aff
init version: de40ad0
Security Options:
seccomp
Profile: default
rootless
Kernel Version: 4.15.0-135-generic
Operating System: Ubuntu 18.04.3 LTS
OSType: linux
Architecture: x86_64
CPUs: 16
Total Memory: 125.9GiB
Name: ourserver
ID: ZZ4G:IF5W:HJA4:GBZ4:BOHY:YNLX:EPTA:56OH:REXN:QJ5A:2HL3:KWWX
Docker Root Dir: /home/honerkam/.local/share/docker
Debug Mode: false
Username: dhonerkamp
Registry: https://index.docker.io/v1/
Labels:
Experimental: false
Insecure Registries:
127.0.0.0/8
Live Restore Enabled: false
Product License: Community Engine
WARNING: Running in rootless-mode without cgroups. To enable cgroups in rootless-mode, you need to boot the system in cgroup v2 mode.
WARNING: bridge-nf-call-iptables is disabled
WARNING: bridge-nf-call-ip6tables is disabled
subids are assigned and newuidmap/newgidmap are installed:
$ grep ^$(whoami): /etc/subuid
honerkam:231072:165537
$ grep ^$(whoami): /etc/subgid
honerkam:231072:165537
$ which newuidmap
/usr/bin/newuidmap
$ which newgidmap
/usr/bin/newgidmap
The only unusual part of this setup I can think of is that I have access to a drive on a mounted filesystem, but the boot root cannot access it. I also have root access myself.
Any hints as to the cause of this problem would be greatly appreciated!
In case anyone else runs into this, copying the answer I received on GitHub:
NFS does not support CAP_DAC_OVERRIDE, so you need to specify a custom {"data-root":"/somewhere-out-of-nfs"} in ~/.config/docker/daemon.json to store images in a non-NFS location.
See https://www.redhat.com/sysadmin/rootless-podman-nfs for the technical details.
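As an added example (not part of the question or of the GitHub answer quoted above), the script below performs the check that answer implies: it resolves which filesystem backs the rootless Docker data root by longest-prefix matching the path against a /proc/mounts-style table, flags nfs/nfs4 as unusable for layer extraction, and renders the daemon.json override that relocates the data root. The mount table, the /scratch target path and the helper names are constructed for illustration; on a real host the same lookup is `findmnt -T "$dir" -n -o FSTYPE` and the data root comes from `docker info -f '{{.DockerRootDir}}'`.

```shell
#!/usr/bin/env bash
# Added example, not from the original post or the GitHub answer: detect whether the
# rootless Docker data root lives on NFS (where ApplyLayer's lchown of subordinate
# UIDs/GIDs is refused, as in the question's error) and render the daemon.json
# override that moves it to a local filesystem.
set -eu

# Print the filesystem type of the mount that contains PATH, using a /proc/mounts-style
# table passed as the second argument (fields: source mountpoint fstype options ...).
# Longest-prefix match, so /home/user/x resolves to the /home mount rather than /,
# and /homeless does not match /home.
fs_type_of() {
    local path="$1" table="$2"
    printf '%s\n' "$table" | awk -v p="$path" '
        {
            mp = $2; fst = $3
            gsub(/\\040/, " ", mp)                 # /proc/mounts escapes spaces as \040
            if (mp == "/" || p == mp || index(p, mp "/") == 1) {
                if (length(mp) > best) { best = length(mp); type = fst }
            }
        }
        END { print type }'
}

# Exit 0 when the data root is usable for rootless layer extraction, 1 when it is on NFS.
data_root_is_safe() {
    case "$(fs_type_of "$1" "$2")" in
        nfs|nfs4) return 1 ;;
        *)        return 0 ;;
    esac
}

# The override the answer recommends; for rootless Docker the file is ~/.config/docker/daemon.json.
render_daemon_json() {
    printf '{\n  "data-root": "%s"\n}\n' "$1"
}

# Constructed mount table for the demo (illustrative; not the asker's server).
SAMPLE_MOUNTS='rootfs / ext4 rw 0 0
nfsserver:/export/home /home nfs4 rw,vers=4.2 0 0
tmpfs /run/user/1000 tmpfs rw 0 0
/dev/sdb1 /scratch xfs rw 0 0'

# Demo against the constructed table by default; with --live, against the real daemon and /proc/mounts.
if [ "${1:-}" = "--live" ]; then
    root="$(docker info -f '{{.DockerRootDir}}')"    # real data root of the rootless daemon
    table="$(cat /proc/mounts)"
else
    root=/home/honerkam/.local/share/docker          # the data root shown in the question's docker info
    table="$SAMPLE_MOUNTS"
fi
if data_root_is_safe "$root" "$table"; then
    echo "data-root $root is on $(fs_type_of "$root" "$table"); layer extraction should work"
else
    echo "data-root $root is on $(fs_type_of "$root" "$table"); move it off NFS with this daemon.json:"
    render_daemon_json "/scratch/$(id -un)/docker"   # /scratch is a hypothetical local disk
fi
```

After writing the file, restart the rootless daemon (`systemctl --user restart docker`) and confirm with `docker info -f '{{.DockerRootDir}}'` that the new data root is in effect; existing images are not migrated, so `docker pull ubuntu` re-downloads them into the new location.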