Kernel version | Linux pi4 6.1.21-v8+ #1642 SMP PREEMPT Mon Apr 3 17:24:16 BST 2023 aarch64 GNU/Linux
Architecture | arm64
SBC model | RPi 4 Model B (aarch64)
Additional Information (if applicable)
Software title | Docker
Trying to install rootless Docker on a Raspberry Pi 4 (using DietPi OS, a flavor of Raspbian, which is Debian based), because rootless is recommended as a security best practice. Created a docker user, ran su - dockeruser, and ran the install script.
Got this:
$ curl -fsSL https://get.docker.com/rootless | sh
# Installing stable version 24.0.7
# Executing docker rootless install script, commit: 98c7397
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 60.8M 100 60.8M 0 0 28.2M 0 0:00:02 0:00:02 --:--:-- 28.2M
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 20.9M 100 20.9M 0 0 21.8M 0 --:--:-- --:--:-- --:--:-- 21.8M
+ PATH=/home/dockeruser/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin /home/dockeruser/bin/dockerd-rootless-setuptool.sh install
[INFO] systemd not detected, dockerd-rootless.sh needs to be started manually:
PATH=/home/dockeruser/bin:/sbin:/usr/sbin:$PATH dockerd-rootless.sh
[INFO] Creating CLI context "rootless"
Successfully created context "rootless"
[INFO] Using CLI context "rootless"
Current context is now "rootless"
[INFO] Make sure the following environment variable(s) are set (or add them to ~/.bashrc):
# WARNING: systemd not found. You have to remove XDG_RUNTIME_DIR manually on every logout.
export XDG_RUNTIME_DIR=/home/dockeruser/.docker/run
export PATH=/home/dockeruser/bin:$PATH
[INFO] Some applications may require the following environment variable too:
export DOCKER_HOST=unix:///home/dockeruser/.docker/run/docker.sock
What’s the best way to mitigate it? I.e., to start dockerd-rootless.sh manually (i.e., should I add this to bashrc?) and remove XDG_RUNTIME_DIR manually on every logout?
What does DietPi OS use instead of systemd? Can we modify whatever it uses instead?
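An added example for the no-systemd case the installer output describes (example code, not from this thread, Docker or DietPi): a small POSIX sh helper that creates the runtime directory owner-only (the daemon's API socket lives there), starts dockerd-rootless.sh only when nothing is answering on the socket, and provides a stop function for the XDG_RUNTIME_DIR cleanup the installer warns about. It assumes the paths the installer printed, $HOME/bin/dockerd-rootless.sh and $HOME/.docker/run.

```shell
#!/bin/sh
# Added helper for running rootless dockerd without systemd (example code,
# not from the thread, Docker or DietPi). Assumes the installer's paths:
# $HOME/bin/dockerd-rootless.sh and $HOME/.docker/run. Run: sh helper.sh start|stop

# Runtime directory the installer chose for the given home directory.
rootless_runtime_dir() {
    printf '%s/.docker/run' "$1"
}

# Create the runtime dir owner-only. Whoever can write the API socket in it
# controls every container, so a pre-existing dir with group/other bits is
# refused rather than reused.
prepare_runtime_dir() {
    dir=$1
    mkdir -p -m 0700 "$dir" || return 1
    # find prints the path only if the mode is exactly 0700.
    if [ -z "$(find "$dir" -prune -perm 700)" ]; then
        echo "refusing: $dir is not mode 0700" >&2
        return 1
    fi
}

# True when a daemon already answers on the socket in the runtime dir.
daemon_running() {
    sock=$1/docker.sock
    [ -S "$sock" ] && docker --host "unix://$sock" info >/dev/null 2>&1
}

# Start dockerd-rootless.sh in the background, recording its pid for stop.
start_rootless_dockerd() {
    dir=$1
    prepare_runtime_dir "$dir" || return 1
    if daemon_running "$dir"; then
        echo "rootless dockerd already running" >&2
        return 0
    fi
    XDG_RUNTIME_DIR=$dir PATH="$HOME/bin:/sbin:/usr/sbin:$PATH" \
        nohup dockerd-rootless.sh >"$dir/dockerd.log" 2>&1 &
    echo $! >"$dir/dockerd.pid"
}

# Logout hook: stop the daemon and remove the runtime dir by hand, since no
# systemd-logind session is managing it.
stop_rootless_dockerd() {
    dir=$1
    [ -n "$dir" ] || return 1
    [ -f "$dir/dockerd.pid" ] && kill "$(cat "$dir/dockerd.pid")" 2>/dev/null
    rm -rf "$dir"
}

case "${1:-}" in
    start) start_rootless_dockerd "$(rootless_runtime_dir "$HOME")" ;;
    stop)  stop_rootless_dockerd  "$(rootless_runtime_dir "$HOME")" ;;
esac
```

Call the start function from ~/.profile and the stop function from ~/.bash_logout to cover the "start manually" and "remove on every logout" steps from the installer output.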
Thank you. Could you please hint as to how to go about troubleshooting it? The install script does not allow being run with sudo, so what additional permission might it need?
# systemctl enable --now dbus
Synchronizing state of dbus.service with SysV service script with /lib/systemd/systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install enable dbus
The unit files have no installation config (WantedBy=, RequiredBy=, Also=,
Alias= settings in the [Install] section, and DefaultInstance= for template
units). This means they are not meant to be enabled using systemctl.
Possible reasons for having this kind of units are:
• A unit may be statically enabled by being symlinked from another unit's
.wants/ or .requires/ directory.
• A unit's purpose may be to act as a helper for some other unit which has
a requirement dependency on it.
• A unit may be started when needed via activation (socket, path, timer,
D-Bus, udev, scripted systemctl call, ...).
• In case of template units, the unit is meant to be enabled with some
instance name specified.
dockeruser@pi4-8-1:~$ docker run hello-world
docker: Cannot connect to the Docker daemon at unix:///home/dockeruser/.docker/run/docker.sock. Is the docker daemon running?.
See 'docker run --help'.
dockeruser@pi4-8-1:~$ docker ps
Cannot connect to the Docker daemon at unix:///home/dockeruser/.docker/run/docker.sock. Is the docker daemon running?
dockeruser@pi4-8-1:~$ sudo systemctl start docker
[sudo] password for dockeruser:
dockeruser is not in the sudoers file.
dockeruser@pi4-8-1:~$ systemctl start docker
==== AUTHENTICATING FOR org.freedesktop.systemd1.manage-units ====
Authentication is required to start 'docker.service'.
Authenticating as: diet-cat
Password:
==== AUTHENTICATION COMPLETE ====
dockeruser@pi4-8-1:~$ docker ps
Cannot connect to the Docker daemon at unix:///home/dockeruser/.docker/run/docker.sock. Is the docker daemon running?
dockeruser@pi4-8-1:~$ systemctl start docker
==== AUTHENTICATING FOR org.freedesktop.systemd1.manage-units ====
Authentication is required to start 'docker.service'.
Authenticating as: diet-cat
Password:
==== AUTHENTICATION COMPLETE ====
dockeruser@pi4-8-1:~$ docker ps
Cannot connect to the Docker daemon at unix:///home/dockeruser/.docker/run/docker.sock. Is the docker daemon running?
dockeruser@pi4-8-1:~$
Is adding dockeruser to sudoers a good practice?
Is there a different way to fix this?