Rootless Docker issues on DietPi

Creating a bug report/issue

Required Information

  • DietPi version | DietPi v8.23.3
  • Distro version | bookworm 0
  • Kernel version | Linux pi4 6.1.21-v8+ #1642 SMP PREEMPT Mon Apr 3 17:24:16 BST 2023 aarch64 GNU/Linux
  • Architecture | arm64
  • SBC model | RPi 4 Model B (aarch64)

Additional Information (if applicable)

  • Software title | Docker

Trying to install rootless Docker on a Raspberry Pi 4 (using DietPi OS, which is a flavor of Raspbian, which is Debian based), since rootless mode is recommended as a security best practice. Created a docker user, did su - dockeruser and ran the install script.

Got this:

$ curl -fsSL https://get.docker.com/rootless | sh
# Installing stable version 24.0.7
# Executing docker rootless install script, commit: 98c7397
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 60.8M  100 60.8M    0     0  28.2M      0  0:00:02  0:00:02 --:--:-- 28.2M
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 20.9M  100 20.9M    0     0  21.8M      0 --:--:-- --:--:-- --:--:-- 21.8M
+ PATH=/home/dockeruser/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin /home/dockeruser/bin/dockerd-rootless-setuptool.sh install
[INFO] systemd not detected, dockerd-rootless.sh needs to be started manually:

PATH=/home/dockeruser/bin:/sbin:/usr/sbin:$PATH dockerd-rootless.sh 

[INFO] Creating CLI context "rootless"
Successfully created context "rootless"
[INFO] Using CLI context "rootless"
Current context is now "rootless"

[INFO] Make sure the following environment variable(s) are set (or add them to ~/.bashrc):
# WARNING: systemd not found. You have to remove XDG_RUNTIME_DIR manually on every logout.
export XDG_RUNTIME_DIR=/home/dockeruser/.docker/run
export PATH=/home/dockeruser/bin:$PATH

[INFO] Some applications may require the following environment variable too:
export DOCKER_HOST=unix:///home/dockeruser/.docker/run/docker.sock

Apparently, DietPi OS doesn't have systemd.

I found this accepted answer on Unix & Linux Stack Exchange ("systemd not detected, dockerd daemon needs to be started manually") suggesting to log in via ssh as the non-root user and then run the script, but this is what I did, and it did not help.

What's the best way to mitigate it? I.e., to start dockerd-rootless.sh manually (should I add this to .bashrc?) and remove XDG_RUNTIME_DIR manually on every logout?

What does DietPi OS use instead of systemd? Can we modify whatever it uses instead?

Thanks

That’s not correct. DietPi is using systemd. Probably a permission issue for the user you created.

Thank you. Could you please give a hint as to how to go about troubleshooting it? The install script does not allow itself to be run with sudo, so what additional permission might it need?

Check the permissions of the script with
ls -la /path/to/script/dockerd-rootless.sh

It's not about permission of the script. It's the script not being able to detect systemd.

@DietMeow I found an issue on Docker's GitHub: "dockerd-rootless-setuptool.sh install fails to detect systemd unless $XDG_RUNTIME_DIR is set first" (docker/docs issue #14491).

You need to set export XDG_RUNTIME_DIR=/run/user/$(id -u) before executing the install script.

This one should do it

as user root

dietpi-software install 162
systemctl disable --now docker.service docker.socket
apt install -y uidmap dbus-user-session fuse-overlayfs slirp4netns docker-ce-rootless-extras
systemctl enable --now dbus
loginctl enable-linger <your-user>

as non-root user

export XDG_RUNTIME_DIR=/run/user/$(id -u)
dockerd-rootless-setuptool.sh install

Thank you very much.
Is this a problem?

# systemctl enable --now dbus
Synchronizing state of dbus.service with SysV service script with /lib/systemd/systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install enable dbus
The unit files have no installation config (WantedBy=, RequiredBy=, Also=,
Alias= settings in the [Install] section, and DefaultInstance= for template
units). This means they are not meant to be enabled using systemctl.
 
Possible reasons for having this kind of units are:
• A unit may be statically enabled by being symlinked from another unit's
  .wants/ or .requires/ directory.
• A unit's purpose may be to act as a helper for some other unit which has
  a requirement dependency on it.
• A unit may be started when needed via activation (socket, path, timer,
  D-Bus, udev, scripted systemctl call, ...).
• In case of template units, the unit is meant to be enabled with some
  instance name specified.

Should be ok

@Joulinar
Does this look good to you? Thank you for your help!

~$ dockerd-rootless-setuptool.sh install
[INFO] Creating /home/dockeruser/.config/systemd/user/docker.service
[INFO] starting systemd service docker.service
+ systemctl --user start docker.service
+ sleep 3
+ systemctl --user --no-pager --full status docker.service
● docker.service - Docker Application Container Engine (Rootless)
     Loaded: loaded (/home/dockeruser/.config/systemd/user/docker.service; disabled; preset: enabled)
     Active: active (running) since Mon 2023-11-20 12:17:29 EST; 3s ago
       Docs: https://docs.docker.com/go/rootless/
   Main PID: 139263 (rootlesskit)
      Tasks: 40
     Memory: 33.7M
        CPU: 1.371s
     CGroup: /user.slice/user-1001.slice/user@1001.service/app.slice/docker.service
             ├─139263 rootlesskit --net=slirp4netns --mtu=65520 --slirp4netns-sandbox=auto --slirp4netns-seccomp=auto --disable-host-loopback --port-driver=builtin --copy-up=/etc --copy-up=/run --propagation=rslave /home/dockeruser/bin/dockerd-rootless.sh
             ├─139274 /proc/self/exe --net=slirp4netns --mtu=65520 --slirp4netns-sandbox=auto --slirp4netns-seccomp=auto --disable-host-loopback --port-driver=builtin --copy-up=/etc --copy-up=/run --propagation=rslave /home/dockeruser/bin/dockerd-rootless.sh
             ├─139296 slirp4netns --mtu 65520 -r 3 --disable-host-loopback --enable-sandbox --enable-seccomp 139274 tap0
             ├─139307 dockerd
             └─139324 containerd --config /run/user/1001/docker/containerd/containerd.toml
+ DOCKER_HOST=unix:///run/user/1001/docker.sock /home/dockeruser/bin/docker version
Client:
 Version:           24.0.7
 API version:       1.43
 Go version:        go1.20.10
 Git commit:        afdd53b
 Built:             Thu Oct 26 09:06:50 2023
 OS/Arch:           linux/arm64
 Context:           default

Server: Docker Engine - Community
 Engine:
  Version:          24.0.7
  API version:      1.43 (minimum version 1.12)
  Go version:       go1.20.10
  Git commit:       311b9ff
  Built:            Thu Oct 26 09:08:17 2023
  OS/Arch:          linux/arm64
  Experimental:     false
 containerd:
  Version:          v1.7.6
  GitCommit:        091922f03c2762540fd057fba91260237ff86acb
 runc:
  Version:          1.1.9
  GitCommit:        v1.1.9-0-gccaecfc
 docker-init:
  Version:          0.19.0
  GitCommit:        de40ad0
 rootlesskit:
  Version:          1.1.0
  ApiVersion:       1.1.1
  NetworkDriver:    slirp4netns
  PortDriver:       builtin
  StateDir:         /tmp/rootlesskit3294603730
 slirp4netns:
  Version:          1.2.0
  GitCommit:        656041d45cfca7a4176f6b7eed9e4fe6c11e8383
+ systemctl --user enable docker.service
Created symlink /home/dockeruser/.config/systemd/user/default.target.wants/docker.service → /home/dockeruser/.config/systemd/user/docker.service.
[INFO] Installed docker.service successfully.
[INFO] To control docker.service, run: `systemctl --user (start|stop|restart) docker.service`
[INFO] To run docker.service on system startup, run: `sudo loginctl enable-linger dockeruser`

[INFO] CLI context "rootless" already exists
[INFO] Using CLI context "rootless"
Current context is now "rootless"

[INFO] Make sure the following environment variable(s) are set (or add them to ~/.bashrc):
export PATH=/home/dockeruser/bin:$PATH

[INFO] Some applications may require the following environment variable too:
export DOCKER_HOST=unix:///run/user/1001/docker.sock

Do I need to do anything about this part?

and this part:

$ docker info
Client:
 Version:    24.0.7
 Context:    rootless
 Debug Mode: false
 Plugins:
  compose: Docker Compose (Docker Inc.)
    Version:  v2.21.0
    Path:     /usr/libexec/docker/cli-plugins/docker-compose

Server:
ERROR: Cannot connect to the Docker daemon at unix:///home/dockeruser/.docker/run/docker.sock. Is the docker daemon running?
errors pretty printing info

Specifically: ERROR: Cannot connect to the Docker daemon at unix:///home/dockeruser/.docker/run/docker.sock. Is the docker daemon running?

Thank you!

dockeruser@pi4-8-1:~$ docker run hello-world
docker: Cannot connect to the Docker daemon at unix:///home/dockeruser/.docker/run/docker.sock. Is the docker daemon running?.
See 'docker run --help'.
dockeruser@pi4-8-1:~$ docker ps
Cannot connect to the Docker daemon at unix:///home/dockeruser/.docker/run/docker.sock. Is the docker daemon running?
dockeruser@pi4-8-1:~$ sudo systemctl start docker
[sudo] password for dockeruser: 
dockeruser is not in the sudoers file.
dockeruser@pi4-8-1:~$ systemctl start docker
==== AUTHENTICATING FOR org.freedesktop.systemd1.manage-units ====
Authentication is required to start 'docker.service'.
Authenticating as: diet-cat
Password: 
==== AUTHENTICATION COMPLETE ====
dockeruser@pi4-8-1:~$ docker ps
Cannot connect to the Docker daemon at unix:///home/dockeruser/.docker/run/docker.sock. Is the docker daemon running?
dockeruser@pi4-8-1:~$ systemctl start docker
==== AUTHENTICATING FOR org.freedesktop.systemd1.manage-units ====
Authentication is required to start 'docker.service'.
Authenticating as: diet-cat
Password: 
==== AUTHENTICATION COMPLETE ====
dockeruser@pi4-8-1:~$ docker ps
Cannot connect to the Docker daemon at unix:///home/dockeruser/.docker/run/docker.sock. Is the docker daemon running?
dockeruser@pi4-8-1:~$ 

Is adding dockeruser to sudoers a good practice?
Is there a different way to fix this?

Thank you

This is what your install script is telling you
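As an added example, not from this thread or from the Docker or DietPi projects: a small POSIX sh script covering the two things the thread turned on. It checks the XDG_RUNTIME_DIR requirement from the fix above, and the socket mismatch visible in the last outputs: the first install run created the "rootless" context pointing at unix:///home/dockeruser/.docker/run/docker.sock, while the second run reports the daemon at unix:///run/user/1001/docker.sock, which is the likely reason docker ps cannot connect even though the user's docker.service shows active. Everything runs as the unprivileged user with no sudo; the --run flag and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the thread or the Docker/DietPi projects): rootless Docker session checks.

# Strip the unix:// scheme from a DOCKER_HOST-style endpoint, leaving the socket path.
socket_path_of() {
    case "$1" in
        unix://*) printf '%s\n' "${1#unix://}" ;;
        *)        printf '%s\n' "$1" ;;
    esac
}

# The setup tool expects XDG_RUNTIME_DIR to be logind's runtime dir, /run/user/<uid>.
xdg_runtime_dir_ok() {
    [ "$1" = "/run/user/$2" ]
}

# Compare where a client (context or DOCKER_HOST) points with where the daemon listens.
# Prints "match" or "mismatch: <client> vs <daemon>"; returns 1 on mismatch.
compare_sockets() {
    client=$(socket_path_of "$1")
    daemon=$(socket_path_of "$2")
    if [ "$client" = "$daemon" ]; then
        echo "match"
        return 0
    fi
    echo "mismatch: $client vs $daemon"
    return 1
}

# Live checks for the current user; run only with --run so the file can be sourced or
# tested on a machine without docker.
run_live_checks() {
    uid=$(id -u)
    if xdg_runtime_dir_ok "${XDG_RUNTIME_DIR:-}" "$uid"; then
        echo "ok: XDG_RUNTIME_DIR=$XDG_RUNTIME_DIR"
    else
        echo "warn: XDG_RUNTIME_DIR is '${XDG_RUNTIME_DIR:-unset}', expected /run/user/$uid"
    fi
    daemon_sock="unix:///run/user/$uid/docker.sock"   # where the rootless daemon listens
    ctx_sock=$(docker context inspect --format '{{.Endpoints.docker.Host}}' 2>/dev/null || true)
    [ -n "$ctx_sock" ] && compare_sockets "$ctx_sock" "$daemon_sock" || true
    if [ -S "$(socket_path_of "$daemon_sock")" ]; then
        echo "ok: daemon socket present"
    else
        echo "warn: no socket at $daemon_sock (is docker.service running under systemctl --user?)"
    fi
}

if [ "${1:-}" = "--run" ]; then run_live_checks; fi
```

If the check reports a mismatch, either point the context at the real socket (docker context update rootless --docker host=unix:///run/user/$(id -u)/docker.sock) or export DOCKER_HOST as the installer prints; both are done as the unprivileged user.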