Tutoring and Help with RunImage #13

fwn0 opened this issue Jan 11, 2025 · 6 comments

fwn0 commented Jan 11, 2025

Hello Maxim,
I am already looking forward to the upcoming runimage 0.40.1, which you are currently preparing (as I see in your GitHub activity).
But now I have a request for you. I don't understand exactly how your fake-systemd works for starting docker. I have installed docker and docker-compose in the runimage with pac, but now I can't figure out how to start the daemon with fake-systemd before rebuilding a new runimage-docker. I mean, how do I use the standard commands systemctl start docker.service and systemctl enable docker.service in the new runimage-docker?
I also wanted to ask what the structure of containers, images and volumes should look like. Can docker in runimage then serve the containers, images, etc. only in runimage, which are placed on rootfs or overlayfs, or also outside of runimage, e.g. on ~/ri-portable-progs?

@VHSgunzo
Owner

@fwn0
Hi! Fully running the docker daemon requires elevated privileges (even for rootless mode). But I still managed to run the docker daemon in runimage. Here is a rough order of operations:

Create docker dir:

mkdir docker

Run runimage in overlayfs mode, with sandbox network and with bubblewrap fake root and with bind docker dir:

OVERFS_ID=docker KEEP_OVERFS=1 SANDBOX_NET=1 ./runimage --uid 0 --gid 0 --bind "$PWD/docker" /var/lib/docker bash

Install docker:

# update packages:
runupdate

pac --noconfirm -S docker

Run the docker daemon in the runimage network sandbox on 127.0.0.1:1337:

/usr/bin/dockerd -H tcp://127.0.0.1:1337 --seccomp-profile unconfined --rootless --no-new-privileges &>/dev/null &

And now you can run docker:

DOCKER_HOST=tcp://127.0.0.1:1337 docker run --rm -i -v /dev:/dev alpine:latest cat /etc/os-release 

But there are some limitations:

  • I have not yet managed to solve the lchown problem when pulling some container images (for example debian:latest)
  • You can't remove the -v /dev:/dev bind or you will get the /dev/pts error
  • Even with the -v /dev:/dev bind there is no way to allocate a full-fledged pseudo terminal or you will get the /dev/console error.

I may need to analyze the dockerd source code (runc, containerd) and apply some tricks to fix these errors (as I already did for runimage-openssh). I would be glad to have help in this endeavor.

Alternatively, you can use udocker as an option. This is not a full-fledged replacement for docker, but it's still not bad either.
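
A check related to the `-H tcp://127.0.0.1:1337` step above, added here as an example and not part of the original comment or the runimage project: a plain TCP Docker socket has no TLS or authentication, so it is worth confirming that the listener is bound to loopback only. The function name `loopback_only` and the sample lines are constructed for illustration; input is `ss -ltn`-style output.

```shell
#!/bin/sh
# Added example: confirm that a TCP port is bound to loopback only.
# Reads `ss -ltn`-style lines on stdin:
#   State Recv-Q Send-Q Local-Address:Port Peer-Address:Port
# Exit status: 0 = loopback only, 1 = non-loopback listener, 2 = not listening.
loopback_only() {
    awk -v port="$1" '
        $1 == "LISTEN" {
            addr = $4
            n = split(addr, parts, ":")
            if (parts[n] != port) next          # different port, ignore
            # Everything before the final ":port" is the bind address.
            host = substr(addr, 1, length(addr) - length(parts[n]) - 1)
            seen = 1
            if (host !~ /^127\./ && host != "[::1]") {
                bad = 1
                print "exposed: " addr
            }
        }
        END { if (bad) exit 1; if (!seen) exit 2; exit 0 }
    '
}

# Constructed sample output (not captured from a real host).
SAMPLE='State  Recv-Q Send-Q Local-Address:Port Peer-Address:Port
LISTEN 0      4096   127.0.0.1:1337     0.0.0.0:*
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*'

printf '%s\n' "$SAMPLE" | loopback_only 1337 && echo "1337: loopback only"
```

Inside the runimage session the same function can be fed live data with `ss -ltn | loopback_only 1337`.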

@fwn0
Author

fwn0 commented Jan 15, 2025

Thank you for your introduction Maxim,

it may not be necessary to install docker or podman. I will now experiment a bit with crun. Maybe it will be much easier to run the docker images, containers, volumes with crun.

@fwn0
Author

fwn0 commented Feb 2, 2025

I have managed to create a running rootless alpine container with 0.40.4 using crun (without podman or docker). Unfortunately I couldn't find out how to activate internet connection as well. I tried to configure it with RIM_RESOLVCONF_FILE=/path/resolv.conf, but so far I have no connection.

Can you please give me instructions on how to create the connection in docker-container?

But now I have another problem with user/group. I would like to create jellyfin server with client in RunImage, but as you can see, here is a problem.

artix-pc:[artix]:/Devel/RIM/Arch$ RIM_ALLOW_ROOT=1 RIM_OVERFS_MODE=1 RIM_OVERFS_ID=core ./runimage rim-shell
Ignoring invalid max threads value 4294967295 > max (100000).
[ INFO ][2025.02.02 13:34:30]: Attaching to OverlayFS: core
┌─[artix@artix-pc]:[/Devel/RIM/Arch]:[13:34:36]
└──╼ $ useradd -U jellyfin
useradd: cannot open /etc/passwd
┌─[✗]─[artix@artix-pc]:[/Devel/RIM/Arch]:[13:34:46]
└──╼ $ systemctl start jellyfin
ERROR:systemctl: jellyfin.service: User does not exist: jellyfin (Mapping key not found.)
ERROR:systemctl: jellyfin.service: Group does not exist: jellyfin (Mapping key not found.)
ERROR:systemctl: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
ERROR:systemctl: Oops, 1 user names and 1 group names were not found. Refusing.
ERROR:systemctl: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
┌─[✗]─[artix@artix-pc]:[/Devel/RIM/Arch]:[13:35:28]

How can I solve the problem(s) ?

@VHSgunzo
Owner

VHSgunzo commented Feb 3, 2025

> I have managed to create a running rootless alpine container with 0.40.4 using crun (without podman or docker). Unfortunately I couldn't find out how to activate internet connection as well. I tried to configure it with RIM_RESOLVCONF_FILE=/path/resolv.conf, but so far I have no connection.
> Can you please give me instructions on how to create the connection in docker-container?

@fwn0
Hi! In that case, wouldn't it be easier to use the built-in functionality of the custom rootfs?
https://github.com/VHSgunzo/runimage?tab=readme-ov-file#runimage-custom-rootfs

> But now I have another problem with user/group. I would like to create jellyfin server with client in RunImage, but as you can see, here is a problem.

By default, runimage binds groups and users from the host. To change this, you can use RIM_UNSHARE_USERS=1, and then you can add groups and users in the container. But there's a catch: because it's a container in an unprivileged user namespace, you won't be able to really change the user or group, so you can use, for example, fakeroot with the fake user's UID inside the container, if the application really needs to change the user or group during operation (like for apt or pacman).
https://salsa.debian.org/clint/fakeroot/-/blob/master/communicate.h?ref_type=heads#L102-L109

FAKEROOTEUID=2 fakeroot id -un 


In the case of systemd units, you can try to remove user and group changes from the unit.

@VHSgunzo
Owner

VHSgunzo commented Feb 3, 2025

For jellyfin

RIM_OVERFS_ID=jellyfin RIM_KEEP_OVERFS=1 ./runimage

pac -Sy jellyfin-server jellyfin-web
sed -i '/^User/d;/^Group/d' /usr/lib/systemd/system/jellyfin.service
mkdir -p /var/lib/jellyfin
systemctl start jellyfin -vvv

or you can add the necessary services to autostart

systemctl enable jellyfin -vvv

and then use init

RIM_OVERFS_ID=jellyfin RIM_KEEP_OVERFS=1 ./runimage systemctl init
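
To find which units would hit the "User does not exist" refusal shown earlier in this thread before editing them, the following added example (not from the original comments or the runimage project) lists `.service` files whose `User=`/`Group=` names are absent from the given passwd and group files. The function names, the sample unit and the sample passwd entries are constructed; it reads the files directly rather than going through NSS.

```shell
#!/bin/sh
# Added example: report systemd units whose User=/Group= names cannot be
# resolved from the given passwd/group files.
# Usage: missing_unit_users UNIT_DIR [PASSWD_FILE] [GROUP_FILE]

name_known() {   # $1 = name, $2 = passwd- or group-format file
    case "$1" in
        *[!0-9]*) cut -d: -f1 "$2" | grep -qxF -- "$1" ;;
        *) return 0 ;;   # empty or numeric ID: nothing to look up
    esac
}

missing_unit_users() {
    dir="$1"; passwd="${2:-/etc/passwd}"; group="${3:-/etc/group}"
    for unit in "$dir"/*.service; do
        [ -f "$unit" ] || continue
        # Match the directive exactly ("User=", not any line starting "User");
        # if it is assigned more than once, the last assignment is used.
        u=$(sed -n 's/^User=//p' "$unit" | tail -n 1)
        g=$(sed -n 's/^Group=//p' "$unit" | tail -n 1)
        if ! name_known "$u" "$passwd"; then
            echo "$(basename "$unit"): User=$u not found"
        fi
        if ! name_known "$g" "$group"; then
            echo "$(basename "$unit"): Group=$g not found"
        fi
    done
}

# Constructed sample data (not the real jellyfin.service or a real passwd).
demo=$(mktemp -d)
printf '[Service]\nUser=jellyfin\nGroup=jellyfin\nExecStart=/usr/bin/true\n' \
    > "$demo/jellyfin.service"
printf '[Service]\nUser=root\nExecStart=/usr/bin/true\n' > "$demo/other.service"
printf 'root:x:0:0::/root:/bin/sh\nartix:x:1000:1000::/home/artix:/bin/sh\n' \
    > "$demo/passwd"
printf 'root:x:0:\nartix:x:1000:\n' > "$demo/group"

missing_unit_users "$demo" "$demo/passwd" "$demo/group"
```

Removing `User=`/`Group=` from a reported unit, as the `sed` command above does, means the service runs as whatever user the container session is running as.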

@VHSgunzo
Owner

VHSgunzo commented Feb 6, 2025

@fwn0

sed -i '/^User/d;/^Group/d' /usr/lib/systemd/system/jellyfin.service
mkdir -p /var/lib/jellyfin

In v0.40.5, a pacman hook has now been added to the fake-systemd package, which fixes SystemD units. So now all you have to do is just install jellyfin and run it:

RIM_OVERFS_ID=jellyfin RIM_KEEP_OVERFS=1 ./runimage

pac -Sy jellyfin-server jellyfin-web

systemctl start jellyfin -vvv
