plugin on COS (Computer-Optimized OS) #10463

Closed
yan-hic opened this issue Apr 12, 2023 · 3 comments

yan-hic commented Apr 12, 2023

Description

https://docs.docker.com/compose/install/linux/#install-the-plugin-manually does not work as-is for a locked-down file system like COS (https://cloud.google.com/container-optimized-os/docs/concepts/disks-and-filesystem).

Background: COS is very restricted (for a reason) so one can't install using a package manager and most mounts are noexec.

One workaround is to sudo mount a new dir in /mnt/disks e.g. /mnt/disks/docker, curl the standalone compose there, change permission (executable, all users).
All good and docker-compose works (COS has the docker engine/CLI).

However, it would be good if it could integrate as intended with the CLI. To do so, a new env var must exist in my mind telling the CLI where to look for cli-plugins instead of (or in addition to) $DOCKER_CONFIG/cli_plugins.

Also, does docker-compose exist as a Python script? COS has Python (3.8) installed and so python docker-compose.py would not require the hacks.

Author

yan-hic commented Apr 12, 2023

Never mind, I found a solution that works for any CLI plugin (if any other) thanks to symlinks, and that is stateful - /mnt/disks is not, meaning it's lost when rebooting.

Run this once only, and you can then run compose with docker compose (no dash):

DOCKER_CONFIG=${DOCKER_CONFIG:-$HOME/.docker}
CLI_PLUGINS=/var/lib/docker/cli-plugins
mkdir -p $DOCKER_CONFIG
sudo mkdir -p $CLI_PLUGINS
sudo curl -SL https://github.com/docker/compose/releases/download/v2.17.2/docker-compose-linux-x86_64 -o $CLI_PLUGINS/docker-compose
sudo chmod -R 755 /var/lib/docker
ln -s $CLI_PLUGINS $DOCKER_CONFIG/cli-plugins

Works like a charm and better in my mind than using DIND.

Member

milas commented Apr 12, 2023

Awesome, I'm glad you got this working!

Contributor

x-yuri commented Dec 11, 2023

sudo chmod -R 755 /var/lib/docker? Not only did you make /var/lib/docker accessible (whereas usually it's not), but you also set 755 for every file and directory inside /var/lib/docker. @milas How does that sound? Is it just me or does it sound like making the instance less secure (I suppose there's a reason for /var/lib/docker to have no o+x)? Especially considering this:

With Container-Optimized OS, you can bring up your containers on Google Cloud Platform quickly, efficiently, and securely.

I'd suggest not storing docker-compose in /var/lib/docker because then o+x needs to be added.

The writable and executable mounts are:

  • /var/lib/{google,docker,toolbox} (stateful)
  • /var/lib/cloud (stateless, tmpfs, 2 MB)
  • /mnt/disks (stateless, tmpfs, 256 KB)

/var/lib/{google,docker,toolbox} seems like the best option, and /var/lib/google is better than /var/lib/docker because it has o+x:

$ sudo curl -sSL \
  https://github.com/docker/compose/releases/download/v2.23.3/docker-compose-linux-x86_64 \
  -o /var/lib/google/docker-compose
$ sudo chmod o+x /var/lib/google/docker-compose
$ mkdir -p ~/.docker/cli-plugins
$ ln -sf /var/lib/google/docker-compose \
  ~/.docker/cli-plugins/docker-compose
$ docker compose version

the official installation instructions
where docker looks for plugins

Alternatively one can use the docker image. Using alias:

~/.profile:

if [ -f ~/.bashrc ]; then . ~/.bashrc; fi

~/.bashrc:

alias docker-compose='docker run --rm docker compose'

$ docker-compose version

Using a function:

~/.profile:

docker() {
    if [ "$1" = compose ]; then
        command docker run --rm docker "$@"
    else
        command docker "$@"
    fi
}
export -f docker

$ docker compose version

Using a script:

/var/lib/google/bin/docker:

#!/bin/sh -eu
if [ "${1:-}" = compose ]; then
    /usr/bin/docker run --rm docker "$@"
else
    /usr/bin/docker "$@"
fi

~/.profile:

export PATH=/var/lib/google/bin:$PATH

$ sudo chmod o+x /var/lib/google/bin/docker
$ docker compose version
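
The permission concern raised in the last comment can be checked mechanically. The script below is an added example, not code from any participant in this thread: it builds a constructed stand-in for /var/lib/docker (the 0710 starting mode and the file names are assumptions) and counts the entries that grant any access to "other" before and after `chmod -R 755`.

```shell
#!/bin/sh
# Added example. The tree is a constructed stand-in for /var/lib/docker; on a
# real host, run the audit functions against the real path with sudo.

# List entries under $1 that grant any permission bit (r, w or x) to "other".
list_other_access() {
    find "$1" \( -perm -004 -o -perm -002 -o -perm -001 \) -print
}

# Number of entries under $1 reachable through "other" permission bits.
count_other_access() {
    list_other_access "$1" | wc -l | tr -d ' '
}

# Succeeds if users outside owner/group can traverse into directory $1 (o+x).
other_can_enter() {
    [ -n "$(find "$1" -prune -perm -001 -print)" ]
}

# Constructed sample: private data plus a plugin directory, root dir mode 0710
# (assumed starting mode, with no access for "other").
make_sample_tree() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/volumes/db/_data" "$root/cli-plugins"
    echo 'constructed secret' > "$root/volumes/db/_data/password.txt"
    echo 'constructed binary' > "$root/cli-plugins/docker-compose"
    chmod -R go-rwx "$root"
    chmod 710 "$root"
    echo "$root"
}

# Show the audit result before and after the recursive chmod from the thread.
demo() {
    tree=$(make_sample_tree) || return 1
    echo "before: $(count_other_access "$tree") entries open to other"
    chmod -R 755 "$tree"
    echo "after chmod -R 755: $(count_other_access "$tree") entries open to other"
    list_other_access "$tree"
    rm -rf "$tree"
}

demo
```

After the recursive chmod, every entry in the tree, including the sample secret file, is listed as readable by any local user.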
