support running docker in rootless mode? #3267

Closed
0tofu opened this issue Dec 25, 2021 · 4 comments
Labels: feature (Requesting that Lando do something new), linux (Deals specifically with Linux)

Comments

@0tofu

0tofu commented Dec 25, 2021

If you run lando with docker in rootless mode, the owner and group of the ~/.lando and hello directories will be changed and you will get a permission denied error and will not be able to run it.
ERROR ==> EACCES: permission denied, open '/home/xxxxx/.lando/cache/hello.build.lock'

Is there a way to run it in rootless mode or is there a plan to support it?

directory list

drwxrwxr-x 10     100500     100999 4096 Dec 25 06:48 .lando
drwxrwxr-x  2     100500     100999 4096 Dec 25 06:48 hello
  • lando version ... v3.6.0

docker version

Client: Docker Engine - Community
 Version:           20.10.12
 API version:       1.41
 Go version:        go1.16.12
 Git commit:        e91ed57
 Built:             Mon Dec 13 11:45:33 2021
 OS/Arch:           linux/amd64
 Context:           rootless
 Experimental:      true

Server: Docker Engine - Community
 Engine:
  Version:          20.10.12
  API version:      1.41 (minimum version 1.12)
  Go version:       go1.16.12
  Git commit:       459d0df
  Built:            Mon Dec 13 11:43:41 2021
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          1.4.12
  GitCommit:        7b11cfaabd73bb80907dd23182b9347b4245eb5d
 runc:
  Version:          1.0.2
  GitCommit:        v1.0.2-0-g52b36a2
 docker-init:
  Version:          0.19.0
  GitCommit:        de40ad0
@reynoldsalec reynoldsalec added the linux Deals specifically with Linux label Dec 27, 2021
@reynoldsalec

There aren't plans to support this in 3.x. @pirog would any of the architectural updates in 4.x help users run rootless?

@reynoldsalec reynoldsalec added the feature Requesting that Lando do something new label Dec 27, 2021
@pirog

pirog commented Jan 4, 2022

beyond the initial installation lando runs entirely in userspace, e.g. docker runs in rootless mode by default. we do not support the opposite, e.g. running lando, and by extension docker, as the root user.

so my guess is something else is going on here.

@reynoldsalec

@0tofu if you have further debugging explorations you'd like to do, feel free to reopen this or (perhaps better) jump on the Lando Slack: https://launchpass.com/devwithlando

Curious to hear if you figured something out!

@stephang

tl;dr

Lando won't run in Docker's rootless mode because it's using the wrong socket. It should use /run/user/$UID/docker.sock (user space) instead of /var/run/docker.sock (system-wide) as indicated by $DOCKER_HOST.

Seems to me that Lando is not entirely ready for rootless Docker.

Reproduce

I'm trying to get Lando running with Docker in rootless mode, using Ubuntu 21.10, Docker 20.10.12, Lando 3.6.0.

First, install Docker by following the official install instructions. On Ubuntu this eventually means

# ...
sudo apt install docker-ce docker-ce-cli containerd.io

Second, I follow the instructions for setting up rootless Docker. That includes:

# Disable system-wide docker service
sudo systemctl disable --now docker.service docker.socket

# Docker setup for current user
dockerd-rootless-setuptool.sh install

# Run docker service in user space
systemctl --user start docker

# Launch service on system startup
systemctl --user enable docker
sudo loginctl enable-linger $(whoami)

# Socket path is now in user space.
# See https://docs.docker.com/engine/security/rootless/#client
export DOCKER_HOST=unix://$XDG_RUNTIME_DIR/docker.sock

# Without this, lando init won't work. Not sure why.
docker context use rootless

Now rootless Docker works. We're trying without sudo:

docker run hello-world

Rootless Lando doesn't work. It does not understand we're now in rootless mode.

# Init works
lando init --recipe lamp --name rootless-test --webroot '.'

# Start fails
lando start
# Error message
Unhandled rejection Error: connect EACCES /var/run/docker.sock

Possible Solution

Lando uses a wrong socket path: /var/run/docker.sock instead of /run/user/$UID/docker.sock. The latter is indicated by $DOCKER_HOST, so Lando should use it but ignores it.

So we explicitly specify the socket path in ~/.lando/config.yml.

engineConfig:
  host: 127.0.0.1
  port: 4333
  # Replace MY_UID with your actual UID.
  socketPath: /run/user/MY_UID/docker.sock

Running lando start now works on non-privileged ports (e.g. http://localhost:49180).

Remaining issues:

  • lando start will complain about port 443, as we can't open privileged ports without root.
  • Rootless Docker mode messes up permissions in our home directory.
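
The manual step in the comment above (replacing MY_UID in socketPath), as an added shell example that is not part of the original thread and not Lando or Docker code: it derives the socket from $DOCKER_HOST, falls back to $XDG_RUNTIME_DIR, and checks that the socket belongs to the calling user before printing the engineConfig block. The function names are hypothetical; host and port are copied from the comment, and `stat -c` assumes GNU coreutils.

```shell
#!/bin/sh
# Added example: derive the rootless Docker socket path and print the
# engineConfig block for ~/.lando/config.yml. Function names are hypothetical.

# resolve_socket DOCKER_HOST XDG_RUNTIME_DIR UID -> prints the socket path.
resolve_socket() {
  case $1 in
    unix://*) # DOCKER_HOST already names a unix socket: strip the scheme
      printf '%s\n' "${1#unix://}" ;;
    '')       # DOCKER_HOST unset: use the rootless default location
      printf '%s\n' "${2:-/run/user/$3}/docker.sock" ;;
    *)        # tcp://, ssh:// etc. cannot be expressed as a socketPath
      echo "unsupported DOCKER_HOST (not a unix socket): $1" >&2
      return 1 ;;
  esac
}

# socket_owned_by PATH UID -> succeeds only if PATH is a socket owned by UID.
# The system-wide /var/run/docker.sock is root-owned, so it fails this check.
socket_owned_by() {
  [ -S "$1" ] && [ "$(stat -c %u "$1")" = "$2" ]
}

# engine_config SOCKET -> YAML with host and port as given in the comment.
engine_config() {
  printf 'engineConfig:\n  host: 127.0.0.1\n  port: 4333\n  socketPath: %s\n' "$1"
}

main() {
  sock=$(resolve_socket "${DOCKER_HOST:-}" "${XDG_RUNTIME_DIR:-}" "$(id -u)") || return 1
  if ! socket_owned_by "$sock" "$(id -u)"; then
    echo "warning: $sock is missing or not owned by uid $(id -u)" >&2
  fi
  engine_config "$sock"
}

main || echo "could not derive a socket path" >&2
```

The output goes to stdout so it can be reviewed before being merged into ~/.lando/config.yml; the ownership warning goes to stderr.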
