# EVA Lab - Rootless docker 使用說明 說明如何在 EVA Lab 的機器上使用 rootless docker [TOC] ## Limitations * 不可對外 TCP/UDP ports < 1024 * 其他限制請參見 [Known limitations - Run the Docker daemon as a non-root user (Rootless mode)](https://docs.docker.com/engine/security/rootless/#known-limitations) ## Notices * 支援以下 container 資源限制 * `cpu` * `cpuset` * `io` * `memory` * `pids` * 支援以下 docker runtimes :::info :bulb: 也可使用 `docker info | grep "Runtimes"` 查看目前支援的 runtimes ::: * `nvidia` * `runc` * docker runtime 預設使用 `runc` 如需使用 GPU，請參照 [How to use GPU in container](#How-to-use-GPU-in-container) * 基於安全性 :Warning:，未來將會開啟防火牆，限制對外服務 ## Get Started 如第一次使用此服務，請按照以下步驟進行初次設定 ```bash= # 設定 rootless 環境 dockerd-rootless-setuptool.sh install # 啟用開機時自動執行 docker 服務 systemctl --user enable docker loginctl enable-linger $(whoami) ``` ## Usage ### Daemon ```bash= # The daemon config is located at ~/.config/docker/daemon.json # The systemd unit file is installed as ~/.config/systemd/user/docker.service # 查看 docker 服務狀態 systemctl --user status docker # 啟動 docker 服務 systemctl --user start docker # 停止 docker 服務 systemctl --user stop docker.service docker.socket # 啟用開機時自動執行 docker 服務，並立即執行 systemctl --user enable --now docker # 關閉開機時自動執行 docker 服務，並立即執行 systemctl --user disable --now docker ``` ### Client #### Basic ```bash= # 查看 docker 資訊 docker info # 查看目前正在執行的 containers docker ps # 查看所有 containers docker ps -a # 啟動 container docker start {container} # 停止 container docker stop {container} # 重新啟動 container docker restart {container} # 執行 container docker run {...} ``` #### Clean cache ```bash= # 清理未使用的 images docker system prune # 清除所有 images docker system prune -a # 清理所有 volumes docker system prune --volumes ``` ### Others ```bash= # 切換 docker context docker context use rootless ``` ## Best Practices * Always use the resources as you need, please check [How to limit resources](#How-to-limit-resources) * Always specify gpu ids, instead of `--gpus all` * Clean cache periodically ## Tutorials ### How to limit resources Please refer to [Runtime options with Memory, CPUs, and GPUs](https://docs.docker.com/config/containers/resource_constraints/) ### How to use GPU in container #### Setup ```bash= # Make a folder for rootless docker config mkdir -p ~/.config/docker # Add nvidia runtime to rootless docker nvidia-ctk runtime configure --config ~/.config/docker/daemon.json --runtime=docker # Restart docker.service systemctl --user restart docker ``` #### Sample usage ```bash= # Run nvidia-smi docker run --rm --runtime=nvidia --gpus all ubuntu nvidia-smi # Specify gpu ids & run nvidia-smi docker run --rm --runtime=nvidia --gpus '"device=0,1,2,3"' ubuntu nvidia-smi ``` ### How to set nvidia runtime as default :::warning :warning: It is not recommended to set nvidia runtime as default. Please run container with `--runtime=nvidia` when you needed. ::: ```bash= # After running these commands, # you do not need to add --runtime=nvidia to docker run command anymore. # Edit daemon.json nano ~/.config/docker/daemon.json # Add default-runtime config like below { "default-runtime": "nvidia", "runtimes": {...} } # Reload docker config systemctl --user reload docker # Check default runtime docker info | grep "Default Runtime" ``` ## Troubleshooting ### Ping doesn't work 請聯絡網管 ### VSCode dev container #### Cannot run container as non-root user By default, the `root` user in rootless container is mapped to UID/GID of your host user. So, the simplest solution is to set the `remoteUser` as `root` in `devcontainer.json`. For other solutions, you could check [microsoft/vscode-remote-release - Issue #4646](https://github.com/microsoft/vscode-remote-release/issues/4646#issuecomment-1320313802). ### Others 請聯絡網管並截圖 `systemctl --user status docker` 資訊