
Docker rootless Ansible role

An Ansible role to install and configure a Docker daemon running as a non-root user.

Do not use any of this without first testing in a non-operational environment.

Rootless mode allows running the Docker daemon and containers as a non-root user to mitigate potential vulnerabilities in the daemon and the container runtime. (docker)

Note: a SLSA artifact is available under the slsa action workflow for verification.

Requirements

---
roles:
  - name: konstruktoid.docker_rootless
    version: v0.52.0
    src: https://github.com/konstruktoid/ansible-role-docker-rootless.git
    scm: git

Playbook example

---
- hosts: all
  any_errors_fatal: true
  tasks:
    - name: Include the konstruktoid.docker_rootless role
      ansible.builtin.import_role:
        name: konstruktoid.docker_rootless

Role Variables with defaults

---
docker_add_alias: true
docker_allow_ping: false
docker_allow_privileged_ports: false
docker_compose: false
docker_compose_arch: x86_64
docker_compose_release: v2.29.1
docker_compose_release_shasum: 5ea89dd65d33912a83737d8a4bf070d5de534a32b8493a21fbefc924484786a9
docker_compose_url: https://github.com/docker/compose/releases/download
docker_daemon_json_template: daemon.json.j2
docker_release: 27.1.1
docker_release_rootless_shasum: 31cffd0f0c84ead9a5b28c1ad0c8e56eb9ef352036099a1f6501315574d4f63e
docker_release_shasum: 118da6b8fc8e8b6c086ab0dd5e64ee549376c3a3f963723bbc9a46db475bf21f
docker_repository_template: docker.repo.j2
docker_rootful_enabled: false
docker_rootful: false
docker_rootful_opts: false
docker_rootful_service_template: docker_rootful.service.j2
docker_rootless_script_template: docker_rootless.sh.j2
docker_rootless_service_template: docker_rootless.service.j2
docker_service_restart: true
docker_url: https://download.docker.com/linux/static/stable/x86_64
docker_user_bashrc: false
docker_user: dockeruser

Before using this role you first have to decide whether to install Docker using the packages available to the distribution, also known as the "rootful" installation since it requires root permissions and installs the upstream Docker daemon, or to download the static binaries and do a manual install.

If you set docker_rootful: false, the role downloads the static binaries and does a manual install, which does not require any root permissions.

If docker_rootful: true, then docker_rootful_enabled decides whether the daemon should be enabled as a service or not.

docker_service_restart restarts the rootless service after the Docker binaries have been extracted. This may affect any running containers.

Using docker_rootful: true and docker_rootful_enabled: true results in a standard Docker installation with an additional Docker daemon running as a non-root user.

Note that Debian 10 and earlier require docker_rootful: false due to missing dependencies.

The docker_url, docker_release, docker_compose_url and docker_compose_release variables define where the relevant binaries are found and which version to use when doing a manual installation.

You define the name of the Docker user that will be created with the docker_user variable. This user downloads and installs the binaries if docker_rootful: false; otherwise it is the user that runs the rootless installation script and starts an isolated daemon.

Note that the sole purpose of the docker_user is to run the Docker daemon and related containers; it is not meant for system administration or for use as a regular user.

docker_release_shasum, docker_release_rootless_shasum and docker_compose_release_shasum are used to verify the files when they are downloaded using the get_url module. docker_release_shasum is used for the Docker .tgz file and docker_release_rootless_shasum for the docker-ce-rootless-extras package.
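The integrity gate that the *_shasum variables drive, written out as an added example for this page (it is not the role's own code): a pair of POSIX shell functions that compute a file's SHA-256, compare it with the expected sum, and only then extract a static Docker tarball. The file paths, destination directory and the sample digests used when calling it are assumptions; on a real host the expected sums are the values of docker_release_shasum, docker_release_rootless_shasum and docker_compose_release_shasum.

```shell
#!/bin/sh
# Added example, not part of the role: reproduce by hand the checksum check
# that the role's get_url tasks perform before a static Docker tarball is
# extracted. Paths and digests passed in are assumptions for illustration.

# Print the SHA-256 of a file; works with coreutils sha256sum or BSD shasum.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Return 0 only when the file's digest equals the expected one.
# The comparison is case-insensitive because release notes and role
# variables sometimes differ in hex casing.
verify_sha256() {
    file="$1"; expected="$2"
    [ -f "$file" ] || return 1
    actual=$(sha256_of "$file")
    expected=$(printf '%s' "$expected" | tr 'A-F' 'a-f')
    [ "$actual" = "$expected" ]
}

# Extract a Docker static tarball (docker/dockerd, docker/containerd, ...)
# into DEST only after the digest matches. A mismatch leaves the archive
# untouched and returns non-zero so a caller under `set -e` stops here.
extract_if_verified() {
    tgz="$1"; expected="$2"; dest="$3"
    if verify_sha256 "$tgz" "$expected"; then
        mkdir -p "$dest" && tar -xzf "$tgz" -C "$dest"
    else
        echo "checksum mismatch for $tgz, refusing to extract" >&2
        return 1
    fi
}

# Example use, with an assumed download path and the role variable values:
#   extract_if_verified /tmp/docker-27.1.1.tgz "$docker_release_shasum" ~/bin-staging
```

The point of keeping verification and extraction in one function is that the archive can never be unpacked on the "happy path" without the digest having been checked first; a separate verify step is easy to forget or to reorder in a playbook.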

docker_rootful_opts holds the options to apply to the Docker daemon when running in rootful mode; if unset, the settings in docker_rootful_service_template are used.

If docker_add_alias: true, then a docker alias is added to either .bashrc or .bash_aliases of the Ansible user. If false, a shell script named docker_rootless.sh is created in the Ansible user's home directory. It works as a substitute for the docker command so that the Ansible user can use the rootless Docker installation of the docker_user.

If docker_compose: true, then the Docker compose plugin or docker-compose will be installed. docker_compose_arch defines the architecture of the docker-compose binary.

If docker_user_bashrc: true, a .bashrc with completion for the docker and docker compose commands is placed in the docker_user home.

The docker_allow_privileged_ports variable configures whether exposing privileged ports (< 1024) is allowed.

The docker_allow_ping variable configures whether unprivileged users can open ICMP echo sockets. On some distributions this is not allowed, so containers cannot ping the outside.

The variables named *_template are the locations of the templates in use, which makes it easier to replace them with custom ones.

The most important template is most likely docker_daemon_json_template: daemon.json.j2, which is the location of the Docker daemon.json configuration file template.

Container management

Standalone container

Running containers is not that much different from when a rootful Docker daemon is used, but you still need to become the unprivileged user and adapt any paths to that user's working directories.

If docker_add_alias: true is used, the docker command is available as usual for the Ansible user, too. Type alias in the shell to see the alias definition.

- name: Register Docker user info
  become: true
  ansible.builtin.user:
    name: "{{ docker_user }}"
  check_mode: true
  register: docker_user_info

- name: Example container block
  environment:
    XDG_RUNTIME_DIR: "/run/user/{{ docker_user_info.uid }}"
    PATH: "{{ docker_user_info.home }}/bin:{{ ansible_env.PATH }}"
    DOCKER_HOST: "unix:///run/user/{{ docker_user_info.uid }}/docker.sock"
  block:
    - name: Nginx container
      become: true
      become_user: "{{ docker_user }}"
      community.docker.docker_container:
        name: nginx
        image: konstruktoid/nginx
        state: started
        cap_drop: all
        capabilities:
          - chown
          - dac_override
          - net_bind_service
          - setgid
          - setuid
        pull: true
        hostname: "{{ ansible_nodename }}"
        container_default_behavior: compatibility
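The environment the block above passes in (XDG_RUNTIME_DIR, DOCKER_HOST and PATH) is the same one the docker_rootless.sh substitute described under docker_add_alias needs, and it is what goes missing in the "cannot connect to the daemon" situations. The following is an added example and not the role's template: a small POSIX shell wrapper that derives those values from the docker_user's uid and home directory, checks that the rootless daemon's socket actually exists before trying to talk to it, and only then runs docker as that user via sudo. The function names, the RUN_DIR override and the DOCKER_USER default are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not the role's docker_rootless.sh: derive the rootless
# daemon environment from the docker_user, verify the socket is present,
# and run docker as that user. DOCKER_USER defaults to the role default.

DOCKER_USER="${DOCKER_USER:-dockeruser}"

# Print the three assignments a rootless client needs, one per line,
# for a given uid and home directory (assumed inputs, not looked up here).
rootless_env_for() {
    uid="$1"; home="$2"
    printf 'XDG_RUNTIME_DIR=/run/user/%s\n' "$uid"
    printf 'DOCKER_HOST=unix:///run/user/%s/docker.sock\n' "$uid"
    printf 'PATH=%s/bin:%s\n' "$home" "$PATH"
}

# Path of the rootless daemon socket for a uid. RUN_DIR (assumed variable)
# lets the check be pointed at a test directory instead of /run.
rootless_socket_path() {
    printf '%s/user/%s/docker.sock' "${RUN_DIR:-/run}" "$1"
}

# Return 0 only when the socket exists and is a socket, i.e. the user-scope
# docker.service is up; a plain file or a missing path fails the check.
rootless_socket_ready() {
    [ -S "$(rootless_socket_path "$1")" ]
}

# Run `docker "$@"` as DOCKER_USER with the derived environment. Needs sudo
# rights to that user. Failing early on a missing socket gives a clearer
# message than the client's generic connection error.
run_docker_rootless() {
    uid=$(id -u "$DOCKER_USER") || return 1
    home=$(getent passwd "$DOCKER_USER" | cut -d: -f6)
    if ! rootless_socket_ready "$uid"; then
        echo "rootless socket $(rootless_socket_path "$uid") not found;" \
             "is docker.service running in the user scope of $DOCKER_USER?" >&2
        return 1
    fi
    sudo -u "$DOCKER_USER" env \
        "XDG_RUNTIME_DIR=/run/user/$uid" \
        "DOCKER_HOST=unix:///run/user/$uid/docker.sock" \
        "PATH=$home/bin:$PATH" \
        docker "$@"
}

# Example use from the Ansible user: run_docker_rootless ps
```

Because the socket lives under /run/user/UID, it only exists while the docker_user has a running user-scope docker.service (or lingering enabled); the wrapper therefore doubles as a quick diagnostic when a playbook task that uses the same environment fails.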

Docker compose service

- name: Register Docker user info
  become: true
  ansible.builtin.user:
    name: "{{ docker_user }}"
  check_mode: true
  register: docker_user_info

- name: Example docker compose block
  become: true
  become_user: "{{ docker_user }}"
  environment:
    XDG_RUNTIME_DIR: /run/user/{{ docker_user_info.uid }}
    PATH: "{{ docker_user_info.home }}/bin:{{ ansible_env.PATH }}"
    DOCKER_HOST: "unix:///run/user/{{ docker_user_info.uid }}/docker.sock"
  block:
    - name: Install pip dependencies
      ansible.builtin.pip:
        name:
          - docker<7 # https://github.com/docker/docker-py/issues/3194
          - docker-compose

    - name: Create and start services
      community.docker.docker_compose:
        project_src: /var/tmp/
        files: "{{ docker_user }}-docker-compose.yml"
      register: compose_output

Testing with molecule

If Ansible Molecule with the vagrant plugin and related software is installed, running molecule test is supported.

tox -l will list all available tox test environments.

Contributing

Do you want to contribute? Great! Contributions are always welcome, no matter how large or small. If you found something odd, feel free to submit an issue, improve the code by creating a pull request, or sponsor this project.

License

Apache License Version 2.0

Author Information

https://github.com/konstruktoid


Issues

IPv6 does not work

Hi there,

we tried getting rootlesskit (with slirp4netns) by following the documentation over here: https://wiki.archlinux.org/title/docker#IPv6 to enable outgoing traffic to IPv6-only hosts and even added the corresponding flag to the rootlesskit command in the systemd unit. Is there a way to enable rootless containers to connect to IPv6 hosts? And if so, might it make sense to include its configuration here as a variable? Would love to collaborate on this but at the moment I'm out of ideas.

Many thanks for considering!

The conditional check 'not docker_user_bashrc.stat.exists' failed. The error was: error while evaluating conditional


TASK [ansible-roles/ansible-role-docker-rootless : Create Docker user .bashrc] **************************************************************************************************************************************
fatal: [65.75.210.202]: FAILED! => {"msg": "The conditional check 'not docker_user_bashrc.stat.exists' failed. The error was: error while evaluating conditional (not docker_user_bashrc.stat.exists): 'bool object' has no attribute 'stat'. 'bool object' has no attribute 'stat'\n\nThe error appears to be in '/Users/michael/Scripts/provision-server/ansible-roles/ansible-role-docker-rootless/tasks/bashrc.yml': line 8, column 3, but may\nbe elsewhere in the file depending on the exact syntax problem.\n\nThe offending line appears to be:\n\n\n- name: Create Docker user .bashrc\n  ^ here\n"}

.bash_aliases and .bashrc are created in wrong user's directory

I ran this role against a server where the docker_user differed from the ansible_user, all using default options.

The tasks included these:

[screenshot of the task output; image not included on this page]

It seems it modified the .bash_aliases of the ansible_user, and not the docker_user.

The error seems to be here:

https://github.com/konstruktoid/ansible-docker-rootless/blob/88fd38143bdc436355d914525caff1e5db95b3f4/tasks/main.yml#L49

Should this be the docker_user? (Also affects surrounding tasks.)

Dependencies on Debian 10

Thanks for this awesome role.

On Debian 10 (buster) I needed to install python3-setuptools to install docker via pip.
To run actual containers, I also needed python3-six.

I suggest adding both as dependencies and installing them automatically.

Action Required: Fix Renovate Configuration

There is an error with this repository's Renovate configuration that needs to be fixed. As a precaution, Renovate will stop PRs until it is resolved.

Error type: Cannot find preset's package (github>whitesource/merge-confidence:beta)

Unable to deploy container

Hello, thank you so much for this code. The rootless docker installs fine and docker is available to the dedicated user. I can run docker ps and see there are no containers. However, when I try to deploy the container using Ansible, I am getting the following error:

FAILED! => {"changed": false, "msg": "Failed to import the required Python library (Docker SDK for Python: docker (Python >= 2.7) or docker-py (Python 2.6)) on host machine's Python /usr/bin/python3. Please read module documentation and install in the appropriate location. If the required library is installed, but Ansible is using the wrong Python interpreter, please consult the documentation on ansible_python_interpreter, for example via pip install dockerorpip install docker-py (Python 2.6). The error was: No module named 'requests'"}

I have logged into dedicated user and checked version of Python, and everything checks out. Any help would be much appreciated.

Using a private registry

Hi,
firstly thanks for this good job. Do you plan to use a private registry with authentication to pull your images? Or do you see a way to do this?

thx

Cannot connect to the rootless daemon via SSH due to missing DOCKER_HOST variable

When I am trying to connect to a rootless daemon via e.g. the Docker SDK for Python, I'm getting an error message if the DOCKER_HOST variable is not globally available on the host where the daemon is running. A simple fix would be to set this variable globally, e.g. in /etc/environment.

Please let me know if there is a more elegant solution or if this is out of scope.

Many thanks!

Error running hello-world on Raspberry PI 4 running raspbian OS

I installed this on the raspbian OS 64 bit on my raspberry Pi 4. The installation went successfully,
but when I tried to run the hello-world container I got the following error.

Unable to find image 'hello-world:latest' locally
latest: Pulling from library/hello-world
7050e35b49f5: Pull complete
Digest: sha256:62af9efd515a25f84961b70f973a798d2eca956b1b2b026d0a4a63a3b0b6a3f2
Status: Downloaded newer image for hello-world:latest
docker: Error response from daemon: failed to create shim task: OCI runtime create failed: runc create failed: unable to start container process: unable to apply cgroup configuration: unable to start unit "docker-eaebeca8db0556fe38e61fe4b32d86e1f09f91772da385a8542dbd7933d1e559.scope" (properties [{Name:Description Value:"libcontainer container eaebeca8db0556fe38e61fe4b32d86e1f09f91772da385a8542dbd7933d1e559"} {Name:Slice Value:"user.slice"} {Name:Delegate Value:true} {Name:PIDs Value:@au [5611]} {Name:MemoryAccounting Value:true} {Name:CPUAccounting Value:true} {Name:IOAccounting Value:true} {Name:TasksAccounting Value:true} {Name:DefaultDependencies Value:false}]): Interactive authentication required.: unknown.

I had to tweak the ansible environment variables so that the aarch64 docker is installed. Here are my variables.

docker_compose: true
docker_user_bashrc: true
docker_url: "https://download.docker.com/linux/static/stable/aarch64"
docker_release_shasum: "aa2b2da571fb9160df87fd5a831f203fb97655e35fb9c4e8d46e72078ae16acf"
docker_release_rootless_shasum: "cd9256637a23164f9d86b4e6c5cd5ee4c4e7e8831ea473a855734b70612fe594"
docker_user: utkar

Can you please assist regarding this? I believe it's an issue with docker itself and not related to ansible.
Where can I find the verbose logs? How do we debug this?

Standalone ansible role

Is it planned, or are you interested in, making this current example into a standalone ansible role to install rootless docker? From a first look this means removing the nginx stuff and maybe also adding support for installation of rootless docker for multiple users.

Additionally you deploy a rootful systemd service here but stop it afterwards, what's the point?

Add environment variables automatically

The role should add the environment variables to .profile automatically.

Is there any specific reason why you push a README to the remote host instead of just adding the env variables for the docker_user?

galaxy is out of date

Hi! Thanks for this awesome role. I'd like to begin consuming it, although I'm not sure that what is in galaxy is up to date with the current main branch that has more recent docker version (e.g. v0.1.0 in galaxy from 9mo ago does not contain 2ddeb3f).

What is the recommended way to consume this role? Should we be pulling directly from a git ref?

Add daemon.json config

Hi !

I have a new request 🙂

Is it possible to create the config file daemon.json?
Example:

vars:
  docker_daemon_config:
    data-root: /app/docker
    dns:
      - 8.8.8.8
      - 8.8.4.4
tasks:
    - name: Create daemon.json config file
      copy:
        dest: "/home/{{ docker_user }}/.config/docker/daemon.json"
        content: "{{ docker_daemon_config | to_nice_json }}"
      notify:
        - Restart rootless docker

Thx !

Use 'docker compose' command (without hyphen)

Hi,

The Docker compose installation is not the same as the official docker compose installation.

The docker compose command doesn't work.

docker: 'compose' is not a docker command.
See 'docker --help'

But the 'docker-compose' command works well.

I added a task to create the docker plugins directory and changed the destination path when downloading docker-compose:

- name: Create docker plugins directory
  file:
    path: "{{ docker_user_info.home }}/.docker/cli-plugins"
    state: directory
    owner: "{{ docker_user }}"
    group: "{{ docker_user }}"

- name: Download docker-compose
  become: true
  become_user: "{{ docker_user }}"
  ansible.builtin.get_url:
    url: "https://github.com/docker/compose/releases/download/v{{ docker_compose_release }}/docker-compose-linux-x86_64"
    dest: "{{ docker_user_info.home }}/.docker/cli-plugins/docker-compose"
    checksum: sha256:{{ docker_compose_release_shasum }}
    owner: "{{ docker_user }}"
    mode: "0755"
  when: docker_compose
  tags:
    - docker-compose

Now I can use docker compose command.

.bashrc generation tasks problem

Hello,

I'm finding a strange issue with the stat tasks inside bashrc.yml

my local configuration

$ ansible --version
ansible [core 2.14.4]
  config file = None
  configured module search path = ['/Users/myuser/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /opt/homebrew/lib/python3.11/site-packages/ansible
  ansible collection location = /Users/myuser/.ansible/collections:/usr/share/ansible/collections
  executable location = /opt/homebrew/bin/ansible
  python version = 3.11.3 (main, Apr  7 2023, 21:05:46) [Clang 14.0.0 (clang-1400.0.29.202)] (/opt/homebrew/opt/[email protected]/bin/python3.11)
  jinja version = 3.1.2
  libyaml = True
# ansible-galaxy --version
ansible-galaxy [core 2.14.4]
  config file = None
  configured module search path = ['/Users/myuser/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /opt/homebrew/lib/python3.11/site-packages/ansible
  ansible collection location = /Users/myuser/.ansible/collections:/usr/share/ansible/collections
  executable location = /opt/homebrew/bin/ansible-galaxy
  python version = 3.11.3 (main, Apr  7 2023, 21:05:46) [Clang 14.0.0 (clang-1400.0.29.202)] (/opt/homebrew/opt/[email protected]/bin/python3.11)
  jinja version = 3.1.2
  libyaml = True
$ ansible-galaxy list | grep docker_rootless
- konstruktoid.docker_rootless, v0.15.0

The destination server configuration:

# uname -a
Linux <XXXX> 5.15.0-70-generic #77-Ubuntu SMP Tue Mar 21 14:02:37 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
# cat /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=22.04
DISTRIB_CODENAME=jammy
DISTRIB_DESCRIPTION="Ubuntu 22.04.2 LTS"
# python3 --version
Python 3.10.6

this is my role task content:

...
- name: Install Docker rootless
  include_role:
    name: konstruktoid.docker_rootless
  vars:
    docker_user: "{{ provisioning_username | mandatory }}"
    docker_compose: true
    docker_user_bashrc: true
...

this is the command output of

ansible-playbook -u root -i inventories/test/hosts webserver.yml -vvv --extra-vars "var_files_path=./inventories/test/host_vars/default.yml"

I'm connecting as root to the server. The {{provisioning_username}} variable is "deployer" which was created in a previous task

command output:

...
...
TASK [konstruktoid.docker_rootless : Stat Docker user .bashrc] *********************************************************************************************************************************************
task path: /Users/myuser/.ansible/roles/konstruktoid.docker_rootless/tasks/bashrc.yml:2

ok: [[email protected]] => {
    "changed": false,
    "invocation": {
        "module_args": {
            "checksum_algorithm": "sha1",
            "follow": false,
            "get_attributes": true,
            "get_checksum": true,
            "get_md5": false,
            "get_mime": true,
            "path": "/home/deployer/.bashrc"
        }
    },
    "stat": {
        "exists": false
    }
}

TASK [konstruktoid.docker_rootless : Create Docker user .bashrc] *******************************************************************************************************************************************
task path: /Users/myuser/.ansible/roles/konstruktoid.docker_rootless/tasks/bashrc.yml:8
fatal: [[email protected]]: FAILED! => {
    "msg": "The conditional check 'not docker_user_bashrc.stat.exists' failed. The error was: error while evaluating conditional (not docker_user_bashrc.stat.exists): 'bool object' has no attribute 'stat'. 'bool object' has no attribute 'stat'\n\nThe error appears to be in '/Users/myuser/.ansible/roles/konstruktoid.docker_rootless/tasks/bashrc.yml': line 8, column 3, but may\nbe elsewhere in the file depending on the exact syntax problem.\n\nThe offending line appears to be:\n\n\n- name: Create Docker user .bashrc\n  ^ here\n"
}

The previous times I used my procedure ran smoothly, in particular the docker rootless installation part, based on your awesome project.

What's wrong this time?

Thank you in advance

RootlessKit port driver

I run reverse proxies in a docker rootless setup and need source IP propagation. Thus in my deployments I extended your role with the following task for changing the RootlessKit's port driver:

- name: Configure docker source IP propagation
  # https://docs.docker.com/engine/security/rootless/#docker-run--p-does-not-propagate-source-ip-addresses
  community.general.ini_file:
    path: ~/.config/systemd/user/docker.service.d/override.conf
    section: Service
    option: Environment
    values:
      - '"DOCKERD_ROOTLESS_ROOTLESSKIT_NET=slirp4netns"'
      - '"DOCKERD_ROOTLESS_ROOTLESSKIT_PORT_DRIVER=slirp4netns"'
    state: present
  become: true
  become_user: "{{ docker_user }}"
  notify: docker_service_restart

Would you be interested in a pull request extending the role with this functionality? We could introduce a var for the port driver, the default being builtin as is now but also providing slirp4netns and perhaps pasta.

If so I'd be willing to make this contribution.

docker_user = ansible_user

So I want to install rootless docker for the user I'm installing most other services for in my playbook. Apart from the alias not being created for some reason, I don't want to have to use sudo in order to connect to the daemon my user is running. As far as I can see, that's the only option in the template, but for my case, setting the DOCKER_HOST env variable would suffice.

Is this something we can implement? I think it would be straightforward and it has a very common use case in my opinion.

Docker compose is hardcoded for x86_64

Thanks for this great and convenient Ansible role!

This line hardcodes Docker-compose for x86_64. I think it would be good to have an e.g. docker_arch variable so that the caller can tweak it.

I just installed on an ARM server by manually downloading and overwriting the docker-compose executable. Sorry I did not take time to do an MR (I'll let you choose this variable name to avoid bikeshedding :D ) but that would be a great addition for this role

Why not use docker_user to administer docker

Hey, thanks for the role again. I was just in the process of creating a PR which adds a .bashrc to the docker_user, when I saw the note in your README.md:

Note that the sole purpose of the docker_user is to run the Docker daemon and related containers, and not for system administration or used as a regular user.

It somehow feels strange to me to use sudo every time I run the docker command, because I want docker to not have admin privileges. So my idea was to just switch into the user (sudo su docker_user) and then run commands as if it was rootful.

Why are you arguing against such a use case? Would you still accept a PR with an optional .bashrc?

$ whoami
dockeruser

$ cat .bashrc
export XDG_RUNTIME_DIR="/run/user/1002"
export DOCKER_HOST="unix:///run/user/1002/docker.sock"
export PATH="~/bin:$PATH"

Dependency Dashboard

This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.

This repository currently has no open or pending branches.

Detected dependencies

ansible-galaxy
requirements.yml
  • ansible.posix 1.5.4
  • community.docker 3.12.0
  • community.general 9.2.0
dockerfile
action-lint/Dockerfile
github-actions
.github/workflows/dependency-review.yml
  • step-security/harden-runner v2.9.1@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde
  • actions/checkout v4.1.7@692973e3d937129bcbf40652eb9f2f61becf3332
  • actions/dependency-review-action v4.3.4@5a2ce3f5b92ee19cbb1541a4984c76d921601d7c
.github/workflows/issues.yml
  • step-security/harden-runner v2.9.1@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde
  • pozil/auto-assign-issue v2.0.0@c5bca5027e680b9e8411b826d16947afd8c76b32
.github/workflows/lint.yml
  • step-security/harden-runner v2.9.1@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde
  • actions/checkout v4.1.7@692973e3d937129bcbf40652eb9f2f61becf3332
  • ansible/ansible-lint-action eb92667e07cc18e1d115ff02e5f07126310cec11
.github/workflows/schedlint.yml
  • step-security/harden-runner v2.9.1@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde
  • actions/checkout v4.1.7@692973e3d937129bcbf40652eb9f2f61becf3332
  • ansible/ansible-lint-action eb92667e07cc18e1d115ff02e5f07126310cec11
.github/workflows/schedmainlint.yml
  • step-security/harden-runner v2.9.1@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde
  • actions/checkout v4.1.7@692973e3d937129bcbf40652eb9f2f61becf3332
.github/workflows/scorecards.yml
  • step-security/harden-runner v2.9.1@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde
  • actions/checkout v4.1.7@692973e3d937129bcbf40652eb9f2f61becf3332
  • ossf/scorecard-action v2.4.0@62b2cac7ed8198b15735ed49ab1e5cf35480ba46
  • actions/upload-artifact v4.3.6@834a144ee995460fba8ed112a2fc961b36a5ec5a
  • github/codeql-action v3.26.0@eb055d739abdc2e8de2e5f4ba1a8b246daa779aa
.github/workflows/slsa.yml
  • step-security/harden-runner v2.9.1@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde
  • actions/checkout v4.1.7@692973e3d937129bcbf40652eb9f2f61becf3332
  • actions/upload-artifact v4.3.6@834a144ee995460fba8ed112a2fc961b36a5ec5a
  • slsa-framework/slsa-github-generator v2.0.0
  • actions/download-artifact v4.1.8@fa0a91b85d4f404e444e00e005971372dc801d16
  • softprops/action-gh-release v2.0.8@c062e08bd532815e2082a85e87e3ef29c3e6d191


Error accessing mounted directories using a non-root container user.

Hi @konstruktoid,

I am trying to run an instance of step-ca. As per the Dockerfile of this image, the process inside the container is run as the step user, which is not the root user. Since my docker installation is rootless, the step user inside the container doesn't have write access to the mounted volumes. This issue exists with other images as well where the process inside the container is not run as root.

I also verified that the host directory that is mounted on the container is owned by the dockeruser which is running the docker daemon as rootless.

I saw a few articles online that map the user id from the host user to the container user but so far I couldn't get it to work.
Could you please provide your 2 cents and assist on what I could be doing wrong?

Thanks & Regards,

Utkarsh Vishnoi

adding skip_service_restart conditional check to skip docker service restart

Hello,

Is there any way to skip handlers from running after all tasks? After some search on the web, it seems not avoidable.

Can you add a conditional check inside the Restart rootless docker to skip it?

I'll provide an example to be clear:

this is handlers/main.yml

---
- name: Restart rootless docker
  become: true
  become_user: "{{ docker_user }}"
  ansible.builtin.systemd:
    name: docker.service
    state: restarted
    scope: user
  when: not skip_service_restart

where skip_service_restart variable default is false

Alternatively, I could leverage ansible_skip_tags if you can add a tag to the task that I can use to avoid restart, something like:

---
- name: Restart rootless docker
  become: true
  become_user: "{{ docker_user }}"
  ansible.builtin.systemd:
    name: docker.service
    state: restarted
    scope: user
  tags:
  - docker_rootless_restart_handler

Thank you in advance

Variable COMPOSE_PLUGIN_PATH not set in bash_completion.d/docker script

In the bash completion script ~/.bash_completion.d/docker a variable COMPOSE_PLUGIN_PATH is being set by running docker info, which is used to set up completion for docker compose. This command fails because the completion scripts are sourced before the user PATH has been set up.

On Ubuntu 22.04 completion is first sourced from /etc/profile.d/bash_completion.sh before the user's .bashrc, and then again from ~/.bash_completion set up by the role. Both of them are sourced before the PATH set in the Ansible managed block.

This is visible when logging in as the docker user:

# su - docker
-bash: docker: command not found
-bash: docker: command not found
docker@myhost:~$

If I re-order the Ansible managed block in .bashrc, putting it on the top of the file, the second run (sourced from .bashrc) works:

# su - docker
-bash: docker: command not found
docker@myhost:~$

The second sourcing could be fixed by re-ordering the tasks adding to .bashrc, but I'm unsure how to best tackle the first one. Perhaps modifying the completion-script, using some other method to locate the compose plugin.

Containers are fine, however docker-compose does not work for ansible

When I su as the user, docker-compose is installed, however when trying to deploy the compose through ansible, it fails with the following:

fatal: [10.1.0.5]: FAILED! => {"changed": false, "msg": "Unable to load docker-compose. Try `pip install docker-compose`. Error: Traceback (most recent call last):\n  File \"/tmp/ansible_community.docker.docker_compose_payload_7sod8ye4/ansible_community.docker.docker_compose_payload.zip/ansible_collections/community/docker/plugins/modules/docker_compose.py\", line 526, in <module>\nModuleNotFoundError: No module named 'compose'\n"}

- name: Create and start services
  become: true
  become_user: "{{ docker_user }}"
  community.docker.docker_compose:
    project_src: ~/project/
    build: true
  register: output

Support for exposing the Docker API via TCP

I'd like to add support for exposing the Docker API via TCP like it is documented in the docker docs.

So far I tried extending templates/docker_rootless.service.j2:

  • Add -H tcp://0.0.0.0:2376 to the ExecStart commands
  • Add Environment="DOCKERD_ROOTLESS_ROOTLESSKIT_FLAGS=-p 0.0.0.0:2376:2376/tcp"

This does not seem to work. I guess it is about the space in the env variable, but I'm unsure.

Is this something someone already has tried?

I guess we could put that behind a variable and have it configurable by the user. Happy to provide a PR, but I can't get it running.
