dynamicalsystem.com
homelab infrastructure services
1#!/bin/bash
2
3# Setup rootless Docker for tinsnip user
4
5set -euo pipefail
6
7log() {
8 echo "[Docker Setup] $*"
9}
10
11install_docker_rootless() {
12 local username="tinsnip"
13
14 log "Installing rootless Docker for $username..."
15
16 # Check if Docker is already installed for the user
17 if sudo -u "$username" -i bash -c "command -v docker &>/dev/null"; then
18 log "Docker already installed for $username"
19 return 0
20 fi
21
22 # Install dependencies
23 log "Installing Docker dependencies..."
24 sudo apt-get update -qq
25 sudo apt-get install -y \
26 uidmap \
27 dbus-user-session \
28 systemd-container \
29 fuse-overlayfs \
30 slirp4netns
31
32 # Install Docker rootless as tinsnip user
33 log "Installing Docker rootless mode..."
34 sudo -u "$username" -i bash << 'EOF'
35# Set up environment
36export XDG_RUNTIME_DIR=/run/user/$(id -u)
37
38# Download and run rootless installer
39curl -fsSL https://get.docker.com/rootless | sh
40
41# Add Docker binaries to PATH and set up environment
42echo 'export PATH=$HOME/bin:$PATH' >> ~/.bashrc
43echo 'export DOCKER_HOST=unix:///run/user/$(id -u)/docker.sock' >> ~/.bashrc
44echo 'export XDG_RUNTIME_DIR=/run/user/$(id -u)' >> ~/.bashrc
45
46# Also create a systemd environment file
47mkdir -p ~/.config/systemd/user
48cat > ~/.config/systemd/user/docker.conf << 'ENVEOF'
49[Manager]
50DefaultEnvironment="PATH=/home/tinsnip/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
51DefaultEnvironment="DOCKER_HOST=unix:///run/user/1010/docker.sock"
52DefaultEnvironment="XDG_RUNTIME_DIR=/run/user/1010"
53ENVEOF
54
55# Source the new PATH
56source ~/.bashrc
57
58# Ensure systemd user session is running
59if ! systemctl --user status >/dev/null 2>&1; then
60 echo "Starting systemd user session..."
61 # This creates the user session if it doesn't exist
62 loginctl enable-linger tinsnip
63fi
64
65# Enable Docker service
66systemctl --user enable docker.service
67systemctl --user start docker.service
68
69# Wait for Docker to start
70sleep 5
71
72# Test Docker
73if docker version &>/dev/null; then
74 echo "Docker rootless installation successful"
75else
76 echo "Docker installation may have issues"
77 exit 1
78fi
79EOF
80
81 if [[ $? -eq 0 ]]; then
82 log "Docker rootless installation completed successfully"
83 else
84 log "Warning: Docker installation may have issues"
85 fi
86}
87
88configure_docker() {
89 local username="tinsnip"
90
91 log "Configuring Docker for $username..."
92
93 # Check if Docker service exists first
94 if ! sudo -u "$username" -i bash -c 'export XDG_RUNTIME_DIR=/run/user/$(id -u); systemctl --user list-unit-files | grep -q docker.service'; then
95 log "Docker service not found for $username, skipping configuration"
96 return 0
97 fi
98
99 # Create Docker config directory
100 sudo -u "$username" mkdir -p /home/"$username"/.docker
101
102 # Create daemon.json with useful defaults
103 sudo -u "$username" tee /home/"$username"/.docker/daemon.json > /dev/null << 'EOF'
104{
105 "log-driver": "json-file",
106 "log-opts": {
107 "max-size": "10m",
108 "max-file": "3"
109 },
110 "storage-driver": "overlay2"
111}
112EOF
113
114 # Restart Docker to apply config if service exists
115 log "Restarting Docker service to apply configuration..."
116 sudo -u "$username" -i bash -c 'export XDG_RUNTIME_DIR=/run/user/$(id -u); systemctl --user restart docker.service'
117
118 log "Docker configuration complete"
119}
120
121enable_privileged_ports() {
122 local username="tinsnip"
123
124 log "Enabling privileged port binding for rootless Docker..."
125
126 # Find rootlesskit binary
127 local rootlesskit_path
128 rootlesskit_path=$(sudo -u "$username" -i bash -c 'which rootlesskit 2>/dev/null')
129
130 if [[ -z "$rootlesskit_path" ]]; then
131 log "WARNING: rootlesskit not found, skipping privileged port configuration"
132 return 0
133 fi
134
135 # Set capability to allow binding to privileged ports
136 log "Setting CAP_NET_BIND_SERVICE on rootlesskit..."
137 sudo setcap cap_net_bind_service=ep "$rootlesskit_path"
138
139 if [[ $? -eq 0 ]]; then
140 log "Privileged port binding enabled for rootless Docker"
141 log "Restarting Docker to apply changes..."
142 sudo -u "$username" -i bash -c 'export XDG_RUNTIME_DIR=/run/user/$(id -u); systemctl --user restart docker.service'
143 else
144 log "WARNING: Failed to set capability on rootlesskit"
145 fi
146}
147
148main() {
149 log "Setting up rootless Docker for tinsnip..."
150
151 # Check if tinsnip user exists
152 if ! id "tinsnip" &>/dev/null; then
153 log "ERROR: tinsnip user does not exist. Run create_tinsnip_user.sh first."
154 exit 1
155 fi
156
157 install_docker_rootless
158
159 # Verify Docker installation before configuring
160 log "Verifying Docker installation..."
161 if sudo -u "tinsnip" -i bash -c 'command -v docker &>/dev/null'; then
162 log "Docker binary found, proceeding with configuration..."
163 configure_docker
164 enable_privileged_ports
165 else
166 log "ERROR: Docker binary not found for tinsnip user"
167 exit 1
168 fi
169
170 # Final verification
171 log "Performing final Docker verification..."
172 if sudo -u "tinsnip" -i bash -c 'docker version &>/dev/null'; then
173 log "Rootless Docker setup complete!"
174 log ""
175 log "Docker is now running for user 'tinsnip'"
176 log "To verify: sudo -u tinsnip docker version"
177 else
178 log "WARNING: Docker may not be working correctly"
179 log "Try: sudo -u tinsnip docker version"
180 fi
181}
182
183main "$@"