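Hyamada's blog

Hyamada's (id:hymd3a) hobby blog

Notes on using TensorFlow with rootless Docker

(2022-11-06 first draft)

I heard that Docker on Debian also supports rootless mode, so these are my notes from trying it out. It is less a memo than a log, really.

At the end I hit a Permission denied error and got around it with chmod -R, but I am still trying to work out whether that is OK.

Below are the sites I referred to. Many thanks. m(__)m

My environment. Incidentally, just between us, I typed lsb-release (with a hyphen instead of an underscore) and panicked when the command was not found.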

$ lsb_release -a
Distributor ID:    Debian
Description:    Debian GNU/Linux 11 (bullseye)
Release:    11
Codename:    bullseye

 

Run the following in order. Note that I had already installed Docker in rootful mode, so I installed only the packages that were needed.

sudo apt install uidmap
sudo apt-get install dbus-user-session

After installing, log out and log back in.

slirp4netns --version
commit: 6a7b16babc95b6a3056b33fb45b74a6f62262dd4
libslirp: 4.4.0

Check the version. 4.0.0 or later is OK. If it is not installed, install it.

As mentioned above, I had already installed Docker in rootful mode, so first stop docker.

$ sudo systemctl disable --now docker.service docker.socket
$ dockerd-rootless-setuptool.sh install   # as the user account you want to install for
[ERROR] Aborting because rootful Docker (/var/run/docker.sock) is running and accessible. Set --force to ignore.

I thought I had stopped docker, but it still seemed to be running, so I retried with --force as the message suggested.

$ dockerd-rootless-setuptool.sh --force install
[INFO] Creating /home/hoge/.config/systemd/user/docker.service
[INFO] starting systemd service docker.service
+ systemctl --user start docker.service
+ sleep 3
+ systemctl --user --no-pager --full status docker.service
● docker.service - Docker Application Container Engine (Rootless)
Loaded: loaded (/home/hoge/.config/systemd/user/docker.service; disabled; vendor preset: enabled)
     Active: active (running) since Fri 2022-11-04 15:18:03 JST; 3s ago
   Docs: https://docs.docker.com/go/rootless/
   Main PID: 3332 (rootlesskit)
      Tasks: 32
     Memory: 66.7M
        CPU: 703ms
     CGroup: /user.slice/user-1000.slice/user@1000.service/app.slice/docker.service
             ├─3332 rootlesskit --net=slirp4netns --mtu=65520 --slirp4netns-sandbox=auto --slirp4netns-seccomp=auto --disable-host-loopback --port-driver=builtin --copy-up=/etc --copy-up=/run --propagation=rslave /usr/bin/dockerd-rootless.sh
             ├─3342 /proc/self/exe --net=slirp4netns --mtu=65520 --slirp4netns-sandbox=auto --slirp4netns-seccomp=auto --disable-host-loopback --port-driver=builtin --copy-up=/etc --copy-up=/run --propagation=rslave /usr/bin/dockerd-rootless.sh
             ├─3361 slirp4netns --mtu 65520 -r 3 --disable-host-loopback --enable-sandbox --enable-seccomp 3342 tap0

11月 04 15:18:03 mou dockerd-rootless.sh[3368]: time="2022-11-04T15:18:03.661130347+09:00" level=warning msg="Unable to find cpuset controller"
11月 04 15:18:03 mou dockerd-rootless.sh[3368]: time="2022-11-04T15:18:03.661890400+09:00" level=info msg="Loading containers: start."
11月 04 15:18:03 mou dockerd-rootless.sh[3368]: time="2022-11-04T15:18:03.666151823+09:00" level=info msg="skipping firewalld management for rootless mode"
11月 04 15:18:03 mou dockerd-rootless.sh[3368]: time="2022-11-04T15:18:03.830594829+09:00" level=info msg="Default bridge (docker0) is assigned with an IP address 172.17.0.0/16. Daemon option --bip can be used to set a preferred IP address"
11月 04 15:18:03 mou dockerd-rootless.sh[3368]: time="2022-11-04T15:18:03.832143337+09:00" level=info msg="failed to read ipv6 net.ipv6.conf.<bridge>.accept_ra" bridge=docker0 syspath=/proc/sys/net/ipv6/conf/docker0/accept_ra
11月 04 15:18:03 mou dockerd-rootless.sh[3368]: time="2022-11-04T15:18:03.832729322+09:00" level=info msg="failed to read ipv6 net.ipv6.conf.<bridge>.accept_ra" bridge=docker0 syspath=/proc/sys/net/ipv6/conf/docker0/accept_ra
11月 04 15:18:03 mou dockerd-rootless.sh[3368]: time="2022-11-04T15:18:03.938168530+09:00" level=info msg="Loading containers: done."
11月 04 15:18:03 mou dockerd-rootless.sh[3368]: time="2022-11-04T15:18:03.952969688+09:00" level=info msg="Docker daemon" commit=3056208 graphdriver(s)=fuse-overlayfs version=20.10.21
11月 04 15:18:03 mou dockerd-rootless.sh[3368]: time="2022-11-04T15:18:03.953873222+09:00" level=info msg="Daemon has completed initialization"
11月 04 15:18:04 mou dockerd-rootless.sh[3368]: time="2022-11-04T15:18:04.033677440+09:00" level=info msg="API listen on /run/user/1000/docker.sock"
+ DOCKER_HOST=unix:///run/user/1000/docker.sock /usr/bin/docker version
Client: Docker Engine - Community
 Version:           20.10.21
 API version:       1.41
 Go version:        go1.18.7
 Git commit:        baeda1f
 Built:             Tue Oct 25 18:02:28 2022
 OS/Arch:           linux/amd64
 Context:           default
 Experimental:      true

Server: Docker Engine - Community
 Engine:
  Version:          20.10.21
  API version:      1.41 (minimum version 1.12)
  Go version:       go1.18.7
  Git commit:       3056208
  Built:            Tue Oct 25 18:00:19 2022
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          1.6.9
  GitCommit:        1c90a442489720eec95342e1789ee8a5e1b9536f
 runc:
  Version:          1.1.4
  GitCommit:        v1.1.4-0-g5fd4c4d
 docker-init:
  Version:          0.19.0
  GitCommit:        de40ad0
+ systemctl --user enable docker.service
Created symlink /home/hoge/.config/systemd/user/default.target.wants/docker.service → /home/hhoge/.config/systemd/user/docker.service.
[INFO] Installed docker.service successfully.
[INFO] To control docker.service, run: `systemctl --user (start|stop|restart) docker.service`
[INFO] To run docker.service on system startup, run: `sudo loginctl enable-linger hoge`

[INFO] Creating CLI context "rootless"
Successfully created context "rootless"
[INFO] Use CLI context "rootless"
Current context is now "rootless"

[INFO] Make sure the following environment variables are set (or add them to ~/.bashrc):
export PATH=/usr/bin:$PATH
Some applications may require the following environment variable too:
export DOCKER_HOST=unix:///run/user/1000/docker.sock

/usr/bin was already on my PATH, so I added only DOCKER_HOST to .bashrc.

echo "export DOCKER_HOST=unix:///run/user/1000/docker.sock" >> ~/.bashrc

Check the docker version as a regular user.

$ docker version
Client: Docker Engine - Community
 Version:           20.10.21
 API version:       1.41
 Go version:        go1.18.7
 Git commit:        baeda1f
 Built:             Tue Oct 25 18:02:28 2022
 OS/Arch:           linux/amd64
 Context:           rootless
 Experimental:      true

Server: Docker Engine - Community
 Engine:
  Version:          20.10.21
  API version:      1.41 (minimum version 1.12)
  Go version:       go1.18.7
  Git commit:       3056208
  Built:            Tue Oct 25 18:00:19 2022
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          1.6.9
  GitCommit:        1c90a442489720eec95342e1789ee8a5e1b9536f
 runc:
  Version:          1.1.4
  GitCommit:        v1.1.4-0-g5fd4c4d
 docker-init:
  Version:          0.19.0
  GitCommit:        de40ad0

It seems to be fine as long as Context: shows rootless.

 

Start docker with user privileges

systemctl --user start docker

So that docker also starts with user privileges after a reboot

systemctl --user enable docker
sudo loginctl enable-linger $(whoami)

Reboot the PC here.

As a test, I tried the web server from the example.

$ docker run -d -p 8080:80 --rm --name httpd httpd
Unable to find image 'httpd:latest' locally
latest: Pulling from library/httpd
e9995326b091: Pull complete 
ee55ccd48c8f: Pull complete 
bc66ebea7efe: Pull complete 
5d0f831d3c0b: Pull complete 
e559e5380898: Pull complete 
Digest: sha256:5fa96551b61359de5dfb7fd8c9e97e4153232eb520a8e883e2f47fc80dbfc33e
Status: Downloaded newer image for httpd:latest
23b7bf4179a1986c18a215a77136525ba193de22a46c92a338cf5aba0f6ceb56

Check from a client

$ curl localhost:8080
<html><body><h1>It works!</h1></body></html>

Check with ps.

$ ps aux | grep docker
hoge        3332  0.0  0.5 1228708 20400 ?       Ssl  15:18   0:00 rootlesskit --net=slirp4netns --mtu=65520 --slirp4netns-sandbox=auto --slirp4netns-seccomp=auto --disable-host-loopback --port-driver=builtin --copy-up=/etc --copy-up=/run --propagation=rslave /usr/bin/dockerd-rootless.sh
hoge        3342  0.0  0.5 1154896 19628 ?       Sl   15:18   0:00 /proc/self/exe --net=slirp4netns --mtu=65520 --slirp4netns-sandbox=auto --slirp4netns-seccomp=auto --disable-host-loopback --port-driver=builtin --copy-up=/etc --copy-up=/run --propagation=rslave /usr/bin/dockerd-rootless.sh
hoge        3368  1.0  2.1 1594892 83828 ?       Sl   15:18   0:09 dockerd
hoge        3383  0.3  1.3 1274040 51424 ?       Ssl  15:18   0:02 containerd --config /run/user/1000/docker/containerd/containerd.toml --log-level info
hoge        3885  0.0  0.0   6032  2160 ?        Ss   15:27   0:00 fuse-overlayfs -o lowerdir=/home/hoge/.local/share/docker/fuse-overlayfs/l/PVZN2LPXHNCEW6DZSHTSTSCZRQ:/home/hoge/.local/share/docker/fuse-overlayfs/l/MPE6K4AGAGC5Y7P2GYJ6KVZCWX:/home/hoge/.local/share/docker/fuse-overlayfs/l/MRQCMVX2BZK3T7KADHXN5LP6CL:/home/hoge/.local/share/docker/fuse-overlayfs/l/2PBHBPS6O6Y2Z3I6OQGPGSNSDA:/home/hoge/.local/share/docker/fuse-overlayfs/l/CRSHLJ6EU2WCATEYB2T7TDM5S7:/home/hoge/.local/share/docker/fuse-overlayfs/l/YGQMMNV4FWTRKYIDGK7L7HVLC2,upperdir=/home/hoge/.local/share/docker/fuse-overlayfs/9bd0acc378b29808b2bf4ec9629e44e0de48eb649bde18decc3202642206407c/diff,workdir=/home/hoge/.local/share/docker/fuse-overlayfs/9bd0acc378b29808b2bf4ec9629e44e0de48eb649bde18decc3202642206407c/work /home/hoge/.local/share/docker/fuse-overlayfs/9bd0acc378b29808b2bf4ec9629e44e0de48eb649bde18decc3202642206407c/merged
hoge        3896  0.0  0.1 1151580 7152 ?        Sl   15:27   0:00 /usr/bin/rootlesskit-docker-proxy -proto tcp -host-ip 0.0.0.0 -host-port 8080 -container-ip 172.17.0.2 -container-port 80
hoge        3902  0.0  0.1 1074732 7032 ?        Sl   15:27   0:00 docker-proxy -container-ip 172.17.0.2 -container-port 80 -host-ip 127.0.0.1 -host-port 8080 -proto tcp
hoge        3919  0.0  0.2 712200 10976 ?        Sl   15:27   0:00 /usr/bin/containerd-shim-runc-v2 -namespace moby -id 23b7bf4179a1986c18a215a77136525ba193de22a46c92a338cf5aba0f6ceb56 -address /run/user/1000/docker/containerd/containerd.sock
hoge        4330  0.0  0.0   4428   704 pts/0    S+   15:32   0:00 grep docker

Check as root; if it is not running there, that is OK.

$ sudo docker ps
Cannot connect to the Docker daemon at unix:///var/run/docker.sock. Is the docker daemon running?

Check the docker service.

$ cat .config/systemd/user/docker.service 
[Unit]
Description=Docker Application Container Engine (Rootless)
Documentation=https://docs.docker.com/go/rootless/

[Service]
Environment=PATH=/usr/bin:/sbin:/usr/sbin:/home/hoge/bin:/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games
ExecStart=/usr/bin/dockerd-rootless.sh 
ExecReload=/bin/kill -s HUP $MAINPID
TimeoutSec=0
RestartSec=2
Restart=always
StartLimitBurst=3
StartLimitInterval=60s
LimitNOFILE=infinity
LimitNPROC=infinity
LimitCORE=infinity
TasksMax=infinity
Delegate=yes
Type=simple
KillMode=mixed

[Install]
WantedBy=default.target

Check docker's user status.

$ systemctl --user status docker
● docker.service - Docker Application Container Engine (Rootless)
     Loaded: loaded (/home/hoge/.config/systemd/user/docker.service; enabled; vendor prese>
     Active: active (running) since Fri 2022-11-04 15:18:03 JST; 18min ago
       Docs: https://docs.docker.com/go/rootless/
   Main PID: 3332 (rootlesskit)
      Tasks: 61
     Memory: 240.6M
        CPU: 20.085s
     CGroup: /user.slice/user-1000.slice/user@1000.service/app.slice/docker.service
             ├─3332 rootlesskit --net=slirp4netns --mtu=65520 --slirp4netns-sandbox=auto ->

11月 04 15:18:03 mou dockerd-rootless.sh[3368]: time="2022-11-04T15:18:03.832729322+09:00">
11月 04 15:18:03 mou dockerd-rootless.sh[3368]: time="2022-11-04T15:18:03.938168530+09:00">
11月 04 15:18:03 mou dockerd-rootless.sh[3368]: time="2022-11-04T15:18:03.952969688+09:00">
11月 04 15:18:03 mou dockerd-rootless.sh[3368]: time="2022-11-04T15:18:03.953873222+09:00">
11月 04 15:18:04 mou dockerd-rootless.sh[3368]: time="2022-11-04T15:18:04.033677440+09:00">
11月 04 15:27:44 mou dockerd-rootless.sh[3383]: time="2022-11-04T15:27:44.933911582+09:00">
11月 04 15:27:44 mou dockerd-rootless.sh[3383]: time="2022-11-04T15:27:44.934044444+09:00">
11月 04 15:27:44 mou dockerd-rootless.sh[3383]: time="2022-11-04T15:27:44.934080893+09:00">
11月 04 15:27:44 mou dockerd-rootless.sh[3383]: time="2022-11-04T15:27:44.936648060+09:00">
11月 04 15:27:45 mou dockerd-rootless.sh[3959]: time="2022-11-04T15:27:45+09:00" level=war>

Running tensorflow

$ cd doct-tf     # your own tensorflow working directory
$ /usr/bin/docker run -it -u $(id -u):$(id -g) --rm -v $PWD:/tmp -w /tmp tensorflow/tensorflow bash
$ tf-docker /tmp > pip install -r requirements.txt

pip failed with [Errno 13] Permission denied. In another terminal, I set the permissions of docker's root directory to 777.

$ sudo chmod -R 777 .local/share/docker
tf-docker /tmp > python example.py
tensorflow docker python [Errno 13] Permission

Another permission error, so in another terminal I changed the permissions to 777.

$ sudo chmod -R 777 ./doc-rf

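With that, it now runs fine in rootless mode, but I am not sure whether setting the permissions of docker's directory and the user's working directory to 777 is a good way to solve it... If anyone knows, please tell me. m(__)m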
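
On the 777 question above, an added example (not part of the original post): in rootless mode the daemon's user namespace maps container UID 0 to the host user and every other container UID into the subordinate range from /etc/subuid, so `-u $(id -u):$(id -g)` makes the process a different host UID that does not own the bind-mounted directory. The /etc/subuid line, the UIDs and the helper names `host_uid_for` and `can_write` are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Sample values are constructed.
SUBUID_LINE="hoge:100000:65536"   # constructed; compare with your /etc/subuid
HOST_UID=1000                     # constructed; what `id -u` prints on the host

# Host UID the kernel sees for a container UID under the rootless user
# namespace (uid_map rows: "0 HOST_UID 1" and "1 SUBUID_START COUNT").
host_uid_for() {
    start=$(echo "$SUBUID_LINE" | cut -d: -f2)
    count=$(echo "$SUBUID_LINE" | cut -d: -f3)
    if [ "$1" -eq 0 ]; then
        echo "$HOST_UID"
    elif [ "$1" -le "$count" ]; then
        echo $((start + $1 - 1))
    else
        echo unmapped
    fi
}

# can_write PROC_UID OWNER_UID MODE  (MODE as 755, no leading zero)
# Only owner and "other" bits are checked: the mapped GID is assumed not to
# be the directory's group, which is the case for a subordinate GID.
can_write() {
    owner_bits=$(( ($3 / 100) % 10 ))
    other_bits=$(( $3 % 10 ))
    if [ "$1" -eq "$2" ]; then bits=$owner_bits; else bits=$other_bits; fi
    if [ $(( bits & 2 )) -ne 0 ]; then echo yes; else echo no; fi
}

# Container UID 1000 is what `-u $(id -u):$(id -g)` selects; 0 is the default.
for cuid in 1000 0; do
    h=$(host_uid_for "$cuid")
    echo "container uid $cuid -> host uid $h; can write 755 dir owned by $HOST_UID: $(can_write "$h" "$HOST_UID" 755)"
done

# After chmod -R 777 the write succeeds, but so does a write by any other
# local account (constructed UID 1001), including into image layer directories.
echo "other local uid 1001 after chmod 777: $(can_write 1001 "$HOST_UID" 777)"
```

Under rootless mode, leaving out `-u` runs the process as container UID 0, which is the unprivileged host user, so files in the bind mount stay owned by that user and no mode needs loosening.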
