Run environments on external servers without root access, utilizing rootless Docker
We recently encountered two similar cases with specific requirements, so I’ll document how we addressed them. This might be useful for others with similar needs or for extending L3D to support such scenarios.
The primary request from the hosting company was that root access would not be granted, as they manage the server and its software. We are responsible only for everything running inside the Docker containers.
We encountered a few challenges during setup:
- Configuring the GitLab runner within a Docker container
- Insufficient permissions to create projects in the /drupal/* directory, which required moving the projects to our home directory
- We also faced an issue with insufficient permissions to move files and database dumps into container volumes
- Permission issues with the Borgmatic (backup) container volume
- Permission issues with the cron container volume / docker socket
I'll provide the solutions for these issues in the comments.
Activity
added Triage label
- Configuring the GitLab runner within a Docker container due to rootless Docker - we had this issue
ERROR: Failed to remove network for build ERROR: Preparation failed: permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Get " http://%2Fvar%2Frun%2Fdocker.sock/v1.44/info ": dial unix /var/run/docker.sock: connect: permission denied (docker.go:1016:0s)we had to do 2 changes to fix this:
a) in the GitLab runner config, instead of using volumes = ["/var/run/docker.sock:/var/run/docker.sock", "/drupal/676:/data"] We had to use: volumes = ["/run/user/1001/docker.sock:/var/run/docker.sock", "/drupal/676:/data"] (1001 is our user uid)
b) when starting a gitlab-runner container - we had to use the same volume for it:
{ "Type": "bind", "Source": "/run/user/1001/docker.sock", "Destination": "/var/run/docker.sock", "Mode": "", "RW": true, "Propagation": "rprivate" },- Insufficient permissions to create projects in the /drupal/* directory, which required moving the projects to our home directory
For this, I have created a small patch:
docker4drupal-custom-root.patch
And then I added the next line to the .lakedrops.yml file:
docker4drupal: customRoot: /home/myuser01- We also faced an issue with insufficient permissions to move files and database dumps into container volumes
The solution for this issue involved using
docker cpcommands to copy files directly into the containers. Additionally, when file or directory permissions needed to be changed, the following command helpeddocker exec -it --user root (or www-data) container_name bash(ssh as root into the container)- Permission issues with the Borgmatic (backup) container volume the error:
Error response from daemon: error while creating mount source path '/usr/local/bin/alertalerta.py': mkdir /usr/local/bin/alertalerta.py: permission deniedHere's the patch that allowed us to change
/usr/local/bin/alertalerta.pyintohome/myuser01/bin/alertalerta.py- Permission issues with the cron container volume / docker socket
cron-1 | 2024-12-16T05:35:00.047Z common.go:125 ▶ NOTICE [Job "Drupal Cron" (62f26c619956)] Started - sh -c "cd /var/www/html && /var/www/html/vendor/bin/drush cron" cron-1 | 2024-12-16T05:35:00.048Z common.go:121 ▶ ERROR [Job "Drupal Cron" (62f26c619956)] Finished in "1.321605ms", failed: true, skipped: false, error: error creating exec: Post "http://unix.sock/containers/drupal_project_develop-php-1/exec": dial unix /var/run/docker.sock: connect: permission deniedHere's the patch we created: docker4drupal-cron-rootless-docker.patch
We have also added this to the .lakedrops.yml file:
docker4drupal: customDockerSocket: /run/user/1001/docker.sockadded dormant label
removed dormant label
