Debian/Ubuntu-based images

[mLupine]

Hi,

Currently all image variants are based on Alpine. It's totally fine, in most cases this is the best choice for the container OS. However, some cases require a different OS to be used while still having to use Docker in Docker. I was successful in running creating a Debian-based DinD image using most of the scripts found in this repo without many changes, so it definitely can be done. Hence my question: wouldn't it be a good idea to add an official Docker image based on an OS other than Alpine?

If there's a green light on that, you can count on me to update the templates and scripts and prepare a PR with needed changes.

M.

[tianon]

See #127, where this has been discussed previously 😅

[mLupine]

Damn, I've tried searching for that before but GitHub's search engine is far from perfect and I thought that the subject hadn't been touched yet 😉

Nevertheless, my use case requires me to use a non-Alpine OS — I'm working on containerizing a self-hosted GitHub Actions runner which does not support Alpine (and by the looks of it, it's not going to in a foreseeable future) so I'm going to have to maintain a Debian image on my own. I just thought that I could share it so that others could benefit from it too.

If you ever reconsider the decision, feel free to ping me here and I'll be happy to chip in 😊

[tianon]

Heh, on the side, I personally maintain 2-3 separate Debian-based Docker-in-Docker images for my own purposes, but each of them pulls from a different source of very specific Docker binaries (so Debian was chosen in one case because it's my personal preference and in the other because the binaries I'm consuming are in .deb files). 😄

If what you're looking for is just a "Something Else"-based Docker-in-Docker image, here's the simplest method I can think of:

FROM debian:buster-slim

RUN set -eux; \
	apt-get update; \
	apt-get install -y --no-install-recommends \
		ca-certificates \
		iptables \
		openssl \
		pigz \
		xz-utils \
	; \
	rm -rf /var/lib/apt/lists/*

ENV DOCKER_TLS_CERTDIR=/certs
RUN mkdir /certs /certs/client && chmod 1777 /certs /certs/client

COPY --from=docker:20.10.5-dind /usr/local/bin/ /usr/local/bin/

VOLUME /var/lib/docker

ENTRYPOINT ["dockerd-entrypoint.sh"]
CMD []

(Of course, the FROM and the dependencies installation could be swapped out for Ubuntu, etc etc etc as desired. 👍)

[rafaelgaspar]

Hi,

I think that with dind-rootless that becomes even more important, since it falls back to vfs on alpine.

Or maybe install fuse-overlayfs in alpine.

[mbanders]

@tianon Thanks for giving that example! This is what I've been looking for.

I'm comparing your Dockerfile example with the official 20.10 Dockerfile to see what you changed.

It looks like you don't do anything to the file /etc/nsswitch.conf. I don't totally understand what that step accomplished anyway.

You also don't copy over modprobe.sh - is that simply not needed for anything?

You also added the command VOLUME /var/lib/docker, can I ask why that was needed in this Debian based image but not in the official alpine based image?

Edit: Looking more closely, it's clear I don't know the difference between the docker 20.10 vs 20.10-dind. I think what I'm looking for is 20.10 based on debian/ubuntu.

[tianon]

It looks like you don't do anything to the file /etc/nsswitch.conf. I don't totally understand what that step accomplished anyway.

That's an Alpine-Linux-plus-Go-ism (not needed for distributions which already use nsswitch.conf).

You also don't copy over modprobe.sh - is that simply not needed for anything?

You also added the command VOLUME /var/lib/docker, can I ask why that was needed in this Debian based image but not in the official alpine based image?

This is dind vs cli -- if you want to run actual Docker-in-Docker, you'll want both.

Edit: Looking more closely, it's clear I don't know the difference between the docker 20.10 vs 20.10-dind. I think what I'm looking for is 20.10 based on debian/ubuntu.

The docker:20.10 image is intended to be CLI-only and docker:20.10-dind includes/enables the actual Engine for full Docker-in-Docker (not just Docker-CLI-inside-Docker-container-talking-to-Docker-Engine-on-the-host-via-bind-mounted-docker.sock, which is not Docker-in-Docker).

[wt-asw]

Heh, on the side, I personally maintain 2-3 separate Debian-based Docker-in-Docker images for my own purposes, but each of them pulls from a different source of very specific Docker binaries (so Debian was chosen in one case because it's my personal preference and in the other because the binaries I'm consuming are in .deb files). 😄

If what you're looking for is just a "Something Else"-based Docker-in-Docker image, here's the simplest method I can think of:

FROM debian:buster-slim

RUN set -eux; \
	apt-get update; \
	apt-get install -y --no-install-recommends \
		ca-certificates \
		iptables \
		openssl \
		pigz \
		xz-utils \
	; \
	rm -rf /var/lib/apt/lists/*

ENV DOCKER_TLS_CERTDIR=/certs
RUN mkdir /certs /certs/client && chmod 1777 /certs /certs/client

COPY --from=docker:20.10.5-dind /usr/local/bin/ /usr/local/bin/

VOLUME /var/lib/docker

ENTRYPOINT ["dockerd-entrypoint.sh"]
CMD []

(Of course, the FROM and the dependencies installation could be swapped out for Ubuntu, etc etc etc as desired. 👍)

would this method also work with docker compose?

[tianon]

If you ask docker compose to build: an image for you from a Dockerfile, yes 😅

[wt-asw]

If you ask docker compose to build: an image for you from a Dockerfile, yes 😅

Haha sorry I should have clarified the question: I'm trying to set up an ubuntu:22.04 container with the ability to run docker and docker compose inside the container.

My current file looks a bit like:

FROM ubuntu:22.04
# Install Docker CLI
RUN curl -fsSL https://get.docker.com -o- | sh && \
    rm -rf /var/lib/apt/lists/* && \
    apt-get clean

# Install Docker-Compose
RUN curl -L -o /usr/local/bin/docker-compose \
    "https://github.com/docker/compose/releases/download/${DOCKER_COMPOSE_VERSION}/docker-compose-$(uname -s)-$(uname -m)" && \
    chmod +x /usr/local/bin/docker-compose

And then my docker compose file:

version: "3"
services:
  actions-runner:
    privileged: True
    build:
      context: .
      dockerfile: Dockerfile
    command: docker compose version
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock"

The ultimate goal is to be able to scale up self hosted Github Actions runners that can use docker and docker compose from within the containers.

Sorry for the nooby question, I'm quite new to all this. I tried doing

COPY --from=docker/compose:dind /usr/local/bin/ /usr/local/bin/

Because I think that is more elegant however I couldnt get docker compose to work this way.

[tianon]

Ah, sorry, you're not even using this image (or its contents), so that's really a lot out of scope here. 😅

With the approach in #306 (comment), you "just" need to add the CLI plugins directory to the things you copy from the docker image and you'll have docker compose as well.

[wt-asw]

I see! Thank you! I have this working now. With dockerfile:

FROM ubuntu:latest
RUN apt-get update -y && apt-get upgrade -y
COPY --from=docker:dind /usr/local/bin /usr/local/bin
COPY --from=docker:dind /usr/libexec/docker/cli-plugins /usr/libexec/docker/cli-plugins

and then the compose file:

version: "3"
services:
  experiment:
    privileged: True
    build:
      context: .
      dockerfile: Dockerfile
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock"
    command: docker compose version # just for testing 

This is a far more elegant solution than my origional one. Thank you for your help 👍