Create the docker group and add the regular user alfd to it
groupadd -g 980 docker
usermod -aG docker alfd
Check that the group was created and the user was added
grep docker /etc/group
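The grep above matches any line that merely contains the string "docker" (a group such as dockerroot would match too) and does not tell you whether alfd actually appears in the member list. The following is an added example, not part of the original post, that parses /etc/group-style data field by field, so the group name and the member name are matched exactly. The group file content embedded in it is constructed for the demo; the function names are my own. Because membership of the docker group is root-equivalent on the host (the Docker daemon runs as root and any member can use it to mount host paths), this check is also a quick audit of who effectively holds root on the machine. Note that a new supplementary group only takes effect in a fresh login session, which is why the post uses su - alfd rather than checking from the existing shell.

```shell
#!/bin/sh
# Added example: verify docker group membership from /etc/group-style data.
# Not part of the original post; the sample group file below is constructed.

# sample_group_file: constructed /etc/group content as it might look after
# groupadd/usermod. The unrelated "dockerroot" group is there to show what
# a plain "grep docker" would also match.
sample_group_file() {
  cat <<'EOF'
root:x:0:
wheel:x:10:alfd
docker:x:980:alfd,builder
dockerroot:x:981:
EOF
}

# group_gid GROUP [GROUP_FILE_CONTENT]
# Prints the GID of GROUP (exact match on the name field). Falls back to the
# live group database via getent when no content is supplied.
group_gid() {
  printf '%s\n' "${2:-$(getent group)}" |
    awk -F: -v g="$1" '$1 == g { print $3; exit }'
}

# user_in_group GROUP USER [GROUP_FILE_CONTENT]
# Returns 0 when USER is listed as a supplementary member of GROUP, 1 otherwise.
# The member list is split on commas, so "alf" does not match "alfd".
user_in_group() {
  printf '%s\n' "${3:-$(getent group)}" |
    awk -F: -v g="$1" -v u="$2" '
      $1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) found = 1 }
      END { exit found ? 0 : 1 }'
}

# check_docker_setup USER [GROUP_FILE_CONTENT]
# Combined check for the post's step: prints a verdict and returns its status.
check_docker_setup() {
  gid=$(group_gid docker "$2")
  if [ -z "$gid" ]; then
    echo "docker group missing"; return 1
  fi
  if user_in_group docker "$1" "$2"; then
    echo "docker group gid=$gid, $1 is a member (root-equivalent on this host)"; return 0
  fi
  echo "docker group gid=$gid, $1 is NOT a member"; return 1
}

# Live usage on a real host (reads /etc/group via getent):  check_docker_setup alfd
# Offline demo on the constructed data:
check_docker_setup alfd "$(sample_group_file)"
check_docker_setup nobody "$(sample_group_file)" || true
```

Run it as root or as any user; getent only reads the group database. Pass a file's content as the optional last argument to audit a copy of /etc/group taken from another machine.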
Unpack the offline Docker binary tarball and copy the files under the docker directory to /usr/bin/
tar zxvf docker*.tgz
\cp -f docker/* /usr/bin/
Create the docker.service file under /etc/systemd/system and set its mode to 0755
vi /etc/systemd/system/docker.service
chmod 0755 /etc/systemd/system/docker.service
Write the following into docker.service
[Unit]
Description=Docker Application Container Engine
Documentation=https://docs.docker.com
After=network-online.target firewalld.service
Wants=network-online.target
[Service]
Type=notify
Group=docker
# the default is not to use systemd for cgroups because the delegate issues still
# exists and systemd currently does not support the cgroup feature set required
# for containers run by docker
ExecStart=/usr/bin/dockerd --selinux-enabled=false
ExecReload=/bin/kill -s HUP $MAINPID
# Having non-zero Limit*s causes performance problems due to accounting overhead
# in the kernel. We recommend using cgroups to do container-local accounting.
LimitNOFILE=infinity
LimitNPROC=infinity
LimitCORE=infinity
# Uncomment TasksMax if your systemd version supports it.
# Only systemd 226 and above support this version.
#TasksMax=infinity
TimeoutStartSec=0
# set delegate yes so that systemd does not reset the cgroups of docker containers
Delegate=yes
# kill only the docker process, not all processes in the cgroup
KillMode=process
# restart the docker process if it exits prematurely
Restart=on-failure
StartLimitBurst=3
StartLimitInterval=60s
[Install]
WantedBy=multi-user.target
Reload the systemd unit files, enable Docker at boot, start it, and check that it started correctly
RHEL7
systemctl daemon-reload
systemctl enable docker
systemctl start docker
systemctl status docker
RHEL8
systemctl daemon-reload
systemctl enable --now docker
systemctl status docker
Switch to the regular user and verify that docker can be used
su - alfd
docker ps
Pitfall 1: the SELinux security context of the binaries
If SELinux is enabled, be sure to use the cp command rather than mv, so that the binaries end up with the security context unconfined_u:object_r:bin_t:s0 rather than unconfined_u:object_r:default_t:s0. Otherwise systemctl start docker.service fails, and journalctl -xe shows the following error
docker.service: Failed at step EXEC spawning /usr/bin/dockerd: Permission denied
If you have already moved the binaries with mv, redo step 3.
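The reason cp works and mv does not: cp creates a new inode under /usr/bin, which policy labels with the directory's default type (bin_t), whereas mv keeps the label the file received where the tarball was unpacked (default_t under a home or tmp directory). systemd's init_t domain may execute bin_t but not default_t, hence the EXEC failure; the --selinux-enabled=false flag in the unit file only concerns labelling of containers and has no bearing on this. The following is an added example, not part of the original post, that audits the label of every copied binary before you start the service. The stat output embedded in it is constructed to show one moved (mislabelled) file; the function names are my own. On a real host, restorecon -v /usr/bin/dockerd resets a mislabelled file to the policy default, which is the alternative to re-copying.

```shell
#!/bin/sh
# Added example: audit the SELinux type of the Docker binaries copied to /usr/bin.
# Not part of the original post; the sample stat output below is constructed.

# Type that policy assigns to files under /usr/bin; init_t may execute this type.
EXPECTED_TYPE=bin_t

# sample_stat_output: constructed lines in the format of `stat -c '%n %C' FILE...`,
# as they would look after dockerd was moved (mv) while the others were copied (cp).
sample_stat_output() {
  cat <<'EOF'
/usr/bin/docker unconfined_u:object_r:bin_t:s0
/usr/bin/dockerd unconfined_u:object_r:default_t:s0
/usr/bin/containerd unconfined_u:object_r:bin_t:s0
EOF
}

# context_type CONTEXT -> prints the type field of a user:role:type:level context
context_type() {
  printf '%s\n' "$1" | cut -d: -f3
}

# check_context CONTEXT -> 0 when the type is bin_t, 1 otherwise
check_context() {
  [ "$(context_type "$1")" = "$EXPECTED_TYPE" ]
}

# find_bad_contexts STAT_OUTPUT -> prints every "path context" line whose type is wrong
find_bad_contexts() {
  printf '%s\n' "$1" | awk -v want="$EXPECTED_TYPE" '
    NF == 2 { split($2, c, ":"); if (c[3] != want) print }'
}

# all_bin_t STAT_OUTPUT -> 0 when no line is mislabelled, 1 otherwise
all_bin_t() {
  [ -z "$(find_bad_contexts "$1")" ]
}

# audit_installed UNPACKED_DIR
# Live check: for every file in the unpacked docker/ directory, inspect the copy
# in /usr/bin. Prints mislabelled files and returns 1 if there are any.
# Needs coreutils stat on an SELinux host (without SELinux, %C prints "?").
audit_installed() {
  out=$(for f in "$1"/*; do stat -c '%n %C' "/usr/bin/${f##*/}"; done)
  find_bad_contexts "$out"
  all_bin_t "$out"
}

# Offline demo on the constructed data: prints the mislabelled dockerd line.
find_bad_contexts "$(sample_stat_output)"
# Live usage after step 3:  audit_installed ./docker && systemctl start docker
# Remedy for a flagged file:  restorecon -v /usr/bin/dockerd
```

Run audit_installed from the directory where the tarball was unpacked, before systemctl start; an empty output and exit status 0 means every binary carries bin_t.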
Tips
Small tricks picked up during this exercise
Delete the files listed by ls from /usr/bin (run this inside the unpacked docker directory)
ls | xargs -I {} rm /usr/bin/{}