Run Smart ID components in Docker Rootless mode
This article describes how to run the Smart ID Docker containers under a dedicated, unprivileged user instead of the root user that Docker uses by default.
<SMARTIDHOME>
In this article, <SMARTIDHOME> refers to /home/nexus, but this can be different depending on the setup.
Depending on the infrastructure you run your applications on, you might want to use a specific user instead of the root user that Docker uses by default. Docker 20.10 (and 19.03 as an experimental feature) provides a rootless mode for this use case: both the daemon and the containers run inside a user namespace owned by an unprivileged user, so a compromise of the daemon or an escape from a container yields the privileges of that user rather than root. The setup is described at https://docs.docker.com/engine/security/rootless/ (the setup and URL may change in later Docker versions).
This article is applicable for Identity Manager, Physical Access, and Messaging.
Use docker.sock (for example for traefik)
In a normal (rootful) Docker installation, you map the docker.sock file like this:
Mapping in a normal docker installation
/var/run/docker.sock:/var/run/docker.sock:ro
In rootless Docker, this file does not exist on the host machine. The daemon creates its socket in the runtime directory of the user that starts Docker, that is $XDG_RUNTIME_DIR/docker.sock, which on a systemd host is /run/user/<UID>/docker.sock. If that user has UID 1000 (you can find this by running id -u), the mapping has to be like this:
Note that whatever can talk to this socket controls the daemon and every container it runs; the :ro flag only makes the mount read-only, it does not limit the API behind it. Rootless mode bounds the damage to your user account, but only give the socket to containers that need it (such as traefik).
Mapping in rootless docker
/run/user/1000/docker.sock:/var/run/docker.sock:ro
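The following shell script is added here as an example; it is not part of the Nexus documentation or the product. It resolves the socket path of the rootless daemon from the user's runtime directory instead of hard-coding the UID, emits the compose mapping shown above, and checks that the socket actually exists before you start the stack. Function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the Nexus documentation): locate the rootless
# Docker socket and produce the compose volume mapping for it.

# Socket location of a rootless daemon: $XDG_RUNTIME_DIR/docker.sock, which
# systemd sets to /run/user/<uid> for a logged-in user. Optional argument: UID
# of the user that runs the daemon (default: the current user).
rootless_socket_path() {
    uid="${1:-$(id -u)}"
    if [ -n "${XDG_RUNTIME_DIR:-}" ] && [ "$uid" = "$(id -u)" ]; then
        printf '%s/docker.sock\n' "$XDG_RUNTIME_DIR"
    else
        printf '/run/user/%s/docker.sock\n' "$uid"
    fi
}

# Compose "volumes:" entry. Inside the container the socket keeps the
# conventional /var/run/docker.sock path so tools such as traefik find it
# without extra configuration. ":ro" restricts the bind mount only; anything
# that can talk to the socket still controls the daemon.
rootless_socket_mapping() {
    printf '%s:/var/run/docker.sock:ro\n' "$(rootless_socket_path "$1")"
}

# Returns 0 if the socket exists on the host, 1 (with a hint) otherwise.
rootless_socket_check() {
    sock="$(rootless_socket_path "$1")"
    if [ -S "$sock" ]; then
        echo "ok: $sock"
        return 0
    fi
    echo "missing: $sock (is the rootless daemon running? try: systemctl --user status docker)" >&2
    return 1
}

# Usage: ./rootless-sock.sh [UID]
if [ $# -gt 0 ]; then
    rootless_socket_mapping "$1"
    rootless_socket_check "$1" || exit 1
fi
```

Paste the printed line into the volumes section of the traefik service; if the check reports the socket as missing, the daemon is not running under that user (or you are not logged in as that user), and the mapping would silently fail at container start.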
Map certificates
Make sure that the certificates in <SMARTIDHOME>/docker/compose/cacerts are readable by the containers. In rootless mode a process inside a container that does not run as the container's root user is mapped to one of your subordinate UIDs on the host, so it counts as "other" for files owned by your account; files and directories that are only readable by the owner (for example 600 or 700) cannot be opened inside the container, and the containers fail when they try to use them. Setting the permissions to 755 fixes this. World-readable is acceptable here because cacerts is meant for public CA certificates; do not apply the same permissions to private keys.
Run this command to recursively set the permissions on all files inside the cacerts folder to 755:
chmod -R 755 <SMARTIDHOME>/docker/compose/cacerts
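Added example, not from the Nexus documentation: a check that lists the entries in cacerts the container cannot read, and a repair that uses 755 for directories and 644 for files. This grants the same read access as the chmod -R 755 above without marking certificate files executable. The default path assumes <SMARTIDHOME> is /home/nexus; pass another directory as the first argument. Function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the Nexus documentation): check and repair the
# permissions of the cacerts folder for rootless Docker.
# Assumption: <SMARTIDHOME> is /home/nexus unless SMARTIDHOME is set.
CACERTS_DEFAULT="${SMARTIDHOME:-/home/nexus}/docker/compose/cacerts"

# List every file that is not world-readable (-004) and every directory that
# is not world-readable and -searchable (-005). A non-root container process
# is mapped to a subordinate UID of the host user, so from the host's point of
# view it is "other" and needs exactly these bits. Returns 1 if anything is listed.
cacerts_check() {
    dir="${1:-$CACERTS_DEFAULT}"
    bad="$(find "$dir" -type f ! -perm -004; find "$dir" -type d ! -perm -005)"
    if [ -n "$bad" ]; then
        printf 'not readable by the container:\n%s\n' "$bad"
        return 1
    fi
    echo "ok: $dir"
    return 0
}

# Repair: 755 on directories, 644 on files. Only do this for public CA
# certificates; never make private keys world-readable.
cacerts_fix() {
    dir="${1:-$CACERTS_DEFAULT}"
    find "$dir" -type d -exec chmod 755 {} +
    find "$dir" -type f -exec chmod 644 {} +
}

# Usage: ./cacerts-perms.sh [DIRECTORY]
if [ $# -gt 0 ]; then
    cacerts_check "$1" || { cacerts_fix "$1" && cacerts_check "$1"; }
fi
```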
Troubleshooting
Here are some useful troubleshooting tips:
Docker rootless fails to install
Consider setting this environment variable: FORCE_ROOTLESS_INSTALL=1. It makes the rootless install script skip its preflight checks, so read the reason the script reported before overriding it.
When executing systemctl --user I get the following error: Failed to connect to bus: No such file or directory
There are only services enabled for the system, but not for the user. This typically happens when you switched to the Docker user with su or sudo instead of logging in as that user: the user-level systemd instance and its bus in $XDG_RUNTIME_DIR are not available in such a session. Log in as the user directly (for example via ssh), and enable lingering (loginctl enable-linger <user>) if the daemon should start at boot without a login session.
See https://superuser.com/questions/1561076/systemctl-use-failed-to-connect-to-bus-no-such-file-or-directory-debian-9
Application (like traefik) fails to open port on the host machine
Ports below 1024 are privileged, and by default an unprivileged user cannot bind them; there are different ways to allow it depending on your operating system. On Linux you can lower net.ipv4.ip_unprivileged_port_start with sysctl, give CAP_NET_BIND_SERVICE to the rootlesskit binary as described in the Docker rootless documentation, or publish the application on a port above 1024.
See https://superuser.com/questions/710253/allow-non-root-process-to-bind-to-port-80-and-443
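Added example, not from the Nexus documentation or from Docker: a preflight script for the last two problems. It checks that the user-level systemd bus is reachable and that the ports you intend to publish are bindable by an unprivileged process, and prints the fixes from the Docker rootless documentation when they are not. Function names are the example's own; port_bindable takes the lower bound as an optional second argument so the decision logic can be exercised without changing the live sysctl.

```shell
#!/bin/sh
# Added example (not from the Nexus documentation): preflight checks for
# "Failed to connect to bus" and for privileged ports under rootless Docker.
# Paths follow Linux/systemd conventions.

# The user-level systemd bus lives in $XDG_RUNTIME_DIR/bus. If the variable is
# unset (typical after "su" or "sudo -u" instead of a real login), "systemctl
# --user" cannot reach it. Returns 0 if the bus socket is present.
user_bus_status() {
    rt="${XDG_RUNTIME_DIR:-/run/user/$(id -u)}"
    if [ -S "$rt/bus" ]; then
        echo "user bus ok: $rt/bus"
        return 0
    fi
    echo "no user bus at $rt/bus: log in as the user directly (ssh/login, not su);" \
         "for start at boot run: sudo loginctl enable-linger $(id -un)" >&2
    return 1
}

# A non-root process may bind only ports >= net.ipv4.ip_unprivileged_port_start
# (default 1024). Returns 0 when PORT is bindable. The lower bound is read from
# the kernel unless given as the second argument.
port_bindable() {
    port="$1"
    start="${2:-$(cat /proc/sys/net/ipv4/ip_unprivileged_port_start 2>/dev/null || echo 1024)}"
    [ "$port" -ge "$start" ]
}

# Check a list of ports; print the two fixes from the Docker rootless docs for
# the first blocked one and return 1.
ports_check() {
    for p in "$@"; do
        if ! port_bindable "$p"; then
            echo "port $p is privileged for a rootless daemon; fix with one of:" >&2
            echo "  sudo sysctl -w net.ipv4.ip_unprivileged_port_start=$p   # persist in /etc/sysctl.d/" >&2
            echo "  sudo setcap cap_net_bind_service=ep \$(which rootlesskit) && systemctl --user restart docker" >&2
            return 1
        fi
    done
    echo "ports ok: $*"
}

# Usage: ./rootless-preflight.sh 80 443
if [ $# -gt 0 ]; then
    user_bus_status
    ports_check "$@"
fi
```

Lowering ip_unprivileged_port_start to the lowest port you actually need (80 rather than 0) keeps the remaining privileged range closed to other unprivileged processes on the host; the setcap variant grants the capability to rootlesskit only.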