docker-rootless-install-scripts
#!/bin/bash
# Script to install rootless Docker for the current user
# Abort the script unless the given tool is resolvable on PATH.
# Arguments: $1 - command name to look up
# Outputs:   an error line on stderr when the tool is missing
# Exits:     1 when the tool is not found; otherwise returns 0
check_command() {
  local tool=$1
  if command -v "$tool" >/dev/null 2>&1; then
    return 0
  fi
  printf 'Error: %s is required but not found. Please install it and try again.\n' "$tool" >&2
  exit 1
}
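# Verify that the user has a subordinate UID and GID range configured.
# Arguments: $1 - user name to look up
#            $2 - (optional) subuid file, defaults to /etc/subuid
#            $3 - (optional) subgid file, defaults to /etc/subgid
# Outputs:   an error plus a hint on stderr when an entry is missing
# Exits:     1 when either file lacks an entry for the user
#
# The hint deliberately does NOT suggest starting the range at the user's
# own UID (the earlier "$user:$(id -u):65536" advice): a 65536-wide range
# starting at e.g. 1000 covers the real UIDs of every other account on the
# host, and anything inside a user's subordinate range can be mapped into a
# user namespace and used for filesystem access as that ID. Subordinate
# ranges must sit above all real IDs and must not overlap other users' ranges.
check_subuid_subgid() {
  local user=$1
  local subuid_file=${2:-/etc/subuid}
  local subgid_file=${3:-/etc/subgid}
  local file
  for file in "$subuid_file" "$subgid_file"; do
    # Entries are "<name>:<start>:<count>"; only a name-keyed entry is checked,
    # matching what newuidmap/newgidmap will look for.
    if ! grep -q -- "^$user:" "$file"; then
      echo "Error: No entry found for user '$user' in $file." >&2
      echo "Please add an entry for your user to $file (as root). The range must not" >&2
      echo "overlap real IDs or other users' ranges on this host, e.g.:" >&2
      echo " echo \"$user:100000:65536\" | sudo tee -a $file" >&2
      exit 1
    fi
  done
}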
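# Append a line to a shell rc file unless it is already present.
# Arguments: $1 - rc file to edit (created if missing)
#            $2 - exact line to ensure is present
# Outputs:   one status line on stdout describing what happened
# Returns:   0 when the line is present afterwards; non-zero if the append failed
#
# Fixes: grep was called without "--", so a line starting with "-" would be
# parsed as options; echo was used to write arbitrary text (printf is the
# portable choice); a missing rc file produced a stray grep error message
# before the line was appended.
add_to_bashrc() {
  local file=$1
  local line=$2
  # -F: the line is a literal string, not a regex. A missing file is not an
  # error here, it simply means the line is absent.
  if grep -Fq -- "$line" "$file" 2>/dev/null; then
    echo "'$line' already exists in $file, skipping."
    return 0
  fi
  printf '%s\n' "$line" >> "$file" || return 1
  echo "Added '$line' to $file"
}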
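# ---- main: install rootless Docker for the invoking user ----------------
# Preconditions: newuidmap/newgidmap from uidmap, a subordinate ID range for
# this user, and network access to get.docker.com. Writes under $HOME only.
check_command curl
check_command tar
check_command newuidmap
check_command newgidmap
check_subuid_subgid "${USER:-$(id -un)}"

home_dir="$HOME"
mkdir -p "$home_dir/.docker" "$home_dir/bin"

# The rootless installer places its binaries, including
# dockerd-rootless-setuptool.sh, in ~/bin. That directory is usually not on
# PATH yet (this script adds it to .bashrc further down), so put it first for
# the remainder of this run or the setuptool call below fails with
# "command not found".
export PATH="$home_dir/bin:$PATH"

echo "Installing rootless Docker..."
# Supply-chain note: this fetches and executes a script from get.docker.com
# over HTTPS with no additional pinning or checksum. It is saved to a temp
# file before being run so that a failed or truncated download is reported
# as an error instead of an empty stream being piped into sh (which exits 0),
# and so the script can be inspected if desired.
installer=$(mktemp) || { echo "Error: mktemp failed." >&2; exit 1; }
trap 'rm -f -- "$installer"' EXIT
if ! curl -fsSL https://get.docker.com/rootless -o "$installer"; then
  echo "Error: failed to download the rootless Docker installer." >&2
  exit 1
fi
if ! sh "$installer"; then
  echo "Error: the rootless Docker installer failed. See output above for details." >&2
  exit 1
fi

echo "Configuring systemd..."
if ! dockerd-rootless-setuptool.sh install; then
  echo "Error: dockerd-rootless-setuptool.sh failed. See output above for details." >&2
  exit 1
fi

echo "Configuring environment variables..."
add_to_bashrc "$home_dir/.bashrc" 'export PATH="$HOME/bin:$PATH"'
add_to_bashrc "$home_dir/.bashrc" 'export DOCKER_HOST="unix:///run/user/$(id -u)/docker.sock"'

# --- NVIDIA Configuration (User-Specific) ---
sys_daemon_json=/etc/docker/daemon.json
user_daemon_json="$home_dir/.config/docker/daemon.json"
# The system-wide daemon.json only exists once something (nvidia-ctk here)
# has written it; grep on a missing file would just print an error.
if [[ -r "$sys_daemon_json" ]] && grep -q '"nvidia"' "$sys_daemon_json"; then
  echo "NVIDIA Container Toolkit detected (system-wide configuration)."
  check_command jq
  mkdir -p "$(dirname "$user_daemon_json")"

  # jq produces no output for empty input, so an empty (just-touched) file
  # must be seeded with {} or the edit below would write an empty daemon.json.
  if [[ ! -s "$user_daemon_json" ]]; then
    printf '{}\n' > "$user_daemon_json"
  fi

  if ! current_runtime=$(jq -r '.["default-runtime"] // empty' "$user_daemon_json"); then
    echo "Error: $user_daemon_json is not valid JSON; refusing to modify it." >&2
    exit 1
  fi
  if [[ "$current_runtime" == "nvidia" ]]; then
    echo "User configuration already set to use nvidia runtime."
  elif [[ -n "$current_runtime" ]]; then
    echo "Updating default runtime to nvidia in user configuration."
  fi

  # Rootless dockerd reads only the per-user daemon.json, not /etc/docker/.
  # A "default-runtime" that is not also defined under .runtimes in the same
  # file is rejected by the daemon, so copy the runtime definitions written
  # system-wide by nvidia-ctk alongside setting the default (existing user
  # definitions win). The edit is idempotent and written via a temp file in
  # the same directory so the rename is atomic.
  tmp_json=$(mktemp "$user_daemon_json.XXXXXX") || exit 1
  if jq --slurpfile sys "$sys_daemon_json" \
       '.runtimes = (($sys[0].runtimes // {}) + (.runtimes // {}))
        | .["default-runtime"] = "nvidia"' \
       "$user_daemon_json" > "$tmp_json"; then
    mv -- "$tmp_json" "$user_daemon_json"
  else
    rm -f -- "$tmp_json"
    echo "Error: failed to update $user_daemon_json." >&2
    exit 1
  fi
else
  echo "NVIDIA Container Toolkit not detected or not configured system-wide. Skipping NVIDIA setup."
fi

# Quoted delimiter: the text contains backticks (`ForwardX11 yes`), which an
# unquoted here-doc would treat as command substitution and try to execute.
cat <<'EOF'
Rootless Docker installation complete.
Please log out and log back in for the changes to take effect.
**Optional: X11 Forwarding**
- If you need X11 forwarding with Docker, ensure your SSH configuration
- allows it (e.g., `ForwardX11 yes` in your SSH client config and
- `X11Forwarding yes` in the server's sshd_config). You may also need to set
- the DISPLAY environment variable appropriately before running Docker
- commands that require X11. The exact setup depends on your specific
- X11 configuration.
EOF
exit 0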
#!/bin/bash
# Script to prepare a user for rootless Docker (run as root)
# Ensure a required tool is available; exit with a message otherwise.
# Arguments: $1 - command name to resolve via PATH
# Outputs:   error text on stderr if missing
# Exits:     1 when the command cannot be found
check_command() {
  local wanted=$1
  command -v "$wanted" >/dev/null 2>&1 && return 0
  printf 'Error: %s is required but not found. Please install it and try again.\n' "$wanted" >&2
  exit 1
}
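# ---- helpers ------------------------------------------------------------

# Write the AppArmor profile that allows rootlesskit to create user
# namespaces, into /etc/apparmor.d as root:root 0644.
# Arguments: $1 - absolute path of the rootlesskit binary being profiled
#            $2 - profile name (used for the "local/" include)
#            $3 - destination file under /etc/apparmor.d
# Returns:   0 on success, 1 if the profile could not be written
write_apparmor_profile() {
  local path=$1
  local name=$2
  local dest=$3
  local tmp
  tmp=$(mktemp) || return 1
  cat > "$tmp" <<EOT
# ref: https://ubuntu.com/blog/ubuntu-23-10-restricted-unprivileged-user-namespaces
abi <abi/4.0>,
include <tunables/global>
$path {
  userns,
  capability setuid,
  capability setgid,
  capability chown,
  capability dac_override,
  capability fowner,
  capability fsetid,
  capability kill,
  capability net_bind_service,
  capability net_raw,
  capability setpcap,
  include if exists <local/$name>
}
EOT
  # install(1) copies with the final owner/mode in one step, which also works
  # when /tmp is a different filesystem from /etc.
  if ! install -o root -g root -m 644 -- "$tmp" "$dest"; then
    rm -f -- "$tmp"
    return 1
  fi
  rm -f -- "$tmp"
}

# Print the start of a free 65536-wide subordinate ID range for a
# subuid/subgid file: at least 100000, and above every range already listed.
# Arguments: $1 - /etc/subuid or /etc/subgid (may not exist yet)
# Outputs:   the start value on stdout
next_subid_start() {
  local file=$1
  local start=100000
  local _name first count
  if [[ -r "$file" ]]; then
    while IFS=: read -r _name first count; do
      # Skip blank/malformed lines rather than feeding them to arithmetic.
      [[ "$first" =~ ^[0-9]+$ && "$count" =~ ^[0-9]+$ ]] || continue
      if (( first + count > start )); then
        start=$(( first + count ))
      fi
    done < "$file"
  fi
  printf '%s\n' "$start"
}

# Append a "<user>:<start>:65536" entry to a subuid/subgid file if the user
# has none yet. The entry is echoed through tee like the original did.
# Arguments: $1 - subuid or subgid file
#            $2 - user name
# Returns:   non-zero if the file could not be appended to
#
# SECURITY: the range must not start at the user's own UID (the earlier
# "$username:$(id -u "$username"):65536"). A range such as 1000..66535
# contains the real UIDs of every other account on the host; any ID inside a
# user's subordinate range can be mapped into a user namespace via
# newuidmap/newgidmap and then used to access files owned by that ID. The
# start is therefore chosen above all real IDs and existing ranges.
ensure_subid_entry() {
  local file=$1
  local user=$2
  local start
  if grep -q -- "^$user:" "$file" 2>/dev/null; then
    return 0
  fi
  start=$(next_subid_start "$file") || return 1
  printf '%s:%s:65536\n' "$user" "$start" | tee -a "$file" >/dev/null || return 1
  printf '%s:%s:65536\n' "$user" "$start"
}

# ---- main: prepare a user for rootless Docker (run as root) ---------------
if [[ -z "${1:-}" ]]; then
  echo "Usage: $0 <username>" >&2
  exit 1
fi
username="$1"

# Everything below writes under /etc; fail early with a clear message rather
# than a cascade of permission errors.
if [[ "$(id -u)" -ne 0 ]]; then
  echo "Error: this script must be run as root." >&2
  exit 1
fi

if ! id "$username" &> /dev/null; then
  echo "Error: User '$username' does not exist." >&2
  exit 1
fi

# Resolve the real home directory instead of assuming /home/<user>; the
# AppArmor profile is keyed on the absolute path of the rootlesskit binary.
user_home=$(getent passwd "$username" | cut -d: -f6)
if [[ -z "$user_home" ]]; then
  echo "Error: could not determine the home directory of '$username'." >&2
  exit 1
fi
rootlesskit_path="$user_home/bin/rootlesskit"
# AppArmor file naming: the profiled path with the leading '/' dropped and
# every '/' turned into '.', e.g. /home/alice/bin/rootlesskit ->
# home.alice.bin.rootlesskit.
profile_name=${rootlesskit_path#/}
profile_name=${profile_name//\//.}
profile_file="/etc/apparmor.d/$profile_name"

check_command apparmor_status
if ! apparmor_status 2>&1 | grep -q "AppArmor is enabled"; then
  echo "Warning: AppArmor does not appear to be enabled. Rootless Docker might not work correctly." >&2
fi

if ! write_apparmor_profile "$rootlesskit_path" "$profile_name" "$profile_file"; then
  echo "Error: Failed to create AppArmor profile." >&2
  exit 1
fi
if ! systemctl restart apparmor.service; then
  echo "Warning: failed to restart apparmor.service; the new profile may not be loaded yet." >&2
fi

# --- NVIDIA Configuration (System-Wide) ---
# lspci (pciutils) is not guaranteed to exist; treat its absence as
# "no NVIDIA hardware detected" rather than a command-not-found error.
if command -v lspci >/dev/null 2>&1 && lspci | grep -q NVIDIA; then
  check_command nvidia-ctk
  echo "Configuring NVIDIA Container Toolkit (system-wide)..."
  if ! nvidia-ctk runtime configure --runtime=docker; then
    echo "Error: nvidia-ctk runtime configure failed. See output above for details." >&2
    exit 1
  fi
else
  echo "NVIDIA hardware not detected. Skipping system-wide nvidia-ctk configuration."
fi

ensure_subid_entry /etc/subuid "$username" || { echo "Error: could not update /etc/subuid." >&2; exit 1; }
ensure_subid_entry /etc/subgid "$username" || { echo "Error: could not update /etc/subgid." >&2; exit 1; }
echo "User '$username' prepared for rootless Docker."
exit 0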