Currently, using rootless Docker on Arch can reasonably be divided into
two approaches: stability and performance. With stability, the choice is
an LTS kernel and the fuse-overlayfs storage driver, while under
performance the latest stable kernel is used alongside the latest widely
adopted overlay2 storage driver. Let's see how to set up both options.
Stability with LTS kernel and FUSE
Some hosting providers, namely Contabo, offer quite a nice Arch image for a
VPS. It comes with linux-lts, which is a sensible choice for a server
setup. At the time of writing the latest LTS kernel version was 5.10,
however rootless support for overlay2 landed in 5.11, meaning no support
for this storage driver with the official LTS kernel. This leaves us with
the more time-proven, but possibly less performant, fuse-overlayfs
storage driver.
yay -S fuse-overlayfs docker-rootless-extras-bin
The above will also pull rootlesskit or rootlesskit-bin into your
system. Now the only thing needed is to follow the Arch wiki, in short:
echo "$USER:165536:65536" | sudo tee /etc/subuid /etc/subgid
systemctl --user enable --now docker.socket
echo "export DOCKER_HOST=unix://\$XDG_RUNTIME_DIR/docker.sock" >> ~/.profile
Confirm with docker info and look for the Storage Driver line.
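A preflight check for the setup above, added here as an example (it is my script, not something from the post's sources or the Arch wiki). It works out which storage driver the running kernel can support (overlay2 from 5.11 on, fuse-overlayfs below that), verifies that /etc/subuid and /etc/subgid carry a 65536-id range for the current user, and, if docker is installed, asks it which driver is actually active. The kernel version strings in the comments are constructed samples.

```shell
#!/bin/sh
# Added example, not from the post or the Arch wiki: preflight check for
# rootless Docker on Arch. Run with: sh rootless-preflight.sh run

# Succeed when kernel version string $1 (as printed by uname -r, e.g. the
# constructed sample "5.15.12-arch1-1") is 5.11 or newer, the first kernel
# where rootless Docker can use overlay2.
kernel_supports_rootless_overlay2() {
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%.*}
    major=${major%%[!0-9]*}   # drop suffixes such as "-lts" or "-rc1"
    minor=${minor%%[!0-9]*}
    { [ "$major" -gt 5 ] || { [ "$major" -eq 5 ] && [ "$minor" -ge 11 ]; }; } 2>/dev/null
}

# Print the driver matching the two setups in the post for kernel $1.
pick_storage_driver() {
    if kernel_supports_rootless_overlay2 "$1"; then
        echo overlay2
    else
        echo fuse-overlayfs
    fi
}

# Read subuid/subgid lines ("user:start:count") from stdin and succeed when
# user $1 owns a range of at least 65536 ids, the size used in the setup.
subid_has_range() {
    while IFS=: read -r name start count; do
        [ "$name" = "$1" ] || continue
        case "$start$count" in *[!0-9]*|"") continue ;; esac
        [ "$count" -ge 65536 ] && return 0
    done
    return 1
}

rootless_preflight() {
    kver=$(uname -r)
    user=${USER:-$(id -un)}
    echo "kernel $kver: recommended storage driver is $(pick_storage_driver "$kver")"
    for f in /etc/subuid /etc/subgid; do
        if [ -r "$f" ] && subid_has_range "$user" < "$f"; then
            echo "$f: range for $user present"
        else
            echo "$f: no 65536-id range for $user (see the tee command above)"
        fi
    done
    if command -v docker >/dev/null 2>&1; then
        echo "active driver: $(docker info --format '{{.Driver}}' 2>/dev/null || echo unknown)"
    fi
}

if [ "${1:-}" = run ]; then
    rootless_preflight
fi
```

If the reported active driver differs from the recommended one, the override section further down explains how to pin it in daemon.json.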
Performance with stable kernel and overlay2
This is a variation of the above. First we need to switch to the latest
stable linux kernel, at the time of writing the 5.15 branch, for instance
like this:
sudo pacman -S linux
sudo pacman -Rnc linux-lts
sudo mkinitcpio -p linux
sudo grub-mkconfig -o /boot/grub/grub.cfg
For the rest, follow the above, only omitting the installation of
fuse-overlayfs. Note that it won't hurt to install it, however, as with a
given stable kernel Docker rootless will choose overlay2 automatically.
Overriding the choice
Docker chooses the best available driver, but the choice can be overridden
by editing ~/.config/docker/daemon.json with the following:
{
"storage-driver": "overlay2"
}
The above requires at least kernel 5.11 for rootless Docker to work, as
was already stated. Or, alternatively, with a stable kernel and the
fuse-overlayfs package present, the FUSE storage driver can be forced
with:
{
"storage-driver": "fuse-overlayfs"
}
Now rerun the services:
systemctl --user stop docker.service
systemctl --user stop docker.socket
systemctl --user enable docker.socket --now
docker info
Note: Although guides prefer to mention a socket for rootless Docker,
consider enabling docker.service instead of docker.socket for critical
services that should run all the time.
However, on my machine this led to an error similar to this one (the daemon
configuration file is documented at
https://docs.docker.com/engine/reference/commandline/dockerd/#daemon-configuration-file):
Error starting daemon: error initializing graphdriver: "/home/peterbabic/.local/share/docker" contains other graph drivers:
fuse-overlayfs; Please cleanup or explicitly choose storage driver (-s <DRIVER>)
The error can be found in the journal under the following:
journalctl --user -xeu docker.service
Warning: the next step might lead to a loss of data! Please proceed with caution and with proper backups.
In case you are just setting things up, the safest way is just to remove all the Docker rootless data:
rm -rf ~/.local/share/docker
Now rerun the services as described in the previous step. The chosen driver should be used.
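Before reaching for rm -rf, it is worth seeing exactly which driver directories the data root holds. The script below is an added example of mine (not code from the post, Docker or the Arch wiki): it reads the storage-driver value from daemon.json with plain sed, lists the driver directories under the data root that disagree with it (every directory except the configured one, or all of them when nothing is configured and more than one exists, which is the situation the error message above describes), and with the stash argument moves those directories into a timestamped sibling of the data root instead of deleting them. The default paths are the rootless ones used in the post; DATA_ROOT and DAEMON_JSON can be overridden through the environment.

```shell
#!/bin/sh
# Added example, not from the post or from Docker: find storage driver
# directories in a rootless Docker data root that conflict with the driver
# selected in daemon.json, and move them aside rather than deleting them.
# Usage: sh docker-driver-conflict.sh check   (report only)
#        sh docker-driver-conflict.sh stash   (move conflicting dirs aside)

# Directory names Docker creates under the data root, one per driver.
KNOWN_DRIVERS="overlay2 fuse-overlayfs vfs btrfs zfs devicemapper aufs"

# Print the "storage-driver" value from daemon.json $1, or nothing if the
# file or key is absent. Plain sed, so jq is not needed; assumes key and
# value sit on one line as in the snippets above.
configured_driver() {
    [ -r "$1" ] || return 0
    sed -n 's/.*"storage-driver"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Print the driver directories in data root $1 that conflict with the
# driver configured in $2, one per line.
conflicting_drivers() {
    root=$1
    want=$(configured_driver "$2")
    found=""
    for d in $KNOWN_DRIVERS; do
        [ -d "$root/$d" ] && found="$found $d"
    done
    set -- $found
    if [ -n "$want" ]; then
        for d; do [ "$d" = "$want" ] || echo "$d"; done
    elif [ $# -gt 1 ]; then
        for d; do echo "$d"; done
    fi
}

# Move conflicting driver directories into "<data root>.stash-<timestamp>".
# mv within one filesystem is a rename, so nothing is copied and the data
# can be moved back if the wrong driver turns out to have been configured.
stash_conflicting_drivers() {
    root=$1
    stash="$root.stash-$(date +%Y%m%d%H%M%S)"
    conflicting_drivers "$root" "$2" | while read -r d; do
        mkdir -p "$stash"
        mv "$root/$d" "$stash/$d"
        echo "moved $root/$d -> $stash/$d"
    done
}

DATA_ROOT=${DATA_ROOT:-$HOME/.local/share/docker}
DAEMON_JSON=${DAEMON_JSON:-$HOME/.config/docker/daemon.json}

case ${1:-} in
    check)
        c=$(conflicting_drivers "$DATA_ROOT" "$DAEMON_JSON")
        if [ -n "$c" ]; then
            echo "daemon.json selects '$(configured_driver "$DAEMON_JSON")' but $DATA_ROOT also holds: $c"
        else
            echo "no conflicting storage driver directories in $DATA_ROOT"
        fi ;;
    stash)
        stash_conflicting_drivers "$DATA_ROOT" "$DAEMON_JSON" ;;
esac
```

Stop docker.service and docker.socket first, as in the previous step, then run the check; after stashing, start the service again and confirm the driver with docker info. The stash directory can be removed once the new setup has been running for a while.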
Links
- http://kroah.com/log/blog/2018/08/24/what-stable-kernel-should-i-use/
- https://bugs.archlinux.org/task/36969
- https://docs.docker.com/engine/security/rootless/
- https://docs.docker.com/storage/storagedriver/
- https://haydenjames.io/quick-tips-stable-arch-linux-experience/
- https://issueexplorer.com/issue/rootless-containers/rootlesskit/269
- https://vadosware.io/post/back-to-docker-after-issues-with-podman/
- https://wiki.archlinux.org/title/Docker#Docker_rootless