I’m using the following profile for running Docker; it’s working well unprivileged for most cases (I never tried running K8S/Rancher inside; I think it will be a bit wonky in unprivileged mode).
```yaml
name: docker
description: "Profile to configure instances for running Docker"
config:
  security.nesting: true
  security.syscalls.intercept.setxattr: true
  security.syscalls.intercept.mknod: true
  cloud-init.user-data: |
    #cloud-config
    write_files:
      - path: /etc/systemd/system/docker.service.d/10-listen-socket.conf
        owner: 'root:root'
        permissions: '0644'
        defer: true
        content: |
          # Generated by cloud-init
          #
          [Service]
          ExecStart=
          ExecStart=/usr/bin/dockerd -H unix:///run/docker.sock --containerd=/run/containerd/containerd.sock
      - path: /etc/docker/daemon.json
        owner: 'root:root'
        permissions: '0644'
        defer: true
        content: |
          {
            "iptables": true,
            "live-restore": true,
            "userland-proxy": false,
            "features": {
              "buildkit": true
            },
            "log-driver": "journald"
          }
    apt:
      sources:
        docker-ce:
          source: 'deb [arch=amd64 signed-by=/etc/apt/trusted.gpg.d/docker-ce.gpg] https://download.docker.com/linux/ubuntu jammy stable'
          key: <GPG KEY>
    package_update: true
    packages:
      - docker-ce
      - docker-ce-cli
      - docker-compose-plugin
      - docker-buildx-plugin
      - containerd.io
    runcmd:
      - systemctl daemon-reload
      - systemctl disable --now docker.socket
      - systemctl enable --now docker.service
```
NOTE: I also use ZFS in block mode with the overlay2 driver; it works fine.
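The profile above works because it keeps the instance unprivileged and only enables the three settings Docker needs (`security.nesting` plus the `setxattr` and `mknod` syscall interceptions), while the systemd drop-in binds dockerd to a unix socket only. The script below is an added example, not code from the post or from LXD: it lints a profile dictionary against that layout and flags the usual "quick fixes" (`security.privileged`, `raw.lxc`, host-path disk devices, a TCP `-H` listener) that quietly widen the attack surface. The sample profiles and the TCP command line are constructed for illustration; the `POST_EXECSTART` string is the drop-in's own line.

```python
"""Lint an LXD profile meant for running Docker in an unprivileged container.

Added example (not code from the original post or from LXD): it encodes the
settings the post's profile relies on and flags changes that would quietly
turn the instance into a privileged one. Sample profiles are constructed to
mirror the post; POST_EXECSTART is the post's own ExecStart line.
"""
import shlex

# Settings the post enables so dockerd/overlay2 work without security.privileged.
REQUIRED_TRUE = (
    "security.nesting",
    "security.syscalls.intercept.setxattr",
    "security.syscalls.intercept.mknod",
)

# Keys whose presence means the profile is no longer an unprivileged one.
RISKY_KEYS = {
    "security.privileged": "container root maps to host root (no user namespace)",
    "raw.lxc": "raw LXC lines can override any isolation setting",
    "raw.apparmor": "raw AppArmor lines can relax the container's confinement",
}


def _truthy(value) -> bool:
    # LXD stores config values as strings ("true"); a YAML loader may give a bool.
    return str(value).strip().lower() in ("true", "1", "yes", "on")


def check_docker_profile(profile: dict) -> list[str]:
    """Return human-readable findings; an empty list means the profile matches
    the unprivileged layout from the post."""
    findings = []
    cfg = profile.get("config", {})
    for key in REQUIRED_TRUE:
        if not _truthy(cfg.get(key, "false")):
            findings.append(f"{key} is not enabled; Docker needs it in an unprivileged container")
    for key, why in RISKY_KEYS.items():
        if key not in cfg:
            continue
        if key == "security.privileged" and not _truthy(cfg[key]):
            continue
        findings.append(f"{key} is set: {why}")
    # Disk devices backed by a host path expose host files to the container.
    for name, dev in profile.get("devices", {}).items():
        if dev.get("type") == "disk" and str(dev.get("source", "")).startswith("/"):
            findings.append(f"device {name!r} bind-mounts host path {dev['source']}")
    return findings


def check_dockerd_flags(execstart: str) -> list[str]:
    """Flag any dockerd listener that is not a unix socket in an ExecStart line."""
    findings = []
    args = shlex.split(execstart)
    for i, arg in enumerate(args):
        target = None
        if arg in ("-H", "--host") and i + 1 < len(args):
            target = args[i + 1]
        elif arg.startswith("-H=") or arg.startswith("--host="):
            target = arg.split("=", 1)[1]
        if target and not target.startswith("unix://"):
            findings.append(f"dockerd listens on {target}; the Docker API has no authentication by default")
    return findings


# Constructed sample: the config section of the post's profile.
POST_PROFILE = {
    "name": "docker",
    "config": {
        "security.nesting": True,
        "security.syscalls.intercept.setxattr": True,
        "security.syscalls.intercept.mknod": True,
    },
    "devices": {},
}

# Constructed sample: the same profile after a "quick fix" that makes it privileged.
PRIVILEGED_VARIANT = {
    "name": "docker-priv",
    "config": {**POST_PROFILE["config"], "security.privileged": "true"},
    "devices": {
        "hostdata": {"type": "disk", "source": "/srv/data", "path": "/data"},
    },
}

# The post's own ExecStart line, and a constructed TCP variant for contrast.
POST_EXECSTART = ("/usr/bin/dockerd -H unix:///run/docker.sock "
                  "--containerd=/run/containerd/containerd.sock")
TCP_EXECSTART = "/usr/bin/dockerd -H unix:///run/docker.sock -H tcp://0.0.0.0:2375"

if __name__ == "__main__":
    for label, prof in (("post", POST_PROFILE), ("privileged", PRIVILEGED_VARIANT)):
        print(label, check_docker_profile(prof) or "OK")
    print("execstart", check_dockerd_flags(POST_EXECSTART) or "OK")
    print("execstart-tcp", check_dockerd_flags(TCP_EXECSTART))
```

To lint a live profile, feed it `yaml.safe_load` of `lxc profile show docker`; the post's profile produces no findings, the privileged variant produces two, and the TCP command line is flagged once.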