I am trying to install rootless Docker inside a Docker image for a self-hosted GitHub Actions Runner.
Here is what I have so far:
```
# https://releases.ubuntu.com/jammy
FROM ubuntu:22.04

# "Frontend" never interacts and makes the default answers be used for all questions
# https://manpages.ubuntu.com/manpages/xenial/man7/debconf.7.html
ENV DEBIAN_FRONTEND=noninteractive

# https://manpages.ubuntu.com/manpages/xenial/man8/apt-get.8.html
# Re-synchronize the package index files from their sources
RUN apt-get update --assume-yes \
    # Install the newest versions of all packages currently installed on the system from the sources
    && apt-get upgrade --assume-yes

# Install required and dependent packages (ignoring recommends and suggests)
# https://askubuntu.com/a/1216894
RUN apt-get install --assume-yes --no-install-recommends \
    # Required to download and parse GitHub actions/runner
    ca-certificates curl jq

# Add a non-sudo user named "github"
# https://manpages.ubuntu.com/manpages/xenial/en/man8/useradd.8.html
RUN useradd --create-home github

# Set working directory for GitHub actions/runner
WORKDIR /home/github/actions-runner

# GitHub actions/runner version
# https://github.com/actions/runner/releases
ARG RUNNER_VERSION="2.315.0"

# Download GitHub actions/runner
# https://curl.se/docs/manpage.html
RUN curl --remote-name --location https://github.com/actions/runner/releases/download/v${RUNNER_VERSION}/actions-runner-linux-x64-${RUNNER_VERSION}.tar.gz \
    # Decompress .gz then extract .tar from .tar.gz file
    # https://manpages.ubuntu.com/manpages/xenial/man1/tar.1.html
    && tar --ungzip --extract --file ./actions-runner-linux-x64-${RUNNER_VERSION}.tar.gz \
    && rm ./actions-runner-linux-x64-${RUNNER_VERSION}.tar.gz \
    # Set "github" user as owner to github home directory
    # https://manpages.ubuntu.com/manpages/xenial/man1/chown.1.html
    && chown --recursive github ~github \
    # Install GitHub actions/runner dependencies
    && ./bin/installdependencies.sh

# Copy start.sh script
COPY start.sh start.sh

# https://askubuntu.com/a/803166
RUN sed --in-place "s/\r$//" start.sh \
    # Add execute permissions to start.sh script
    # https://manpages.ubuntu.com/manpages/trusty/man1/chmod.1.html
    && chmod +x start.sh

# Run entrypoint as "github" user
USER github

# Run start.sh script when container executes
ENTRYPOINT ["./start.sh"]
```

This works. Note that ca-certificates is installed and it works because the usage of curl is successful.
However, when I modify this to include rootless Docker it fails with the title error:
```
# https://releases.ubuntu.com/jammy
FROM ubuntu:22.04

# "Frontend" never interacts and makes the default answers be used for all questions
# https://manpages.ubuntu.com/manpages/xenial/man7/debconf.7.html
ENV DEBIAN_FRONTEND=noninteractive

# https://manpages.ubuntu.com/manpages/xenial/man8/apt-get.8.html
# Re-synchronize the package index files from their sources
RUN apt-get update --assume-yes \
    # Install the newest versions of all packages currently installed on the system from the sources
    && apt-get upgrade --assume-yes \
    # Install required and dependent packages (ignoring recommends and suggests)
    # https://askubuntu.com/a/1216894
    && apt-get install --assume-yes --no-install-recommends \
    # Required to download and parse GitHub actions/runner
    ca-certificates curl jq \
    # Required for rootless Docker
    uidmap dbus-user-session

# https://docs.docker.com/engine/install/ubuntu
RUN install -m 0755 -d /etc/apt/keyrings \
    && curl -fsSL https://download.docker.com/linux/ubuntu/gpg -o /etc/apt/keyrings/docker.asc \
    && chmod a+r /etc/apt/keyrings/docker.asc \
    && echo \
    "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu \
    $(. /etc/os-release && echo "$VERSION_CODENAME") stable" | \
    tee /etc/apt/sources.list.d/docker.list > /dev/null \
    && apt-get update --assume-yes \
    && apt-get install --assume-yes --no-install-recommends \
    docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin docker-ce-rootless-extras
...
```

Here is the full error:
```
0.457 curl: (60) SSL certificate problem: unable to get local issuer certificate
0.457 More details here: https://curl.se/docs/sslcerts.html
0.457
0.457 curl failed to verify the legitimacy of the server and therefore could not
0.457 establish a secure connection to it. To learn more about this situation and
0.457 how to fix it, please visit the web page mentioned above.
```

The webpage it links to is not really useful and I am not running through a proxy. Other solutions say to install ca-certificates, which I have already done. I have attempted to install Cisco Umbrella Root CA (the certificate I find for https://download.docker.com), but it made no difference (I may have set it up incorrectly though). I do not want to use -k or really any other "solution" that just simply skips the security check.
Any suggestions? If the solution is to install the Cisco Umbrella Root CA how exactly do I do that properly? If that isn't a solution, what other options do I have?
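
One way to add a root CA to an Ubuntu image's system trust store so that curl keeps verifying certificates, shown as an added example that is not part of the original post. The file name `umbrella-root-ca.crt` is an assumed placeholder for a PEM export of the CA placed in the build context.

```dockerfile
# https://releases.ubuntu.com/jammy
FROM ubuntu:22.04
ENV DEBIAN_FRONTEND=noninteractive

# ca-certificates ships update-ca-certificates and the bundle
# (/etc/ssl/certs/ca-certificates.crt) that Ubuntu's curl reads by default.
RUN apt-get update --assume-yes \
    && apt-get install --assume-yes --no-install-recommends ca-certificates curl

# Assumption: umbrella-root-ca.crt is a placeholder name for the root CA,
# exported in PEM format and obtained from the network administrator
# rather than saved from the intercepted connection itself.
# update-ca-certificates only picks up files under this directory
# whose names end in .crt.
COPY umbrella-root-ca.crt /usr/local/share/ca-certificates/umbrella-root-ca.crt

# Fail the build early if the file is DER-encoded or empty: a non-PEM file
# is skipped by update-ca-certificates and the later curl call would still
# fail with error 60.
RUN grep --quiet "BEGIN CERTIFICATE" /usr/local/share/ca-certificates/umbrella-root-ca.crt \
    # Rebuild /etc/ssl/certs/ca-certificates.crt with the added CA
    && update-ca-certificates \
    # Verification stays enabled (no -k); this fails the build if the chain
    # presented for download.docker.com is still not trusted
    && curl --fail --silent --show-error --head https://download.docker.com/ > /dev/null
```

The layer that installs the CA has to come before the `RUN` that fetches `https://download.docker.com/linux/ubuntu/gpg`, since each `RUN` sees only the trust store built by earlier layers.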