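# A template to use Docker (rootful) instead of containerd & nerdctl
# $ limactl start ./docker-rootful.yaml
# $ limactl shell docker-rootful docker run -it -v $HOME:$HOME --rm alpine

# To run `docker` on the host (assumes docker-cli is installed):
# $ export DOCKER_HOST=$(limactl list docker-rootful --format 'unix://{{.Dir}}/sock/docker.sock')
# $ docker ...

# This template requires Lima v0.23.0 or later
images:
# Try to use release-yyyyMMdd image if available. Note that release-yyyyMMdd will be removed after several months.
# The pinned entries carry a sha256 digest, so the downloaded image can be verified against it.
- location: "https://cloud-images.ubuntu.com/releases/24.04/release-20240423/ubuntu-24.04-server-cloudimg-amd64.img"
  arch: "x86_64"
  digest: "sha256:32a9d30d18803da72f5936cf2b7b9efcb4d0bb63c67933f17e3bdfd1751de3f3"
- location: "https://cloud-images.ubuntu.com/releases/24.04/release-20240423/ubuntu-24.04-server-cloudimg-arm64.img"
  arch: "aarch64"
  digest: "sha256:c841bac00925d3e6892d979798103a867931f255f28fefd9d5e07e3e22d0ef22"
# Fallback to the latest release image.
# Hint: run `limactl prune` to invalidate the cache
# NOTE: the fallback entries have no digest, so their integrity rests on the TLS connection alone.
- location: "https://cloud-images.ubuntu.com/releases/24.04/release/ubuntu-24.04-server-cloudimg-amd64.img"
  arch: "x86_64"
- location: "https://cloud-images.ubuntu.com/releases/24.04/release/ubuntu-24.04-server-cloudimg-arm64.img"
  arch: "aarch64"

mounts:
- location: "~"
- location: "/tmp/lima"
  writable: true

# containerd is managed by Docker, not by Lima, so the values are set to false here.
containerd:
  system: false
  user: false

provision:
- mode: system
  # This script defines the host.docker.internal hostname when hostResolver is disabled.
  # It is also needed for lima 0.8.2 and earlier, which does not support hostResolver.hosts.
  # Names defined in /etc/hosts inside the VM are not resolved inside containers when
  # using the hostResolver; use hostResolver.hosts instead (requires lima 0.8.3 or later).
  script: |
    #!/bin/sh
    sed -i 's/host.lima.internal.*/host.lima.internal host.docker.internal/' /etc/hosts
- mode: system
  # Installs the Docker engine (skipped when `docker` is already on PATH) and hands
  # ownership of the daemon socket to the Lima user via a systemd socket override.
  script: |
    #!/bin/bash
    set -eux -o pipefail
    command -v docker >/dev/null 2>&1 && exit 0
    readonly override_conf=/etc/systemd/system/docker.socket.d/override.conf
    if [ ! -e "$override_conf" ]; then
      mkdir -p "$(dirname "$override_conf")"
      # Alternatively we could just add the user to the "docker" group, but that requires restarting the user session
      # Either way the user gains write access to the Docker socket, which is root-equivalent inside the guest.
      cat <<EOF >"$override_conf"
    [Socket]
    SocketUser={{.User}}
    EOF
    fi
    export DEBIAN_FRONTEND=noninteractive
    # Fetches and runs the upstream convenience installer as root on every fresh instance.
    # It is not pinned to a release or checksum, so the installed version follows upstream.
    curl -fsSL https://get.docker.com | sh
- mode: user # configure docker under non-root user
  # Selects rootful or rootless mode from the Rootful param, disables the other flavour,
  # and reconciles /etc/docker/daemon.json (or its rootless equivalent) via jq.
  script: |
    #!/bin/bash
    set -eux -o pipefail
    command -v jq &>/dev/null || sudo apt-get install -y jq
    readonly rootless_installed=$(systemctl --user list-unit-files docker.service &>/dev/null && echo true || echo false)
    if [ "{{.Param.Rootful}}" = "true" ]; then
      readonly config_dir="/etc/docker"
      readonly systemctl="sudo systemctl"
      readonly tee="sudo tee"
      [ "$rootless_installed" != "true" ] || systemctl --user disable --now docker
      docker context use default
    else
      readonly config_dir="$HOME/.config/docker"
      readonly systemctl="systemctl --user"
      readonly tee="tee"
      sudo systemctl disable --now docker
      if [ "$rootless_installed" != "true" ]; then
        sudo apt-get install -y dbus-user-session fuse3 uidmap
        $systemctl start dbus
        # A leftover rootful socket would otherwise shadow the rootless one for `docker context use rootless`.
        [ ! -S /var/run/docker.sock ] || sudo rm /var/run/docker.sock
        dockerd-rootless-setuptool.sh install
      fi
      docker context use rootless
    fi
    $systemctl enable --now docker
    readonly config="$config_dir/daemon.json"
    needs_restart=
    # set_docker_daemon_json JQ_PATH VALUE
    #   Sets JQ_PATH in daemon.json to VALUE (a jq literal) and flags a restart if it changed.
    #   An empty VALUE becomes `empty` in the jq assignment; presumably intended to unset the
    #   key — confirm the resulting file still holds any other settings it had.
    function set_docker_daemon_json() {
      # An absent or zero-length daemon.json is treated as an empty object.
      function cat_config() { test -s "$config" && cat "$config" || echo "{}" ; }
      local -r current=$(cat_config | jq -r "$1 // empty")
      [ "$current" = "$2" ] && return 0
      # The subshell is presumably there so tee does not truncate "$config" before cat_config has read it — confirm.
      mkdir -p "$config_dir" && cat_config | jq "$1 = ${2:-empty}" | (sleep 0 && $tee "$config") && needs_restart=1
    }
    # enable containerd image store
    set_docker_daemon_json '.features."containerd-snapshotter"' "$(
      [ "{{.Param.ContainerdImageStore}}" = "true" ] && echo 'true'
    )"
    # restart docker to apply the new configuration
    [ -z "$needs_restart" ] || $systemctl restart docker

probes:
# Waits (up to 30s each) for the docker CLI to appear and for the daemon process
# matching the selected mode to be running.
- script: |
    #!/bin/bash
    set -eux -o pipefail
    if ! timeout 30s bash -c "until command -v docker >/dev/null 2>&1; do sleep 3; done"; then
      echo >&2 "docker is not installed yet"
      exit 1
    fi
    if [ "{{.Param.Rootful}}" = "true" ]; then
      target=dockerd
      target_description="dockerd"
    else
      target=rootlesskit
      target_description="rootlesskit (used by rootless docker)"
    fi
    if ! timeout 30s bash -c "until pgrep $target; do sleep 3; done"; then
      echo >&2 "$target_description is not running"
      exit 1
    fi
  hint: See "/var/log/cloud-init-output.log" in the guest

hostResolver:
  # hostResolver.hosts requires lima 0.8.3 or later. Names defined here will also
  # resolve inside containers, and not just inside the VM itself.
  hosts:
    host.docker.internal: host.lima.internal

portForwards:
# Exposes the guest's Docker socket on the host. Anything on the host that can open
# {{.Dir}}/sock/docker.sock controls the guest daemon (root in the guest when Rootful is true).
- guestSocket: "{{if eq .Param.Rootful \"true\"}}/var/run{{else}}/run/user/{{.UID}}{{end}}/docker.sock"
  hostSocket: "{{.Dir}}/sock/docker.sock"

message: |
  To run `docker` on the host (assumes docker-cli is installed), run the following commands:
  ------
  docker context create lima-{{.Name}} --docker "host=unix://{{.Dir}}/sock/docker.sock"
  docker context use lima-{{.Name}}
  docker run hello-world
  ------

# Template parameters; override at start time, e.g. `limactl start --set '.param.Rootful="false"'`
# is one way Lima accepts overrides — check the Lima docs for the exact syntax of your version.
param:
  ContainerdImageStore: false
  Rootful: true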