Set up RADAR Docker for unprivileged user

Joris Borgdorff edited this page Sep 6, 2018 · 1 revision

After a few preparatory steps on a (virtual) machine, the RADAR-Docker stack can be installed without root privileges. This page explains which preparatory steps a super user must perform, and how to proceed as a regular user. Please note that, because Docker can mount host volumes, this user will still get full (root) access to the disk. For more information, see Docker Daemon Attack Surface.

Preparation in super-user mode

Install Docker, Docker Compose, git, htop, java and vim

apt update
apt install \
    apt-transport-https \
    ca-certificates \
    curl \
    software-properties-common
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -

# Verify that the key matches the fingerprint `9DC8 5822 9FC7 DD38 854A E2D8 8D81 803C 0EBF CD88` with
apt-key fingerprint 0EBFCD88

# Then add the Docker repo and install Docker
add-apt-repository \
   "deb [arch=amd64] https://download.docker.com/linux/ubuntu \
   $(lsb_release -cs) \
   stable"
apt update
apt install docker-ce git htop vim openjdk-9-jre-headless
# -f makes curl fail on an HTTP error instead of saving the error page as the binary
curl -fL https://github.com/docker/compose/releases/download/1.22.0/docker-compose-$(uname -s)-$(uname -m) \
   -o /usr/local/bin/docker-compose
chmod +x /usr/local/bin/docker-compose

Create user radar with Docker permissions

adduser --gecos '' --disabled-password --shell /bin/bash radar
adduser radar docker

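Enable lingering for radar, so that its systemd user services (systemctl --user) start at boot and keep running without an active login session.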

loginctl enable-linger radar

Edit /etc/systemd/journald.conf and set

[Journal]
Storage=persistent
SystemMaxUse=3G

and apply the change with systemctl restart systemd-journald

Add the SSH public keys of the application administrators to /home/radar/.ssh/authorized_keys

SSH_KEY_FILE=id_rsa.pub
sudo -u radar mkdir -p /home/radar/.ssh
sudo -u radar tee -a /home/radar/.ssh/authorized_keys < "$SSH_KEY_FILE" > /dev/null

On all attached disks, create a radar directory owned by radar:docker. This will be used as the main data storage for the RADAR platform.

All ports may be firewalled, except ports 22, 80 and 443. Depending on how data should be made accessible to researchers, the output folder (path to be determined) could be exposed on either a network share or an FTP server. The actual output path can be set in .env in the RESTRUCTURE_OUTPUT_DIR variable. It defaults to output in the current stack.

Create a radar SMTP user on the network's SMTP server, and provide the details to the RADAR application administrators so they can use the email account for notifying researchers.
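
The super-user steps above can be checked before the machine is handed over to the radar user. The script below is an added example, not part of the RADAR-Docker project: it uses the user, group, paths and values from this page, and its function names and the file name audit.sh are hypothetical. It does not read drop-in files under /etc/systemd/journald.conf.d/, and the SSH check covers file modes only, not ownership.

```shell
#!/usr/bin/env bash
# Added example: audits the super-user preparation steps from this page.
# User, group, paths and values come from the page; function names are hypothetical.

# Print the effective value of KEY in the [Journal] section of FILE
# (empty when the key is unset or still commented out).
journal_value() {
  awk -F= -v key="$2" '
    /^[ \t]*([#;]|$)/ { next }   # comments and blank lines
    /^[ \t]*\[/ { in_j = ($0 ~ /^[ \t]*\[Journal\]/); next }
    in_j {
      k = $1; gsub(/[ \t]/, "", k)
      if (k == key) {
        v = substr($0, index($0, "=") + 1)
        gsub(/^[ \t]+|[ \t]+$/, "", v); val = v
      }
    }
    END { print val }' "$1"
}
journal_is() { [ "$(journal_value "$1" "$2")" = "$3" ]; }

# Succeed if PATH exists and is neither group- nor world-writable
# (ownership is not checked here).
ssh_path_ok() {
  [ -e "$1" ] && [ -z "$(find "$1" -prune \( -perm -020 -o -perm -002 \) -print)" ]
}

in_group()  { id -nG "$1" 2>/dev/null | tr ' ' '\n' | grep -qx "$2"; }
linger_on() { loginctl show-user "$1" --property=Linger 2>/dev/null | grep -qx 'Linger=yes'; }

# Run every check, print PASS/FAIL per check, return the number of failures.
audit_radar_host() {
  local conf=${1:-/etc/systemd/journald.conf} home=${2:-/home/radar} fails=0
  check() {
    local desc=$1; shift
    if "$@"; then echo "PASS $desc"; else echo "FAIL $desc"; fails=$((fails + 1)); fi
  }
  check "radar is in group docker"     in_group radar docker
  check "linger enabled for radar"     linger_on radar
  check "journald Storage=persistent"  journal_is "$conf" Storage persistent
  check "journald SystemMaxUse=3G"     journal_is "$conf" SystemMaxUse 3G
  check ".ssh mode"                    ssh_path_ok "$home/.ssh"
  check "authorized_keys mode"         ssh_path_ok "$home/.ssh/authorized_keys"
  return "$fails"
}

# Run with:  bash audit.sh --run
if [ "${1:-}" = "--run" ]; then audit_radar_host; fi
```

A journald.conf in which the Storage line still carries its leading # is reported as a failure, because only uncommented assignments inside [Journal] count.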

Installation by radar user

A RADAR admin with access to the radar user can now log in.

Add the following to ~/.bashrc.

export XDG_RUNTIME_DIR=${XDG_RUNTIME_DIR:-/run/user/$UID}
    
if [ -d "$HOME/bin" ]; then
  export PATH="$HOME/bin:$PATH"
fi
if [ -d "$HOME/radar-docker/dcompose-stack/radar-cp-hadoop-stack/bin" ]; then
  export PATH="$HOME/radar-docker/dcompose-stack/radar-cp-hadoop-stack/bin:$PATH"
fi

To install the stack, run

git clone -b dev https://github.com/RADAR-base/RADAR-Docker.git radar-docker
cd radar-docker/dcompose-stack/radar-cp-hadoop-stack
# fix configuration files until the following command succeeds
bin/radar-docker install
bin/radar-docker install-systemd