Running Rootless Docker Containers

Have you ever found yourself in a situation where you want to use Docker but don’t have root access? Or perhaps you wish to provide Docker access to your team or clients but aren’t comfortable giving them root privileges.

There’s a solution to this problem called rootless Docker. Read on to learn what it’s all about and how to set it up.

What Is Rootless Docker

To install Docker, you usually need to have root access to the host system. This may create a security risk because both the Docker container and the daemon service will operate as root.

In a rootless Docker installation, however, only the Docker daemon needs to run as root. Meanwhile, Docker containers can operate as regular Linux users.

But what difference does it make? When a service running in a container is compromised, the attacker can also gain access to the host's system files, because containers are not truly isolated.

The open-source Podman project was the first solution to run containers without root access. In turn, Docker was put under pressure to add similar functionality and enable non-root users to manage Docker containers.

This rootless installation is now available directly from Docker, so you don’t need to utilize Podman.

How Rootless Docker Works

Many Docker features require you to provide root-level access. Rootless mode circumvents this limitation by utilizing something known as user namespaces.

User namespaces can map user IDs so that the root user inside the namespace corresponds to an unprivileged ID range in the parent namespace. User namespaces have existed in Linux for quite a while, and Docker has supported this remapping for almost as long.

The rootless mode operates similarly, except that it first creates a user namespace and then starts the daemon in the remapped namespace. The daemon and containers will use a different user namespace than the host.
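As an added example (not part of the original article), the following shell functions resolve an in-namespace uid to its host uid using the three-column format of /proc/<pid>/uid_map ("inside outside count"). The sample map is constructed to resemble what rootless Docker sets up: inner root maps to the unprivileged user (uid 1000 here, an assumed value) and inner uids 1 and up map to that user's subordinate range (assumed to start at 100000). The second function is the check a defender actually cares about: does any line of a map hand out host uid 0 inside the namespace?

```shell
#!/bin/sh
# Added example: resolve in-namespace uids via the /proc/<pid>/uid_map format.
# Each map line reads "inside outside count". The sample below is constructed:
# inner root -> host uid 1000 (the rootless user), inner 1..65536 -> the user's
# subordinate uid range starting at 100000 (both numbers are assumptions).
SAMPLE_UID_MAP='0 1000 1
1 100000 65536'

# host_uid_for INNER_UID MAP_TEXT
# Prints the host uid that INNER_UID maps to, or "unmapped" if no line covers it.
host_uid_for() {
    printf '%s\n' "$2" | awk -v inner="$1" '
        NF == 3 && inner >= $1 && inner < $1 + $3 {
            print $2 + (inner - $1)
            found = 1
            exit
        }
        END { if (!found) print "unmapped" }'
}

# maps_to_host_root MAP_TEXT
# Returns 0 (true) if any line maps an inner uid onto host uid 0, i.e. the
# namespace still contains real root and is therefore not rootless.
maps_to_host_root() {
    printf '%s\n' "$1" | awk '
        NF == 3 && $2 <= 0 && 0 < $2 + $3 { found = 1 }
        END { exit !found }'
}

# Show how the current shell's own namespace is mapped (on a plain host shell
# this is the identity map "0 0 4294967295", so inner 0 -> host 0).
if [ -r /proc/self/uid_map ]; then
    printf 'this shell: inner uid 0 -> host uid %s\n' \
        "$(host_uid_for 0 "$(cat /proc/self/uid_map)")"
fi
```

Run the same lookup against /proc/<pid>/uid_map of a rootless dockerd and inner uid 0 should resolve to your own uid, never to 0.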

Rootless Docker Prerequisites

There’s just one prerequisite that you need to satisfy before installing a rootless Docker. It’s called uidmap, and you can use it to remap Linux users.

Next up, we will show you how to install it.

Configuring the System Prior to Installation

Install the only dependency that is required with the following command (root access is required for this step).

apt-get install uidmap -y

How to Install Rootless Docker

Now that the system is ready, we can proceed with the installation of the rootless Docker. It’s easy. Just follow the five steps we outlined below.

1. Download and run the rootless Docker installation script.

curl -sSL https://get.docker.com/rootless | sh

2. Open the .bashrc file with your favorite text editor.

vi ~/.bashrc

3. Add the following two environment variables.

export PATH=/home/$user/bin:$PATH
export DOCKER_HOST=unix:///run/user/$id/docker.sock

4. Replace $user with the Linux username and $id with that user's numeric user ID.

Note: If you don't know the ID, you can retrieve it using the following command.

id

5. Start the rootless Docker daemon as your own user.

systemctl --user start docker

Note: here --user is a systemctl flag that targets your per-user service manager, not a placeholder to replace; run the command as the Linux user who installed rootless Docker.
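The prerequisite and the five steps above can be checked and templated in one script. This is an added example, not the article's or Docker's own code: it verifies that the uidmap tools (newuidmap and newgidmap) are installed, that /etc/subuid and /etc/subgid give the user at least 65,536 subordinate IDs (the range rootless Docker requires), and then prints the two export lines with $user and $id already substituted from the current account. The sample subuid text is constructed; the user names and ranges in it are assumptions.

```shell
#!/bin/sh
# Added example: preflight checks for a rootless Docker install plus the two
# environment lines from the article, templated for the current account.

# Minimum number of subordinate ids rootless Docker needs in /etc/subuid and
# /etc/subgid for the user.
MIN_SUBIDS=65536

# Constructed sample in /etc/subuid format (name:start:count); alice has a
# full range, bob only 1000 ids. These entries are assumptions for the demo.
SAMPLE_SUBUID='alice:100000:65536
bob:165536:1000'

# subid_text_ok NAME TEXT
# Returns 0 if the subid entries in TEXT give NAME at least MIN_SUBIDS ids
# (entries may also be keyed by numeric uid; pass that as NAME if needed).
subid_text_ok() {
    printf '%s\n' "$2" | awk -F: -v u="$1" -v min="$MIN_SUBIDS" '
        $1 == u { total += $3 }
        END { exit !(total >= min) }'
}

# subid_file_ok NAME FILE -- same check against a real /etc/subuid or /etc/subgid.
subid_file_ok() {
    [ -r "$2" ] && subid_text_ok "$1" "$(cat "$2")"
}

# uidmap_tools_present -- returns 0 if both setuid helpers from uidmap exist.
uidmap_tools_present() {
    command -v newuidmap >/dev/null 2>&1 && command -v newgidmap >/dev/null 2>&1
}

# rootless_env_lines USER UID
# Prints the two lines from step 3 with $user and $id already filled in.
# The article uses /home/$user/bin; $HOME/bin is equivalent on standard layouts.
rootless_env_lines() {
    printf 'export PATH=/home/%s/bin:$PATH\n' "$1"
    printf 'export DOCKER_HOST=unix:///run/user/%s/docker.sock\n' "$2"
}

# preflight_report USER UID -- prints a readable summary; exit status 0 only
# when every check passes.
preflight_report() {
    ok=0
    if uidmap_tools_present; then
        echo "ok   newuidmap/newgidmap found"
    else
        echo "FAIL uidmap package missing"; ok=1
    fi
    for f in /etc/subuid /etc/subgid; do
        if subid_file_ok "$1" "$f"; then
            echo "ok   $f has >= $MIN_SUBIDS ids for $1"
        else
            echo "FAIL $f lacks a $MIN_SUBIDS-id range for $1"; ok=1
        fi
    done
    echo "lines to add to ~/.bashrc:"
    rootless_env_lines "$1" "$2"
    return $ok
}

# Report for the current account (a non-zero status is informational here).
preflight_report "$(id -un)" "$(id -u)" || echo "preflight: fix the FAIL lines before installing"
```

Run the script before step 1; if the subid check fails, a root administrator must add the range, since that is the one part of the setup a regular user cannot do alone.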

How to Configure Rootless Docker

Here are some good practices to consider when using rootless Docker.

1. Rootless Docker in Regular Docker

In order to use rootless Docker inside regular Docker, use docker:<version>-dind-rootless (not docker:<version>-dind).

docker run -d --name dind-rootless --privileged docker:20.10-dind-rootless

2. Ping Packet Routing

To make ping work, open /etc/sysctl.conf and add the line below.

net.ipv4.ping_group_range = 0 2147483647

Then reload the sysctl settings so the change takes effect.

sudo sysctl --system

3. Expose Privileged Ports

In order to expose privileged ports, set CAP_NET_BIND_SERVICE on the rootlesskit binary, followed by a restart. See the two commands below.

sudo setcap cap_net_bind_service=ep $(which rootlesskit)
systemctl --user restart docker
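The three adjustments above are easy to apply and easy to lose again (after a package upgrade or a fresh install, for instance), so a small check script helps. This is an added example, not part of the article or of Docker's own tooling. It parses the output of sysctl net.ipv4.ping_group_range to see whether a given group may send ICMP echo, tells you whether a port is below the host's privileged-port floor, and parses a getcap line to confirm the cap_net_bind_service file capability is both effective and permitted. The sample sysctl and getcap lines are constructed; the /home/alice path is an assumption.

```shell
#!/bin/sh
# Added example: verify the rootless Docker tweaks from this section.

# Constructed sample lines, as printed by `sysctl net.ipv4.ping_group_range`
# (the real output separates the two gids with a tab; awk treats tabs and
# spaces alike) and by `getcap` in its new and old spellings. Values are assumptions.
PING_RANGE_DEFAULT='net.ipv4.ping_group_range = 1 0'
PING_RANGE_OPEN='net.ipv4.ping_group_range = 0 2147483647'
GETCAP_WITH_CAP='/home/alice/bin/rootlesskit cap_net_bind_service=ep'
GETCAP_OLD_STYLE='/home/alice/bin/rootlesskit = cap_net_bind_service+ep'
GETCAP_WITHOUT_CAP='/home/alice/bin/rootlesskit'

# ping_range_allows GID SYSCTL_LINE
# Returns 0 if GID falls inside the "low high" range in SYSCTL_LINE. The
# kernel default "1 0" is an empty range, which is why ping fails by default.
ping_range_allows() {
    printf '%s\n' "$2" | awk -v gid="$1" '
        { low = $(NF - 1); high = $NF }
        END { exit !(low <= gid && gid <= high) }'
}

# port_needs_cap PORT [FLOOR]
# Returns 0 if PORT is below the unprivileged-port floor (1024 unless the host
# lowered net.ipv4.ip_unprivileged_port_start), i.e. binding it needs the cap.
port_needs_cap() {
    floor=${2:-1024}
    [ "$1" -lt "$floor" ]
}

# has_bind_cap GETCAP_LINE
# Returns 0 if the line shows cap_net_bind_service with both the effective (e)
# and permitted (p) flags, in either the "=ep" or the older "+ep" spelling.
has_bind_cap() {
    flags=$(printf '%s\n' "$1" |
        sed -n 's/.*cap_net_bind_service[^=+]*[=+]\([a-z]*\).*/\1/p')
    case $flags in
        *e*p* | *p*e*) return 0 ;;
    esac
    return 1
}

# Live checks on this host, skipped where the tools are absent.
if command -v sysctl >/dev/null 2>&1; then
    line=$(sysctl net.ipv4.ping_group_range 2>/dev/null) &&
        if ping_range_allows "$(id -g)" "$line"; then
            echo "ping: allowed for gid $(id -g)"
        else
            echo "ping: blocked for gid $(id -g) ($line)"
        fi
fi
if command -v getcap >/dev/null 2>&1 && command -v rootlesskit >/dev/null 2>&1; then
    if has_bind_cap "$(getcap "$(command -v rootlesskit)")"; then
        echo "rootlesskit: cap_net_bind_service is set"
    else
        echo "rootlesskit: cap_net_bind_service missing; run setcap as shown above"
    fi
fi
```

The capability check is worth repeating after every rootless Docker upgrade: the installer replaces the rootlesskit binary, and file capabilities do not survive that.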

Use Cases for Rootless Docker Containers

Now that you’ve installed and configured rootless Docker, you might wonder what its use cases are. That’s exactly what we will explore below.

Shared Development Environments

Software development teams often share the same server environments, and their understanding of Linux and DevOps practices can vary. Thanks to rootless Docker, each employee can install a separate Docker under their own Linux user without impacting other employees using the same server.

Providing a Service

Perhaps you’re offering a service that requires your clients to use Docker. Instead of running a separate server instance for each user, why not cut costs by hosting multiple users on the same server with rootless Docker?

Limited Hosting

Another good use case for rootless Docker is when your hosting company or hosting plan doesn’t come with root access. Just ask the support team to install the uidmap package, and you will be able to set up rootless Docker by yourself.

Limitations of Rootless Docker

While rootless Docker is a great solution with many use cases, there are some limits you should be aware of.

Limited Support of Storage Drivers

Rootless Docker only supports the following storage drivers: overlay2, fuse-overlayfs, btrfs, vfs.

Limited Features

The following Docker features are not supported: AppArmor, Checkpoint, overlay network, exposing SCTP ports.

Cgroup Limits

Cgroup resource limits are only supported when you run rootless Docker with systemd and cgroup v2.

Testing Rootless Docker

After everything is set up, it’s time to test the rootless Docker. To do this, just follow the four steps outlined below.

1. Check if Docker was properly installed.

docker run hello-world

2. If you get the following message, all is well.

“Hello from Docker! This message shows that your installation appears to be working correctly.”

3. Test if Docker works in rootless mode by attempting to run a container.

docker run -it ubuntu bash

4. Verify that the container process is running, and that it runs under your user rather than root.

ps aux
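Step 4 is where the security property of rootless mode should actually be checked: every daemon and container process should belong to your user, not to root. The script below is an added example (not from the article). It filters ps aux output for dockerd, containerd, containerd-shim and rootlesskit processes owned by root and, where a docker client is available, also asks docker info whether the daemon reports the rootless security option. The two ps listings are constructed samples; user names, pids and paths in them are assumptions.

```shell
#!/bin/sh
# Added example: confirm that the Docker daemon and container processes
# really run as an unprivileged user. Sample ps listings are constructed.

# A healthy rootless setup: rootlesskit, dockerd, containerd and the container
# shim are all owned by "alice"; only unrelated services belong to root.
PS_ROOTLESS='USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 900 0.0 0.0 12000 6000 ? Ss 09:55 0:00 /usr/sbin/sshd -D
alice 1201 0.0 0.5 1200000 40000 ? Ssl 10:00 0:01 rootlesskit --net=slirp4netns /home/alice/bin/dockerd-rootless.sh
alice 1215 0.1 1.0 1500000 80000 ? Sl 10:00 0:05 dockerd
alice 1230 0.0 0.4 900000 30000 ? Sl 10:00 0:02 containerd --config /run/user/1000/docker/containerd/containerd.toml
alice 1300 0.0 0.2 700000 9000 ? Sl 10:01 0:00 /usr/bin/containerd-shim-runc-v2 -namespace moby -id deadbeefcafe
alice 1320 0.0 0.0 4600 3800 pts/0 Ss+ 10:01 0:00 bash'

# The same listing when a system-wide (root) daemon was started instead.
PS_ROOTFUL='USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 900 0.0 0.0 12000 6000 ? Ss 09:55 0:00 /usr/sbin/sshd -D
root 1215 0.1 1.0 1500000 80000 ? Ssl 10:00 0:05 /usr/bin/dockerd -H fd://
root 1230 0.0 0.4 900000 30000 ? Ssl 10:00 0:02 /usr/bin/containerd'

# root_owned_docker_procs PS_TEXT
# Prints every root-owned dockerd/containerd/shim/rootlesskit line in PS_TEXT
# and returns 0 only when there is none (the stack is not running as root).
root_owned_docker_procs() {
    printf '%s\n' "$1" | awk '
        NR > 1 && $1 == "root" && $0 ~ /dockerd|containerd|rootlesskit/ {
            print
            found = 1
        }
        END { exit found ? 1 : 0 }'
}

# docker_reports_rootless
# Returns 0 when `docker info` lists "rootless" among the security options,
# 1 when it does not, 2 when no client or no reachable daemon is available.
# Needs DOCKER_HOST from the install steps to reach the per-user socket.
docker_reports_rootless() {
    command -v docker >/dev/null 2>&1 || return 2
    out=$(docker info --format '{{.SecurityOptions}}' 2>/dev/null) || return 2
    printf '%s\n' "$out" | grep -q rootless
}

# Live check on this host (the verdict line is what matters).
if command -v ps >/dev/null 2>&1; then
    if root_owned_docker_procs "$(ps aux)"; then
        echo "ps: no root-owned Docker processes found"
    else
        echo "ps: WARNING root-owned Docker processes listed above"
    fi
fi
case $(docker_reports_rootless; echo $?) in
    0) echo "docker info: daemon reports rootless" ;;
    1) echo "docker info: daemon does NOT report rootless" ;;
    *) echo "docker info: no client or daemon reachable, skipped" ;;
esac
```

A root-owned dockerd next to your rootless one usually means the client is talking to /var/run/docker.sock instead of the per-user socket, so check DOCKER_HOST before anything else.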

Now you know what rootless Docker is and how it works. If you’ve found a relevant use case for it after reading our article, you can use our step-by-step guide to install it. Finally, don’t forget to test it out to ensure it works.


Published version: confidential / ghostwriting NDA