Why Rootless Docker?
Rootless Docker is a way of running Docker containers without requiring root access. This means that you can use Docker without needing administrator privileges on your system, which can be a significant security and compliance benefit. Here are some reasons why you might consider using rootless Docker:
- Improved Security: Because the Docker daemon and its containers run as a regular user instead of as root, you reduce the risk that a vulnerability compromises your system. With rootless Docker, a compromised container does not gain root on the host, which limits how much damage it can do to the underlying system.
- Compliance: In many organizations, running Docker as root is a violation of security and compliance policies. Using rootless Docker enables you to comply with these policies without sacrificing the benefits of containerization.
- Simplicity: Rootless Docker simplifies the process of managing containers by eliminating the need for complex setup and configuration. It also makes it easier to integrate Docker into your existing workflow, as it can be run without needing administrator privileges.
- Portability: Rootless Docker allows you to run containers on any system without needing root access. This makes it easier to move containers between different environments, such as development, staging, and production.
Overall, using rootless Docker can improve the security, compliance, simplicity, and portability of your containerized applications, while reducing the need for privileged access to your systems.
Update Your Ubuntu System
Before installing any new software, it is always recommended to update your system, so run:
sudo apt-get update && sudo apt-get upgrade
This updates your system's package list and installs any available upgrades.
Rootless Docker has some dependencies that need to be installed first. Run the following command to install them:
sudo apt-get install -y uidmap slirp4netns
Install Docker rootless
The next step is to install Docker rootless itself.
- This MUST be run as the non-root user you wish to run Docker as. SSH to that user or log in as that user for this. Don't su to that user.
You will see output like this:
[INFO] Creating /home/testuser/.config/systemd/user/docker.service ...
[INFO] Installed docker.service successfully.
[INFO] To control docker.service, run: `systemctl --user (start|stop|restart) docker.service`
[INFO] To run docker.service on system startup, run: `sudo loginctl enable-linger testuser`
[INFO] Make sure the following environment variables are set (or add them to ~/.bashrc):
export PATH=/usr/bin:$PATH
export DOCKER_HOST=unix:///run/user/1000/docker.sock
Take the export lines at the end (there may be a text line between them; ignore it) and add them to the bottom of your ~/.bashrc or ~/.zshrc, depending on whether you use bash or zsh.
If you get an error when installing via the above line, run this:
sudo apt-get install -y docker-ce-rootless-extras
Then source your bash or zsh rc file to apply the changes.
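The install step as one script, added here as an example and not part of the original guide: it runs `dockerd-rootless-setuptool.sh install`, the setup tool shipped by docker-ce-rootless-extras whose [INFO] output is shown above, refuses to run as root, and appends the two export lines to the rc file without duplicating them on a second run. The function names, the rc-file choice by $SHELL and the "# rootless docker" marker are this example's own conventions.

```shell
#!/bin/sh
# Added example (not from the original guide): run the rootless setup tool as the
# target non-root user, then persist the two export lines it prints.
# Assumption: docker-ce-rootless-extras is installed and provides
# dockerd-rootless-setuptool.sh; the rc-file choice by $SHELL and the
# "# rootless docker" marker are this example's own conventions.
set -eu

# ~/.zshrc for zsh users, ~/.bashrc for everyone else, as the guide describes.
rc_file_for_shell() {
  case "$1" in
    */zsh) printf '%s\n' "${HOME:-.}/.zshrc" ;;
    *)     printf '%s\n' "${HOME:-.}/.bashrc" ;;
  esac
}

# The per-user socket path the setup tool prints is derived from the numeric uid.
docker_host_for_uid() {
  printf 'unix:///run/user/%s/docker.sock\n' "$1"
}

# Append the export lines exactly once: returns 0 when added, 1 when already there.
append_docker_env() {
  f="$1"; uid="$2"
  sock="$(docker_host_for_uid "$uid")"
  if grep -qF "DOCKER_HOST=$sock" "$f" 2>/dev/null; then
    return 1
  fi
  {
    printf '\n# rootless docker\n'
    printf 'export PATH=/usr/bin:$PATH\n'
    printf 'export DOCKER_HOST=%s\n' "$sock"
  } >> "$f"
}

main() {
  if [ "$(id -u)" -eq 0 ]; then
    echo "run this as the unprivileged user that will own the daemon, not as root" >&2
    return 1
  fi
  # This is the command whose [INFO] output the guide shows above.
  dockerd-rootless-setuptool.sh install
  rc="$(rc_file_for_shell "${SHELL:-/bin/bash}")"
  if append_docker_env "$rc" "$(id -u)"; then
    echo "added DOCKER_HOST and PATH exports to $rc"
  else
    echo "exports already present in $rc"
  fi
  echo "now run: . $rc"
}

# Only attempt the install when the setup tool is actually on this machine.
if command -v dockerd-rootless-setuptool.sh >/dev/null 2>&1; then
  main
else
  echo "dockerd-rootless-setuptool.sh not found; install docker-ce-rootless-extras first" >&2
fi
```

Running it twice is safe: the second run reports that the exports are already present instead of appending a duplicate DOCKER_HOST line, which is the usual cause of a stale socket path after a uid change.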
Test if Docker is installed properly
Check that Docker is installed and running:
systemctl --user status docker
This should give you output such as this:
$ systemctl --user status docker
● docker.service - Docker Application Container Engine (Rootless)
     Loaded: loaded (/home/user/.config/systemd/user/docker.service; enabled; vendor preset: enabled)
     Active: active (running) since Fri 2023-02-10 08:04:45 EST; 1 weeks 0 days ago
       Docs: https://docs.docker.com/go/rootless/
   Main PID: 1886108 (rootlesskit)
     CGroup: /email@example.com/docker.service
             ├─1886108 rootlesskit --net=slirp4netns --mtu=65520 --slirp4netns-sandbox=auto --slirp4netns-seccomp=auto --disable-host-loopback --port-driver=builtin --copy-up=/etc --copy-up=/run --propagation=rslave /usr/bin/dockerd-rootless.sh
             ├─1886118 /proc/self/exe --net=slirp4netns --mtu=65520 --slirp4netns-sandbox=auto --slirp4netns-seccomp=auto --disable-host-loopback --port-driver=builtin --copy-up=/etc --copy-up=/run --propagation=rslave /usr/bin/dockerd-rootless.sh
             ├─1886133 slirp4netns --mtu 65520 -r 3 --disable-host-loopback --enable-sandbox --enable-seccomp 1886118 tap0
             ├─1886140 dockerd
             ├─1886161 containerd --config /run/user/1001/docker/containerd/containerd.toml --log-level info

Feb 10 10:19:23 example.com dockerd-rootless.sh: time="2023-02-10T10:19:23.429091649-05:00" level=info msg="loading plugin \"io.containerd.event.v1.publisher\"..." runtime=io.containerd.runc.v2 type=io.containerd.event.v1
Your output may differ a little, but this is generally what a healthy service looks like.
To verify that Docker is working correctly, run a test container to make sure you can pull images and run them. This command runs a sample container called hello-world and removes it on exit; exit it via ctrl + c.
docker run --rm hello-world
If everything is working correctly, you should see the message “Hello from Docker!” in your terminal.
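A hello-world run only proves that some daemon answered. The check below is an added example, not part of the original guide, that confirms it was the rootless daemon: DOCKER_HOST must point at your per-user socket rather than the root daemon's /var/run/docker.sock, `docker info` must list rootless among its security options, and a dockerd process must be owned by your own account. The function names are this example's own; `docker info --format '{{.SecurityOptions}}'` is the standard CLI template field.

```shell
#!/bin/sh
# Added example (not from the original guide): confirm that the Docker you are
# talking to is the rootless daemon, not a root-owned one on the same host.
# Assumptions: the docker CLI is on PATH and DOCKER_HOST was set as in the
# install step; function names are this example's own.
set -eu

# True when the SecurityOptions list printed by `docker info` contains the rootless marker,
# e.g. "[name=seccomp,profile=builtin name=rootless name=cgroupns]".
is_rootless_security_options() {
  printf '%s\n' "$1" | grep -q 'name=rootless'
}

# True when DOCKER_HOST is the per-user socket for this uid (so not /var/run/docker.sock).
docker_host_is_user_socket() {
  [ "$1" = "unix:///run/user/$2/docker.sock" ]
}

main() {
  uid="$(id -u)"
  host="${DOCKER_HOST:-}"
  if docker_host_is_user_socket "$host" "$uid"; then
    echo "ok: DOCKER_HOST=$host"
  else
    echo "warning: DOCKER_HOST is '$host', expected unix:///run/user/$uid/docker.sock" >&2
  fi

  opts="$(docker info --format '{{.SecurityOptions}}')"
  if is_rootless_security_options "$opts"; then
    echo "ok: daemon reports rootless mode: $opts"
  else
    echo "warning: daemon is NOT rootless: $opts" >&2
    return 1
  fi

  # The dockerd process itself must belong to you, not to root.
  if pgrep -u "$uid" -x dockerd >/dev/null 2>&1; then
    echo "ok: a dockerd process is owned by $(id -un)"
  else
    echo "warning: no dockerd process owned by $(id -un)" >&2
    return 1
  fi

  # Same smoke test as the guide, now known to hit the rootless daemon.
  docker run --rm hello-world
}

if command -v docker >/dev/null 2>&1; then
  main || echo "live checks reported a problem" >&2
else
  echo "docker CLI not found; skipping live checks" >&2
fi
```

If the DOCKER_HOST check warns but the security options still say rootless, the variable is simply missing from the shell you are in; if DOCKER_HOST looks right but the daemon is not rootless, something else (a sudo alias, a root daemon's socket with open permissions) is in the way and should be fixed before relying on the isolation the first section describes.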
Ports below 1024?
Because the daemon is rootless, your containers cannot bind host ports below 1024 unless you specifically allow it. Run these commands to allow it:
sudo setcap cap_net_bind_service=ep $(which rootlesskit)
systemctl --user restart docker
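An added helper, not from the original guide, that tells you whether a given -p mapping needs this step at all, reads the kernel's current unprivileged port threshold, and reports whether rootlesskit already carries the capability. It also prints the second route the Docker rootless documentation lists, the net.ipv4.ip_unprivileged_port_start sysctl. Two caveats worth knowing before choosing: setcap on the rootlesskit binary grants CAP_NET_BIND_SERVICE to every user on the host who runs it, and the sysctl lowers the threshold for every process on the host; in both cases the daemon must be restarted because file capabilities are applied when the binary is executed. Function names are this example's own; getcap, setcap and the sysctl are standard Linux tools.

```shell
#!/bin/sh
# Added example (not from the original guide): decide whether a docker -p mapping
# needs CAP_NET_BIND_SERVICE under rootless Docker and show the two documented fixes.
# Assumptions: Linux with sysctl/getcap available; function names are this example's own.
set -eu

# Host side of a -p mapping: "80:8080" -> 80, "127.0.0.1:443:8443" -> 443, "8080" -> 8080.
# (IPv4 or host-less forms only; bracketed IPv6 addresses are not parsed here.)
host_port_of() {
  case "$1" in
    *:*:*) printf '%s\n' "$1" | cut -d: -f2 ;;
    *:*)   printf '%s\n' "$1" | cut -d: -f1 ;;
    *)     printf '%s\n' "$1" ;;
  esac
}

# True when the host port is below the unprivileged start (1024 unless the sysctl lowered it).
port_needs_capability() {
  port="$(host_port_of "$1")"
  start="${2:-1024}"
  case "$port" in
    ''|*[!0-9]*) echo "bad host port in mapping '$1'" >&2; return 2 ;;
  esac
  [ "$port" -lt "$start" ]
}

# Current kernel threshold; falls back to 1024 when the sysctl cannot be read.
unprivileged_port_start() {
  sysctl -n net.ipv4.ip_unprivileged_port_start 2>/dev/null || echo 1024
}

# True when the rootlesskit binary already carries the capability the guide sets.
rootlesskit_has_bind_cap() {
  bin="$(command -v rootlesskit 2>/dev/null)" || return 1
  getcap "$bin" 2>/dev/null | grep -q cap_net_bind_service
}

main() {
  start="$(unprivileged_port_start)"
  echo "unprivileged ports start at $start on this host"
  for mapping in "$@"; do
    if port_needs_capability "$mapping" "$start"; then
      echo "$mapping: host port $(host_port_of "$mapping") is below $start"
      if rootlesskit_has_bind_cap; then
        echo "  rootlesskit already has cap_net_bind_service; just publish the port"
      else
        echo "  option 1 (per binary): sudo setcap cap_net_bind_service=ep \$(which rootlesskit) && systemctl --user restart docker"
        echo "  option 2 (host-wide):  sudo sysctl net.ipv4.ip_unprivileged_port_start=$(host_port_of "$mapping") && systemctl --user restart docker"
      fi
    else
      echo "$mapping: fine without extra privileges"
    fi
  done
}

# Constructed sample mappings when none are given on the command line.
if [ $# -eq 0 ]; then
  set -- 80:8080 127.0.0.1:443:8443 8080:8080
fi
main "$@"
```

Usage: `sh check-ports.sh 80:80 8443:443`. Prefer option 1 when only Docker needs low ports; option 2 is the broader change and is the one to flag in a review, since it changes the privileged-port boundary for everything on the machine.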
Make sure Docker runs on reboot!
My rootless Docker isn't starting after a reboot! Run this:
systemctl --user enable docker
sudo loginctl enable-linger $(whoami)
Et voilà! It's all done; you should be good to go. Let me know if this guide works for you 🙂