Rootless mode was introduced in Docker Engine v19.03 as an experimental feature and graduated from experimental in Docker Engine v20.10.
Rootless mode runs the Docker daemon and containers as a non-root user, so a vulnerability in the daemon or the container runtime yields at most the privileges of that user rather than root. It does not require root privileges even for installing the Docker daemon, as long as the prerequisites are met.
How it works
Rootless mode executes the Docker daemon and containers inside a user namespace. This is very similar to [userns-remap](https://docs.docker.com/engine/security/userns-remap/) mode, except that with userns-remap mode the daemon itself is running with root privileges, whereas in rootless mode both the daemon and the container are running without root privileges.
Rootless mode does not use binaries with SETUID bits or file capabilities, except newuidmap and newgidmap, which are needed to allow multiple UIDs/GIDs to be used in the user namespace. Those two helpers are the only setuid-root code on the path: they write the ranges granted to your user in /etc/subuid and /etc/subgid into the namespace's uid_map and gid_map, and everything else (rootlesskit, dockerd, containerd, runc) runs as your own UID.
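To make the user-namespace mapping concrete, here is an added example (not from the original post and not Docker tooling) that translates container UIDs to host UIDs, and back, using the format of /proc/<pid>/uid_map. The sample map is constructed for a host user with UID 1000 whose /etc/subuid grants 65536 IDs starting at 100000; the real values on your machine will differ.

```sh
#!/bin/sh
# Added example: map container UIDs to host UIDs the way the kernel does for a
# user namespace. /proc/<pid>/uid_map lines read "<ns_start> <host_start> <length>".

# Constructed sample (assumption, not read from any real system): the rootless
# daemon is run by host UID 1000 and /etc/subuid contains "user:100000:65536".
SAMPLE_UID_MAP='         0       1000          1
         1     100000      65536'

# host_uid <container_uid> <uid_map_text>
# Prints the host UID backing the container UID, or "unmapped" when no line of
# the map covers it (such IDs appear as the overflow UID 65534/nobody instead).
host_uid() {
    printf '%s\n' "$2" | awk -v cuid="$1" '
        NF == 3 && cuid >= $1 && cuid < $1 + $3 {
            print $2 + (cuid - $1); found = 1; exit
        }
        END { if (!found) print "unmapped" }'
}

# container_uid <host_uid> <uid_map_text>
# Reverse lookup: which container UID produced a host file owned by, say, 100999.
container_uid() {
    printf '%s\n' "$2" | awk -v huid="$1" '
        NF == 3 && huid >= $2 && huid < $2 + $3 {
            print $1 + (huid - $2); found = 1; exit
        }
        END { if (!found) print "unmapped" }'
}

# Print the mapping for a few UIDs of interest: root, the first subordinate ID,
# a typical application UID, the last mapped ID and the first unmapped one.
show_mapping() {
    map=${1:-$SAMPLE_UID_MAP}
    for cuid in 0 1 1000 65536 65537; do
        printf 'container uid %-6s -> host uid %s\n' "$cuid" "$(host_uid "$cuid" "$map")"
    done
}

# With no argument the constructed sample is used; "sh rootless-uidmap.sh live"
# reads the real map of the current process (run it inside a rootless container).
if [ "${1:-}" = live ]; then
    show_mapping "$(cat /proc/self/uid_map)"
else
    show_mapping
fi
```

The practical consequence for bind mounts: a file written by root inside a rootless container is owned by your own UID on the host, while a file written by container UID 1000 shows up owned by host UID 100999, which your unprivileged shell cannot read or delete without sudo.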
Prerequisites
- Google Cloud Platform VM
- Ubuntu 20.04 LTS
- Docker Engine 20.10 or later, installed here with the convenience script:

```sh
curl -sSL https://get.docker.com/ | sudo sh
```

Piping a downloaded script into a root shell is convenient but unaudited; if that matters in your environment, save it first and read it before running it. Installing the packages with root is the route taken here; Docker also ships a rootless-only install script at https://get.docker.com/rootless that needs no root at all.
If you installed Docker 20.10 or later with RPM/DEB packages, dockerd-rootless-setuptool.sh should be in /usr/bin. Run `dockerd-rootless-setuptool.sh install` as the non-root user that will own the daemon:

```
$ dockerd-rootless-setuptool.sh install
[INFO] Creating /home/docker_captain_india/.config/systemd/user/docker.service
[INFO] starting systemd service docker.service
+ systemctl --user start docker.service
+ sleep 3
+ systemctl --user --no-pager --full status docker.service
● docker.service - Docker Application Container Engine (Rootless)
     Loaded: loaded (/home/docker_captain_india/.config/systemd/user/docker.service; disabled; vendor preset: enabled)
     Active: active (running) since Sat 2021-04-17 07:17:32 UTC; 3s ago
       Docs: https://docs.docker.com/go/rootless/
   Main PID: 4360 (rootlesskit)
```

Note that the unit's main process is rootlesskit, the helper that creates the user and network namespaces in which dockerd then runs.
If dockerd-rootless-setuptool.sh is not present, install the docker-ce-rootless-extras package manually:

```
$ sudo apt-get install -y docker-ce-rootless-extras
Reading package lists... Done
Building dependency tree
Reading state information... Done
docker-ce-rootless-extras is already the newest version (5:20.10.6~3-0~ubuntu-focal).
The following package was automatically installed and is no longer required:
  libnuma1
Use 'sudo apt autoremove' to remove it.
0 upgraded, 0 newly installed, 0 to remove and 1 not upgraded.
```
The systemd unit file is installed as ~/.config/systemd/user/docker.service. Use systemctl --user to manage the lifecycle of the daemon:

```
$ systemctl --user start docker
$ systemctl --user enable docker
```

A user unit only runs while that user has a session, so on a server you also want `sudo loginctl enable-linger $(whoami)`; otherwise the daemon and every container stop when you log out.
If you now try to run an Nginx container, it still fails. The CLI defaults to /var/run/docker.sock, the socket of a root-owned daemon; a normal user cannot connect to it, and the rootless daemon does not listen there anyway:

```
docker_captain_india@minecraft:~$ docker run -d -p 8080:80 nginx
docker: Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Post http://%2Fvar%2Frun%2Fdocker.sock/v1.24/containers/create: dial unix /var/run/docker.sock: connect: permission denied.
See 'docker run --help'.
```
You need to specify either the socket path or the CLI context explicitly.

To specify the socket path using $DOCKER_HOST (add the line to ~/.bashrc to make it persistent):

```sh
export DOCKER_HOST=unix://$XDG_RUNTIME_DIR/docker.sock
```
Now you can run the Nginx container without sudo or the root user:

```
$ docker run -d -p 8080:80 nginx
Unable to find image 'nginx:latest' locally
latest: Pulling from library/nginx
f7ec5a41d630: Pull complete
aa1efa14b3bf: Pull complete
b78b95af9b17: Pull complete
c7d6bca2b8dc: Pull complete
cf16cd8e71e0: Pull complete
0241c68333ef: Pull complete
Digest: sha256:75a55d33ecc73c2a242450a9f1cc858499d468f077ea942867e662c247b5e412
Status: Downloaded newer image for nginx:latest
795702f7965de6141ade74add2ed3c7d3881ae79b15924d5e5a55154ad2a6732
```
Alternatively, select the CLI context that the setup tool created, using docker context:

```
$ docker context use rootless
rootless
Current context is now "rootless"
Warning: DOCKER_HOST environment variable overrides the active context.
To use "rootless", either set the global --context flag, or unset DOCKER_HOST environment variable.
```

Read the warning: because DOCKER_HOST is still exported from the previous step, it takes precedence and the context is ignored. Use one mechanism, not both; if you prefer the context, `unset DOCKER_HOST` first.
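The steps above, from checking the prerequisites to pointing the CLI at the rootless socket, gathered into one added pre-flight script. This is example code written for this page, not part of the original post or of Docker's tooling. It assumes Ubuntu-style /etc/subuid and /etc/subgid files in "name:start:count" form and the socket path $XDG_RUNTIME_DIR/docker.sock used above; the SAMPLE_SUBUID content is constructed only to illustrate the parser.

```sh
#!/bin/sh
# Added example: pre-flight and post-install checks for rootless Docker.
# Usage: "sh rootless-check.sh preflight" before running the setup tool,
#        "sh rootless-check.sh verify"    after it.

# Rootless mode needs at least this many subordinate UIDs and GIDs per the Docker docs.
MIN_SUBIDS=65536

# Constructed /etc/subuid content (not from a real host) used to exercise the parser.
SAMPLE_SUBUID='docker_captain_india:100000:65536
alice:165536:1024
'

# subid_count <user> <file>: total subordinate IDs granted to <user> in <file>.
# Entries may be keyed by user name or by numeric UID; pass whichever form the
# file uses. A missing or unreadable file counts as zero.
subid_count() {
    user=$1 file=$2 total=0
    [ -r "$file" ] || { echo 0; return 0; }
    while IFS=: read -r name start count || [ -n "$name" ]; do
        case "$name" in ''|'#'*) continue ;; esac
        if [ "$name" = "$user" ]; then
            total=$((total + count))
        fi
    done < "$file"
    echo "$total"
}

# has_enough_subids <user> <file>: succeed when the granted range is large enough.
has_enough_subids() {
    [ "$(subid_count "$1" "$2")" -ge "$MIN_SUBIDS" ]
}

# preflight: everything dockerd-rootless-setuptool.sh install will need.
preflight() {
    rc=0
    me=$(id -un)
    if [ "$(id -u)" -eq 0 ]; then
        echo "FAIL: run the setup tool as an unprivileged user, not root"; rc=1
    fi
    for bin in newuidmap newgidmap; do
        command -v "$bin" >/dev/null 2>&1 \
            || { echo "FAIL: $bin not found (apt-get install uidmap)"; rc=1; }
    done
    for f in /etc/subuid /etc/subgid; do
        has_enough_subids "$me" "$f" \
            || { echo "FAIL: $f grants fewer than $MIN_SUBIDS IDs to $me"; rc=1; }
    done
    command -v dockerd-rootless-setuptool.sh >/dev/null 2>&1 \
        || { echo "FAIL: dockerd-rootless-setuptool.sh not in PATH (install docker-ce-rootless-extras)"; rc=1; }
    if [ "$rc" -eq 0 ]; then
        echo "OK: prerequisites present; run: dockerd-rootless-setuptool.sh install"
    fi
    return "$rc"
}

# verify: point the CLI at the per-user socket and confirm the daemon is rootless.
verify() {
    sock="${XDG_RUNTIME_DIR:-/run/user/$(id -u)}/docker.sock"
    if [ ! -S "$sock" ]; then
        echo "FAIL: no socket at $sock; check 'systemctl --user status docker'"; return 1
    fi
    export DOCKER_HOST="unix://$sock"
    # A rootless daemon lists "name=rootless" among its security options.
    if docker info --format '{{.SecurityOptions}}' 2>/dev/null | grep -q rootless; then
        echo "OK: daemon at $DOCKER_HOST reports name=rootless"
    else
        echo "FAIL: daemon at $DOCKER_HOST is not running in rootless mode"; return 1
    fi
}

case "${1:-}" in
    preflight) preflight ;;
    verify)    verify ;;
esac
```

The verify step checks the daemon rather than the environment: a shell with DOCKER_HOST pointing at the wrong socket, or a context shadowed by a stale DOCKER_HOST, will fail here even though every earlier step looked fine.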
Let us run Minecraft in rootless mode. Port 25565 is above 1024, so no extra privilege is needed to publish it; publishing a port below 1024 from a rootless daemon requires lowering net.ipv4.ip_unprivileged_port_start or granting rootlesskit CAP_NET_BIND_SERVICE.

```sh
docker run -d -p 25565:25565 -e EULA=true -e ONLINE_MODE=false -e DIFFICULTY=hard -e OPS=collabnix -e MAX_PLAYERS=50 -e MOTD="welcome to Raina World" -v /tmp/minecraft_data:/data --name mc itzg/minecraft-server
```

Keep the user-namespace mapping in mind for the bind-mounted /tmp/minecraft_data: a process running as root inside the container writes as your own host UID, while any other container UID lands in your subordinate range from /etc/subuid. If the server cannot write its world data, check ownership on the host with `ls -ln /tmp/minecraft_data` and make the directory writable by the mapped UID.
Originally published at collabnix.com on April 17, 2021.