How to do a Rootless Docker Installation (on Ubuntu and Debian)
Learn how to install Docker in rootless mode so that the daemon runs as root while containers run as normal user.
What is rootless Docker?
Normally, when you install Docker, it needs full permissions (root) on the host system. This creates a potential security problem because both containers and the (daemon) Docker service will work as root. In the rootless installation of Docker, only the Docker daemon runs as root while the containers run as normal users.
Why does it matter? Because if the service running in a container is compromised, the attacker may access the system files as well. There is no real isolation of the containers.
The open source Podman project was created to primarily run containers without root. This put pressure on Docker to support a similar feature so that containers run as normal users but the Docker service (daemon) works as root.
This rootless installation is now available from Docker itself and you don't need to use Podman just for this feature.
In this article, I will explain how to install Docker without root access. But before I show you those steps, let's first discuss the disadvantage of this mode.
Disadvantage of running Docker in rootless mode
The biggest downside to this mode is the network, and these problems are also present in Podman.
By default, Docker uses a rootless network.
Because it is the fastest, with a speed of up to 30 Gbps and supports IPv4 and IPv6.
But it has issues.
Containers will not have the external IP of the request, and all requests will appear from 127.0.0.1.
This is a big problem, especially if, you want to put in protection that limits distributed denial-of-service (DDOS) attacks because all requests will seem to originate from the same address.
Using Slirp4netns mode solves this problem, and shows the original address of the request. But it also has two problems.
- IPv6 not supported.
- The speed is much slower (about 7Gbps).
The rootless mode does not use the sticky bits. They need newuidmap and newgidmap.
This is why you should ensure that the newuidmap and newgidmap packages are installed (through uidmap package) and that there are 65,536 child ids.
newuidmap verifies that the caller is the owner of the process indicated by pid.
id -u 1001
Next, check that the user has 65,536 sub UIDs:
grep ^$(whoami): /etc/subuid testuser:231072:65536
grep ^$(whoami): /etc/subgid testuser:231072:65536
What do these numbers mean? The first number is the first id allowed to use and the next one tells how many id do you have. For example, it starts with 231072, id 0 means 231072 and id 1000 means 241072.
Install the dbus-user-session and fuse-overlayfs packages.
For Debian, use the command to install dbus-user-session:
sudo apt install -y dbus-user-session
And then install fuse-overlayfs:
sudo apt install -y fuse-overlayfs
It is recommended to use Kernel 5.11 or later.
Installing docker in rootless mode
Now you come to the main part. The first part is the normal Docker installation and then go with the rootless part.
I'll show the steps for Ubuntu.
Install the usual Docker packages
Uninstall any existing Docker package first:
sudo apt remove docker docker-engine docker.io containerd runc
And then install Docker on Ubuntu:
sudo apt update sudo apt install docker-ce docker-ce-cli containerd.io
Verify that Docker Engine is installed correctly by running the hello-world image.
sudo docker run hello-world
Considering that the Docker daemon is already running, disable it first.
sudo systemctl disable --now docker.service docker.socket
Install the rootless package
Now install the docker-ce-rootless-extras package by downloading the official script using curl command:
curl -fsSL https://get.docker.com/rootless | sh
Follow the on-screen suggestions and you'll have the rootless Docker installed.
At the end of this installation screen, there will be two things written: export=xxx
Copy and paste them into the last .bashrc file or if you are using ZSH, the .zshrc file. Source the rc files you just changed.
Once the installation completes, run daemon docker rootless:
systemctl --user start docker
Run rootless docker automatically at each startup:
systemctl --user enable docker sudo loginctl enable-linger $(whoami)
Author Info: Mead Naji is a web developer and old-school Linux developer.