Docker Rootless Support
Run the Docker daemon as a non-root user (Rootless mode)
The Rootless mode allows you to run the Docker daemon and containers as a non-root user. This mitigates the potential vulnerabilities in the daemon and the container runtime.
As long as the prerequisites are met, rootless mode does not require root privileges even during the installation of the Docker daemon.
After its introduction in Docker Engine v19.03 as an experimental feature, the rootless mode was available in Docker Engine v20.10 as a more stable feature.
This feature is available in Photon OS 4.0 and above versions starting from the docker-20.10.14-1 version (in Ph4).
You must install
newgidmapon the host. - Provided by the
shadowpackage in Photon
/etc/subgidshould contain at least 65,536 subordinate UIDs/GIDs for the user. In the following example, the user called
testuserhas 65,536 subordinate UIDs/GIDs (100000-165535).
You can install the pre-required packages using the following command:
tdnf install -y shadow fuse slirp4netns libslirp
Photon 3 or above with docker-20.10.14-1 version (this version is specific to Ph4. For higher versions please refer spec file in the Photon source).
You can perform the following tasks with the respective commands for them:
Install docker-rootless using the following command:
tdnf install -y docker-rootless
Use the following command to add a new user:
useradd -m test_user
Use the following command to set a password for the new user:
Use the following command to log in as the user you created:
Run the following command:
The above command shows something like the following output:
test_user@photon [ ~ ]$ dockerd-rootless-setuptool.sh --help Usage: /usr/bin/dockerd-rootless-setuptool.sh [OPTIONS] COMMAND A setup tool for Rootless Docker (dockerd-rootless.sh). Documentation: https://docs.docker.com/go/rootless/ Options: -f, --force Ignore rootful Docker (/var/run/docker.sock) --skip-iptables Ignore missing iptables Commands: check Check prerequisites install Install systemd unit (if systemd is available) and show how to manage the service uninstall Uninstall systemd unit
Run the following command, and then check and fix the errors and warnings, if any:
Run the following commands:
echo "test_user:100000:65536" >> /etc/subuid
echo "test_user:100000:65536" >> /etc/subgid
echo "kernel.unprivileged_userns_clone = 1" >> /etc/sysctl.d/50-rootless.conf
chmod 644 /etc/subuid /etc/subgid /etc/sysctl.d/50-rootless.conf
After you run the above commands, the
dockerd-rootless-setuptool.sh checkshows the following output:
test_user@photon [ ~ ]$ dockerd-rootless-setuptool.sh check [INFO] Requirements are satisfied
Requirements are satisfiedmessage appears, run the following command:
Carefully, go through the output messages of the above command and ensure that everything is fine. Follow the instructions that appear, if any.
Add the following to your
export PATH=/usr/bin:$PATH export DOCKER_HOST=unix:///run/user/$(id -u)/docker.sock
Now, you can run
docker run -it photon as a regular user.
Exposing Network Ports
Be aware that port numbers below 1024 are called privileged ports and are not available for rootless users. So, you need to use the unprivileged ports such as 8080, and so on. If you want to run an HTTP server, you need to run
docker run -p 8080:80. However, if you really need to expose privileged ports, you can do that by adjusting
sysctl /proc/sys/net/ipv4/ip_unprivileged_port_start or by setting
CAP_NET_BIND SERVICE capability on the binary rootlesskit.
Limiting Resources such as CPU, Memory
Limiting resources with cgroup-related
docker run flags such as
--pids-limit is supported only while running with cgroup v2 and systemd.
docker info shows
Cgroup Driver, the conditions are not satisfied. When these conditions are not satisfied, rootless mode ignores the cgroup-related
docker run flags.