You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This guide teaches how to use Rootlesskit and Docker to install a Rootless Docker and run Docker containers in Rootless mode. The setup works for Linux (Ubuntu, Debian, etc.), and Raspberry PI Docker allows you to create Rootless containers. This means, Docker Engine will create and run these containers in Rootless mode. They will run as unprivileged to the user namespaces creating them.
## Install Rootless Docker Kit and Run Rootless Container Mode
You will learn different ways to get Rootless container ready:
- Using Docker Engine
- Using Rootlesskit
Docker and Rootlesskit allow you to create these rootless containers. Rootlesskit must be installed if you want Docker to inherit Rootless mode. Actually, Docker Daemon will need root-level access on the host system. Rootlesskit will then run containers as normal users. In this guide, you will learn:
- How to use rootlesskit to install rootless Docker Daemon.
- When you need to use Docker Rootless Mode.
- The advantages and limitations of Docker Rootless containers.
- How to use the installed rootlesskit and run Docker containers on - Rootless Mode.
=- How to Expose Privileged Ports with Rootless Docker (ports below 1024).
- Use Cases for Running Rootless Docker Containers.
- How to Uninstall rootlesskit and remove Docker Rootless Mode.
### Step 1: Prerequisites to Rootlesskit and Rootless Docker
Before diving into this Docker Rootless guide:
- Ensure you have a working knowledge of Docker.
- Have Linux (Ubuntu, Debian, etc.) OS ready.
- Know how to install Docker Engine on Linux.
### Step 2: Setting Up Docker Rootless Environment
Before installing Docker as Rootless, you must first install Docker Engine itself. Follow these steps:
First, you need to ensure Docker is now available in your system.
- Ensure you have updated your package index:
```
sudo apt update && sudo apt upgrade -y
```
- Uninstall any Docker-related packages using the following command:
```
for pkg in docker.io docker-doc docker-compose docker-compose-v2 podman-docker containerd runc; do sudo apt-get remove $pkg; done
```
If you don’t have Docker, expect Unable to locate package docker-engine as the Output.
- Go ahead and run the following command to create a Docker signed-by repository key and ensure needed dependencies are ready:
sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
```
- Install Docker and all plugins you like like Docker Compose:
```
sudo apt update
sudo apt install docker-ce
```
- Check the Docker you have installed (Together with Docker compose)
```
sudo docker --version
docker compose version
```
- Now, make sure this Docker Engine is correctly installed by checking its running status:
```
sudo systemctl status docker
```
You must have Docker ready before proceeding to the next step. If you had challenges setting up Docker. Check [Install Docker Engine on Ubuntu](https://docs.docker.com/engine/install/ubuntu/).
### Step 3: Installing Rootless Docker using Docker (With Rootlesskit)
**docker.io** is the Official Docker Engine maintainer. Let’s see the steps you need to Get
**docker.io** to run Docker as Rootless.
#### Prerequisites
Before adding Docker as Rootless, if the system-wide Docker daemon is already running, consider disabling it:
Should you choose not to shut down the docker service and socket, you will need to use the --force parameter in the next section. There are no known issues, but until you shutdown and disable you're still running rootful Docker.
Install `dbus-user-session package` if not installed
```
sudo apt install -y dbus-user-session
```
and relogin
Ensure you have uidmap dependency ready to manage user namespace. Install `uidmap` package if not installed
```
sudo apt install -y uidmap
```
If running in a terminal where the user was not directly logged into, you will need to install `systemd-container`
`sudo apt install -y systemd-container` , then switch to TheUser with the command `sudo machinectl shell TheUser@`.
If you install `docker-ce-rootless-extras` using the deb package (`apt-get install docker-ce-rootless-extras`), then the AppArmor profile for `rootlesskit` is already bundled with the `apparmor` deb package. With this installation method, you don't need to add any manual the AppArmor configuration. If you install the rootless extras using the [installation script](https://get.docker.com/rootless?_gl=1*1m9bwlt*_ga*ODI4MDUzNTc3LjE3MTUwNzc0Mzg.*_ga_XJWPQMJYHQ*czE3NTEyNzM3MjkkbzE1MiRnMSR0MTc1MTI3ODI2NiRqNjAkbDAkaDA.), however, you must add an AppArmor profile for `rootlesskit` manually:
1. Create and install the currently logged-in user's AppArmor profile:
Go ahead and use Docker Community (docker-ce) to get Docker Rootless ready
- If you installed Docker 20.10 or later with RPM/DEB packages, you should have dockerd-rootless-setuptool.sh in /usr/bin. Run dockerd-rootless-setuptool.sh install as a non-root user to set up the daemon:
```
dockerd-rootless-setuptool.sh install
```
- If you do not have permission to run package managers like apt-get and dnf, consider using the installation script available at https://get.docker.com/rootless. Since static packages are not available for s390x, hence it is not supported for s390x.
```
curl -fsSL https://get.docker.com/rootless | sh
```
Docker should be ready in Rootless mode
- Check the following paths and copy them (These paths are visible and the end of the above curl Output)
Make sure you only copy your paths as the $user with the Linux user on your machine.
A Rootless Docker container will use these paths as a pair of environment variables to run your Rootless Docker Mode. Go ahead and open the **.bashrc** file with your editor and add your Rootless paths:
```
nano ~/.bashrc
vi ~/.bashrc
```
> If you’re using **ZSH**, use the **.zshrc** file.
Now, Add your paths and save your file.
### Step 4: How to Run A Docker Container Rootless Mode
You Rootless Docker set up ready. Make sure the Docker Daemon is really Rootless:
```
systemctl --user start docker
```
Run the following command to let your system always start your rootless Docker Engine at startup:
```
systemctl --user enable docker
```
To launch the daemon on system startup, enable the systemd service and lingering:
```
sudo loginctl enable-linger $(whoami)
```
Then check Rootless Docker status:
```
systemctl --user status docker
```
Now it’s time to run your first Rootless Mode container. I will use a simple example to make this guide short.
Consider creating an Apache web server. With Docker, you will deploy a Docker Container. With Docker as Rootless Mode, you will create containers as you would in the privileged Docker setup.
Go ahead and Use **docker run** as such:
```
docker run --name apache-container -p 8080:80 -d httpd:latest
```
Your Rootless Docker will create your container without touching root privileges. Check if the container is running:
```
docker ps
```
- Inspect container details by the container name or ID:
```
docker inspect apache-container
```
Now, you can access the running Docker container or Rootless mode using port 8080 **(http://server_ip:8080/)**:
### Step 5: How to Manage Docker Container Running on Rootless Mode
If you have worked with Docker before, any Docker command should work on this container. The only difference here is root privileges.
This means any Docker command will work while you manage your Rootless container, for example:
- Stopping and removing a container:
```
# To stop the container
docker stop apache-container
# To remove the container
docker rm apache-container
```
- List all available Docker containers:
```
docker ps -a
```
- Inspect container details by the container name or ID:
```
docker inspect apache-container
```
### Step 6: Configuring Rootless Docker container
Sometimes you need to spice up your Rootless containers. For example, a Rootless Docker Engine can’t create and Expose Privileged Ports (**any port below 1024**). This means, Docker will always Expose ports above 1024.
Let’s check some management commands:
- Run a rootless Docker inside the root Docker. Consider you have a regular Docker running on your system. You will need:
1. Runs a Docker container with the name **dind-rootless** using the **docker:<version>-dind-rootless** image.
2. Use the **--privileged** flag to give extended privileges to the container. This way, the container will run in Rootless mode and perform tasks that would otherwise be restricted.
```
docker run -d --name dind-rootless --privileged docker:20.10-dind-rootless
```
- If you want to send Ping Packet Routing to a Rootless Docker container, you will need:
1. Add configuration to allow ping packet routing within the Docker containers:
2. In this case, you will Open the **/etc/sysctl.conf** file:
```
nano /etc/sysctl.conf
```
3. Add the following line:
```
net.ipv4.ping_group_range = 0 2147483647
```
4. Apply the changed file to allow ping packet routing:
```
sudo sysctl --system
```
- Exposing Privileged Ports with Rootless Docker. You can bind to privileged ports (ports below 1024) even when running as a non-root user. However, you need to:
1. Set the **CAP_NET_BIND_SERVICE** capability on the Rootlesskit binary:
### Step 8: Use Cases for Running Rootless Docker Containers
Where is this Rootless setup helpful? Well
- Rootless Docker creates a Shared Development Environments. This way, users create containers on shared servers with no impact on shared users.
- You don’t need to host multiple users on the same server. Rootless Docker containers don’t need user privileges. This means you won’t run separate server instances for each user. That is a cost-saving approach.
- Rootless Docker Containers
- If your Host plan needs, root access, rootless Docker doesn’t need root access and you will overcome this hosting limitation.
### Step 9: The Limitations of Using Rootless Docker Container Mode
- Rootlesskit doesn’t support features like AppArmor, SCTP ports, and overlay network, just to name a few.
- You can’t use Cgroup. It’s only available if Docker is running with systemd that need root access.
- without Cgroup and systemd you won’t be able to use options such as –pids-limit, –memory, and –cpus.
- Storage Drivers like fuse-overlayfs, overlay2, and vfs get limited.
- You can run a Rootless container on privileged ports (ports below 1024).
### Conclusion
This guide taught you how to perfectly use Docker and Rootlesskit to Install Rootless Docker and run a container on Rootless mode. You have learned:
- How to use rootlesskit to install rootless Docker Daemon.
- When you need to use Docker Rootless Mode.
- The advantages and limitations of Docker Rootless containers.
- How to use the installed rootlesskit and run Docker containers on Rootless Mode.
- How to Expose Privileged Ports with Rootless Docker (ports below 1024).
- Use Cases for Running Rootless Docker Containers.
- How to Uninstall rootlesskit and remove Docker Rootless Mode.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
cybergitt revised this gist