How to Run Rootless Docker Containers

Posted on by Joseph Molloy | Updated:

Ever found yourself in a situation where you want to use Docker but don’t have root access? Or perhaps you wish to provide Docker access to your team or clients but aren’t comfortable giving them root privileges.

The solution to this problem is rootless Docker containers. Read on to learn what it’s all about and how to set it up for yourself.

What Is Rootless Docker?

In rootless mode the Docker daemon and the containers it starts all run as an ordinary, unprivileged Linux user. A conventional installation runs dockerd as root on the host, and a process that is root inside a container is root from the kernel's point of view too, so anything that gets out of the container (a kernel bug, a carelessly mounted host path, or access to the Docker socket, which is equivalent to root) lands on the host with full privileges. Containers are not a hard isolation boundary; rootless mode reduces what an escape is worth by making root inside the container a non-root user outside it.

The open source Podman project was one of the earliest and best-known runtimes to run containers without root, and Docker followed with a rootless mode of its own: experimental in Docker Engine 19.03 and generally available since 20.10. Because the rootless installation ships from Docker itself, you do not need Podman to get it.

How Rootless Docker Works

Much of what a container runtime does (mounting filesystems, creating network interfaces, switching user IDs) normally needs root. Rootless mode gets around this with a kernel feature called user namespaces.

A user namespace maps the user and group IDs inside it onto a different range outside it, so that root inside the namespace is an unprivileged ID on the host. Docker has been able to use this for containers for years through the daemon's userns-remap option, but in that setup only the containers are remapped; the daemon itself still runs as root.

Rootless mode goes one step further: a helper called RootlessKit first creates a user namespace (plus mount and network namespaces) owned by the unprivileged user and then starts the daemon inside it, so the daemon and all of its containers live in a user namespace distinct from the host's. Root inside that namespace is the user's own UID on the host, and the remaining container UIDs and GIDs come from the user's subordinate ID ranges in /etc/subuid and /etc/subgid.
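To make the mapping concrete, here is an added example (not code from this article or from Docker) that translates IDs across a user namespace the way the kernel does, using the /proc/<pid>/uid_map format. The UID 1000 and the subordinate range starting at 100000 are constructed sample values; on your host they come from id -u and your entry in /etc/subuid.

```sh
#!/bin/sh
# Added example, not from the original article: translate user IDs across a
# user namespace using the /proc/<pid>/uid_map format, one mapping per line:
#   <first id inside> <first id outside> <count>
# A rootless Docker container normally sees two lines: the user's own UID
# mapped to container root, and the user's /etc/subuid range mapped to 1..N.

# Constructed sample as seen from inside a rootless container (uid 1000 with a
# subuid range of 100000-165535). Real values differ per user and host.
SAMPLE_UID_MAP='0 1000 1
1 100000 65536'

# map_uid MAP INNER_UID -> prints the host UID that INNER_UID maps to.
# Returns 1 if the ID is unmapped; the kernel then shows it as the overflow
# ID 65534 (nobody), which is why unmapped files appear to be owned by nobody.
map_uid() {
    printf '%s\n' "$1" | awk -v id="$2" '
        NF == 3 && id >= $1 && id < $1 + $3 { print $2 + (id - $1); found = 1; exit }
        END { if (found) exit 0; exit 1 }'
}

# host_to_inner MAP HOST_UID -> the reverse lookup: which UID inside the
# container owns a file that the host shows as belonging to HOST_UID
# (useful when inspecting ~/.local/share/docker from outside).
host_to_inner() {
    printf '%s\n' "$1" | awk -v id="$2" '
        NF == 3 && id >= $2 && id < $2 + $3 { print $1 + (id - $2); found = 1; exit }
        END { if (found) exit 0; exit 1 }'
}

echo "container uid 0     -> host uid $(map_uid "$SAMPLE_UID_MAP" 0)"
echo "container uid 1000  -> host uid $(map_uid "$SAMPLE_UID_MAP" 1000)"
echo "host uid 100033     -> container uid $(host_to_inner "$SAMPLE_UID_MAP" 100033)"
map_uid "$SAMPLE_UID_MAP" 70000 >/dev/null || echo "container uid 70000 -> unmapped (appears as 65534)"

# Live check: a throwaway user namespace in which this process becomes "root"
# while its UID on the host stays the same (needs unprivileged userns enabled).
if unshare -Ur true 2>/dev/null; then
    echo "uid_map inside unshare -Ur:"; unshare -Ur cat /proc/self/uid_map
fi
```

The second mapping line is why a rootless daemon needs a subordinate ID range: every non-root UID a container uses has to land on a distinct, unprivileged host UID, and IDs outside the range (70000 above) are simply unmapped.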

Prerequisites

  • A Linux server on which you have root (or sudo) once, to install a package and, if needed, adjust kernel settings. The daemon itself will run as a normal user.
  • The uidmap package (newuidmap and newgidmap), and a subordinate UID and GID range of at least 65,536 IDs for that user in /etc/subuid and /etc/subgid. Most distributions add such a range automatically when a user is created with useradd.
  • systemd, so the daemon can run as a user service. Without it you have to start dockerd-rootless.sh by hand.

Configuring the System With uidmap Before Docker Installation

Install uidmap with the following command (Debian and Ubuntu; on RHEL-family systems the same binaries come from the shadow-utils package).

sudo apt-get install -y uidmap

How to Install Rootless Docker

Now that the system is ready, we can proceed with installing rootless Docker. It’s easy using the steps outlined below.

Step 1:

First, as the user who will own the daemon (not as root), download and run the rootless installer from Docker. It places the Docker binaries under ~/bin and registers a systemd user service.

curl -sSL https://get.docker.com/rootless | sh
Note:
Piping a remote script straight into a shell runs whatever the server, or anyone who can tamper with the connection, sends you. Prefer to download the script to a file, read it, and then run it, and only from sources you trust.

Step 2:

Once the installation completes, open the .bashrc file with your favorite text editor, as shown below.

vi ~/.bashrc

Step 3:

Add the following two environment variables to the file. The installer prints the same lines with your home directory and numeric user ID filled in; using $HOME and $(id -u) makes them portable.

export PATH=$HOME/bin:$PATH
export DOCKER_HOST=unix:///run/user/$(id -u)/docker.sock

DOCKER_HOST must point at the rootless socket. Without it, the client falls back to /var/run/docker.sock and either fails or, if a rootful daemon is also installed, quietly talks to that one instead. If you want to check the numeric ID yourself, run the following command.

id -u

Step 4:

Save the changes by pressing Esc to enter command mode and typing :wq to write and quit, then reload the file with source ~/.bashrc (or open a new shell) so the variables take effect.

Step 5:

Start the rootless Docker daemon as a systemd user service and enable it so it comes back on login. The second command keeps your user session, and with it the daemon, alive after you log out.

systemctl --user enable --now docker
sudo loginctl enable-linger "$(id -un)"

How to Configure Rootless Docker

The following settings are optional; apply the ones your workload needs.

Step 1: Rootless Docker in Regular Docker

To run a rootless daemon inside a container (for example for CI), use docker:<version>-dind-rootless rather than plain docker:<version>-dind. The outer container still has to be --privileged, because the inner daemon needs to create namespaces and mounts; what you gain is that the inner daemon and its containers run as an unprivileged user within that container. See the command below for reference.

 docker run -d --name dind-rootless --privileged docker:20.10-dind-rootless

Step 2: Ping Packet Routing

ping inside a rootless container has to use unprivileged ICMP sockets, and the kernel only allows those for groups inside net.ipv4.ping_group_range, which is empty by default. Widen the range by adding the line below to /etc/sysctl.conf (or to a file under /etc/sysctl.d/).

net.ipv4.ping_group_range = 0 2147483647

Then reload the settings. Note that this is a host-wide change, not one scoped to Docker.

sudo sysctl --system

Step 3: Expose Privileged Ports

An unprivileged daemon cannot bind ports below 1024, so docker run -p 80:80 fails by default. The narrowest fix is to grant CAP_NET_BIND_SERVICE to the rootlesskit binary, which is the process that actually binds published ports on the host, and then restart the daemon. The capability is stored on the file, so repeat the setcap after every rootlesskit upgrade. The alternative is the sysctl net.ipv4.ip_unprivileged_port_start=0, which lets every process on the host bind low ports, not only Docker. See the two commands below.

sudo setcap cap_net_bind_service=ep $(which rootlesskit)
systemctl --user restart docker

Use Cases for Running Rootless Docker Containers

Now that you’ve installed and configured rootless Docker, you might wonder what its use cases are.

Shared Development Environments

Software development teams often share servers, and their Linux and DevOps experience varies. With rootless Docker each user gets their own daemon, socket and image store under their home directory, so one developer's containers, images and mistakes do not affect anyone else on the same server, and nobody needs membership in the docker group (which is root-equivalent).

Cost-Saving Measures

Perhaps you offer a service that requires your clients to use Docker. Instead of a separate server per client, you can host several of them on one server with a rootless daemon each. Bear in mind that user namespaces narrow the blast radius of an escape; they are not a hard multi-tenancy boundary, so a kernel vulnerability still exposes every tenant on the host.

Overcome Hosting Limitations

Another good use case is a hosting plan that does not give you root. Provided the support team installs the uidmap package and gives your account subordinate UID and GID ranges, you can set up rootless Docker yourself.

Limitations of Rootless Docker

While rootless Docker containers are a great solution with many use cases, there are some limits of which you should be aware.

Limited Support of Storage Drivers

Rootless Docker only supports the following storage drivers:

  • overlay2 (requires a kernel that allows overlayfs in user namespaces: 5.11 or later, or Ubuntu's patched kernels)
  • fuse-overlayfs (kernel 4.18 or later and the fuse-overlayfs package installed)
  • btrfs (kernel 4.18 or later, with ~/.local/share/docker on a btrfs volume mounted with user_subvol_rm_allowed)
  • vfs (works everywhere but has no copy-on-write, so it is slow and stores a full copy of each layer)

Limited Features

The following Docker features are not supported:

  • AppArmor (profiles cannot be loaded without root, so the docker-default profile is not applied; seccomp still is)
  • Checkpoint (CRIU-based checkpoint and restore)
  • overlay network (multi-host networking)
  • exposing SCTP ports

In addition, the container IP addresses shown by docker inspect, and the --net=host option, refer to RootlessKit's network namespace rather than the host's, so a service is only reachable from outside through ports published with -p.

Cgroup Limits

Resource limits (--memory, --cpus, --pids-limit and the like) need cgroups, and in rootless mode they only work on hosts running cgroup v2 with systemd, which delegates a cgroup subtree to the user's session. On cgroup v1 hosts the limits cannot be enforced, and docker info reports the missing support as warnings.

Testing Rootless Docker

After completing the setup, test the rootless Docker container. To do this, follow the steps outlined below.

Step 1:

To check that the client can reach the daemon, issue the following command. Because DOCKER_HOST points at the rootless socket, this goes through the rootless daemon.

docker run hello-world

If you get the following message, all is well.

Hello from Docker! This message shows that your installation appears to be working correctly.

Step 2:

Now, it’s time to test if Docker works in rootless mode by attempting to run a container with the following command.

docker run -it ubuntu bash

Step 3:

Finally, run the following command to verify that the process is running correctly.

ps aux
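As an added example (not from the article), the script below automates those checks and fails loudly when the daemon it reaches is rootful. It also runs a container and reads its /proc/self/uid_map, which is the most direct evidence: in rootless mode container root maps to your own host UID, whereas a rootful daemon without userns-remap maps it to 0. The checking functions take the command output as text so the logic can be read and tried without a daemon; run_checks feeds them the live output. The sample outputs in the comments are constructed.

```sh
#!/bin/sh
# Added example, not from the original article: verify that the daemon the
# client talks to is really the rootless one. The checking functions take the
# command output as text; run_checks feeds them the live output.

# rootless_security_opts TEXT -> succeeds when the output of
# `docker info --format '{{.SecurityOptions}}'` contains name=rootless.
# A rootful daemon prints e.g. "[name=seccomp,profile=builtin name=cgroupns]";
# a rootless one adds "name=rootless". (Sample strings are constructed.)
rootless_security_opts() {
    for opt in $(printf '%s\n' "$1" | sed 's/[][]/ /g; s/,/ /g'); do
        [ "$opt" = name=rootless ] && return 0
    done
    return 1
}

# container_root_maps_to UID_MAP -> prints the host UID that uid 0 inside the
# container maps to, from the container's /proc/self/uid_map. Rootless: your
# own UID. Rootful without userns-remap: 0, i.e. container root is host root.
container_root_maps_to() {
    printf '%s\n' "$1" | awk '$1 == 0 { print $2; exit }'
}

# daemon_owned_by_me -> succeeds when a dockerd process runs under your UID.
daemon_owned_by_me() {
    pgrep -x -u "$(id -u)" dockerd >/dev/null
}

run_checks() {
    command -v docker >/dev/null || { echo "docker not on PATH (is \$HOME/bin in PATH?)"; return 1; }
    opts=$(docker info --format '{{.SecurityOptions}}') || return 1
    rootless_security_opts "$opts" \
        || { echo "daemon at ${DOCKER_HOST:-the default socket} is NOT rootless: $opts"; return 1; }
    daemon_owned_by_me \
        || { echo "no dockerd process is owned by uid $(id -u)"; return 1; }
    map=$(docker run --rm alpine cat /proc/self/uid_map) || return 1
    root_uid=$(container_root_maps_to "$map")
    [ "$root_uid" = "$(id -u)" ] \
        || { echo "container root maps to host uid $root_uid, expected $(id -u)"; return 1; }
    echo "OK: rootless daemon; container root is host uid $root_uid"
}

case "${1:-}" in
    run) run_checks ;;
    *)   echo "usage: $0 run" ;;
esac
```

Run it with sh verify-rootless.sh run after the installation. The most common failure it catches is a DOCKER_HOST that was never exported, in which case the client reaches a rootful daemon on /var/run/docker.sock and the first check reports that the daemon is not rootless.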

Final Thoughts

This guide covers what rootless Docker is and how it works. Running the daemon and its containers as an unprivileged user limits what a container escape or a compromised Docker socket can do, and it lets several users share one server without handing any of them root. Test the installation after setup, and in particular confirm that you are talking to the rootless daemon, so you are not relying on a protection that is not actually in place.

Are you looking for a Linux server for your next Docker-dependent project? Liquid Web offers a variety of Dedicated Server solutions to suit your needs. Contact our sales team to learn more.

About the Author: Joseph Molloy

Liquid Web Security Operations tech Joseph spends his days cleaning up malware and doing his part to keep the Internet safe. He is interested in all things Linux and always looking for something new to learn. In addition, he enjoys cooking and playing guitar, is an avid horror and sci-fi reader, and is a fan of black metal music.
