Daemon runs as root
Client controls daemon without authentication
docker run -v /:/host
docker run -v /var/run/docker.sock:
docker run --privileged
Running as non-root in a container
Forcing a user docker run/exec --user $(id -u):$(id -g) ...
Executing docker from a non-root account
Enabling user namespace mapping
Running containers as non-root
Based on user namespaces
GA since Docker 20.10
OverlayFS only on Ubuntu
Reduced network performance
Unable to open ports below 1024
No cgroup (resource management)
Registers dockerd as systemd user unit
curl -fsSL https://get.docker.com/rootless | sh
docker context use rootless
Docker Rootless in Docker Rootful
docker run -d --name dind-rootless --privileged \
docker:20.10-dind-rootless
Privileged container is required for:
Remote access to rootless Docker via secure TCP
export DOCKERD_ROOTLESS_ROOTLESSKIT_FLAGS="-p 0.0.0.0:2376:2376/tcp"
dockerd-rootless.sh \
--host tcp://0.0.0.0:2376 \
--tlsverify \
--tlscacert=ca.pem \
--tlscert=cert.pem \
--tlskey=key.pem
Remoting through SSH also works, but DOCKER_HOST must be set and available
Resource management requires cgroup v2
Container UID 0 is mapped to host UID of user
All other container UIDs are mapped to high UIDs
Rootless Podman is also a thing
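The two mapping bullets above, worked as an added example (not from the original slides): a small POSIX shell helper that builds the uid_map a rootless daemon ends up with from the user's own UID and a /etc/subuid entry, and resolves which host UID a given container UID lands on. The user UID 1000 and the subuid range 100000:65536 are constructed sample values.

```shell
#!/bin/sh
# Constructed sample uid_map, in the format of /proc/<pid>/uid_map:
#   <first container UID> <first host UID> <length>
# Container UID 0 is the user's own UID (1000 here); container UIDs 1..65536
# land on the user's /etc/subuid range starting at 100000.
UID_MAP='0 1000 1
1 100000 65536'

# uid_map_for <user_uid> <subuid_line>
# Builds that map from the user's UID and their /etc/subuid entry
# ("name:start:count"), the way rootless setup derives it.
uid_map_for() {
    _start=$(printf '%s' "$2" | cut -d: -f2)
    _count=$(printf '%s' "$2" | cut -d: -f3)
    printf '0 %s 1\n1 %s %s\n' "$1" "$_start" "$_count"
}

# host_uid <container_uid> [uid_map_text]
# Prints the host UID a container UID is mapped to, or "unmapped" when the
# UID lies outside every range (the kernel then shows the overflow ID,
# typically 65534/nobody, and such files cannot be owned by the container).
host_uid() {
    _cuid="$1"
    _map="${2:-$UID_MAP}"
    printf '%s\n' "$_map" | awk -v c="$_cuid" '
        NF == 3 && c >= $1 && c < $1 + $3 {
            print $2 + (c - $1); found = 1; exit
        }
        END { if (!found) print "unmapped" }'
}

# Example run: root inside the container is just the unprivileged user on
# the host, and a container UID beyond the subuid range is not mapped at all.
host_uid 0        # prints 1000
host_uid 1        # prints 100000
host_uid 70000    # prints unmapped
```

Compare the output against `cat /proc/$(pgrep -f dockerd-rootless | head -1)/uid_map` on a host where rootless Docker is running to confirm the daemon really carries this mapping.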
rootlesskit --net=slirp4netns --copy-up=/etc --disable-host-loopback \
buildkitd
(add --oci-worker-snapshotter=native when fuse-overlayfs produces errors)
buildctl --addr unix:///run/user/$UID/buildkit/buildkitd.sock \
build ...
docker run --name buildkitd -d \
--security-opt seccomp=unconfined \
--security-opt apparmor=unconfined \
--device /dev/fuse \
moby/buildkit:rootless --oci-worker-no-process-sandbox
buildctl --addr docker-container://buildkitd \
build ...
mkdir -p ~/bin
curl -sLo ~/bin/containerd-rootless.sh https://github.com/containerd/nerdctl/raw/master/extras/rootless/containerd-rootless.sh
curl -sLo ~/bin/containerd-rootless-setuptool.sh https://github.com/containerd/nerdctl/raw/master/extras/rootless/containerd-rootless-setuptool.sh
R=containerd/nerdctl
V=v0.11.2
P=extras/rootless
S=containerd-rootless-setuptool.sh
curl -sL https://github.com/$R/raw/$V/$P/$S | \
bash -s install
It’s all based on user namespaces
The person behind rootless implementations: Akihiro Suda
The code behind setting up rootless: rootlesskit
Networking for rootless: slirp4netns
Home of Rootless Containers
Homebrew tap maintained by @nicholasdille
brew tap nicholasdille/tap
brew install containerd buildkit nerdctl
Follow the official documentation (links above)
Very much work in progress
Please report issues
brew tap nicholasdille/tap
brew tap nicholasdille/immortal
brew install dockerd-rootless
brew immortal start dockerd-rootless
docker context create rootless \
--description "Docker Rootless" \
--docker "host=unix:///home/linuxbrew/.linuxbrew/var/run/dockerd/docker.sock"
docker context use rootless
docker version
brew tap nicholasdille/tap
brew tap nicholasdille/immortal
brew install buildkitd-rootless
brew immortal start buildkitd-rootless
export BUILDKIT_HOST=unix:///home/linuxbrew/.linuxbrew/var/run/buildkitd/buildkit/buildkitd.sock
buildctl build ...
brew tap nicholasdille/tap
brew tap nicholasdille/immortal
brew install containerd-rootless
brew immortal start containerd-rootless
brew tap nicholasdille/tap
brew tap nicholasdille/immortal
brew install nerdctl-immortal
brew immortal start nerdctl-containerd
brew immortal start nerdctl-buildkitd
nerdctl-rootless version
Requires cgroup v2, systemd user, uidmap
Requires feature gate KubeletInUserNamespace
Official documentation, some loose ends
Requires cgroup v2
export DOCKER_HOST=unix://${XDG_RUNTIME_DIR}/docker.sock
kind create cluster
usernetes: Run Kubernetes without root privileges
sysbox: Open-source, next-generation “runc” that empowers rootless containers to run workloads such as Systemd, Docker, Kubernetes, just like VMs
WSL2 and cgroup v2: Requires change in Microsoft owned init for service VM