| description | keywords | title |
|---|---|---|
| Run the Docker daemon as a non-root user (Rootless mode) | security, namespaces, rootless | Run the Docker daemon as a non-root user (Rootless mode) |
Rootless mode allows running the Docker daemon and containers as a non-root user to mitigate potential vulnerabilities in the daemon and the container runtime.
Rootless mode does not require root privileges even during the installation of the Docker daemon, as long as the prerequisites are met.
Rootless mode was introduced in Docker Engine v19.03 as an experimental feature. Rootless mode graduated from experimental in Docker Engine v20.10.
## How it works

Rootless mode executes the Docker daemon and containers inside a user namespace. This is very similar to `userns-remap` mode, except that with `userns-remap` mode, the daemon itself is running with root privileges, whereas in rootless mode, both the daemon and the container are running without root privileges.

Rootless mode does not use binaries with SETUID bits or file capabilities, except `newuidmap` and `newgidmap`, which are needed to allow multiple UIDs/GIDs to be used in the user namespace.
## Prerequisites

- You must install `newuidmap` and `newgidmap` on the host. These commands are provided by the `uidmap` package on most distros.
- `/etc/subuid` and `/etc/subgid` should contain at least 65,536 subordinate UIDs/GIDs for the user. In the following example, the user `testuser` has 65,536 subordinate UIDs/GIDs (231072-296607).

```console
$ id -u
1001
$ whoami
testuser
$ grep ^$(whoami): /etc/subuid
testuser:231072:65536
$ grep ^$(whoami): /etc/subgid
testuser:231072:65536
```
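The following preflight script is an added example, not part of Docker's own tooling. It checks the prerequisites above the way a practitioner would before installing: `newuidmap`/`newgidmap` on `PATH`, at least 65,536 subordinate IDs for the user summed over all ranges in `/etc/subuid` and `/etc/subgid` (a user may hold several ranges), and the two kernel knobs that the Troubleshooting section later names as the usual causes of a rootlesskit startup failure. The function names, the `RUN_PREFLIGHT` switch and the output wording are this example's own choices.

```sh
#!/bin/sh
# Added example (not Docker's own code): preflight check for rootless-mode prerequisites.
# Assumptions: the 65536 threshold and the /etc/subuid "user:start:count" format from the
# page; RUN_PREFLIGHT is an example-only switch so the file can also be sourced.

# subid_count FILE USER: print the total number of subordinate IDs FILE grants to USER,
# summed over all of USER's ranges; prints 0 if there are none or FILE is unreadable.
subid_count() {
    file="$1"; user="$2"
    if [ ! -r "$file" ]; then
        echo 0
        return 0
    fi
    awk -F: -v u="$user" '$1 == u { total += $3 } END { printf "%d\n", total + 0 }' "$file"
}

# subid_ok FILE USER: succeed when USER has at least 65536 subordinate IDs in FILE.
subid_ok() {
    [ "$(subid_count "$1" "$2")" -ge 65536 ]
}

# sysctl_is_zero PATH: succeed when the /proc/sys entry exists and currently reads 0.
sysctl_is_zero() {
    [ -r "$1" ] && [ "$(cat "$1")" = 0 ]
}

# rootless_preflight [USER]: print one line per check; return non-zero if any check failed.
# USER defaults to the calling user.
rootless_preflight() {
    user="${1:-$(id -un)}"
    rc=0
    for tool in newuidmap newgidmap; do
        if command -v "$tool" >/dev/null 2>&1; then
            echo "ok    $tool found on PATH"
        else
            echo "FAIL  $tool not found (install the uidmap package)"; rc=1
        fi
    done
    for file in /etc/subuid /etc/subgid; do
        n=$(subid_count "$file" "$user")
        if [ "$n" -ge 65536 ]; then
            echo "ok    $file grants $n subordinate IDs to $user"
        else
            echo "FAIL  $file grants only $n subordinate IDs to $user (need at least 65536)"; rc=1
        fi
    done
    # Both knobs are discussed under "Errors when starting the Docker daemon".
    if sysctl_is_zero /proc/sys/kernel/unprivileged_userns_clone; then
        echo "FAIL  kernel.unprivileged_userns_clone is 0 (set it to 1 via sysctl)"; rc=1
    fi
    if sysctl_is_zero /proc/sys/user/max_user_namespaces; then
        echo "FAIL  user.max_user_namespaces is 0 (raise it via sysctl)"; rc=1
    fi
    return $rc
}

# Run the checks only when asked, e.g.:  RUN_PREFLIGHT=1 sh rootless-preflight.sh testuser
if [ "${RUN_PREFLIGHT:-0}" = 1 ]; then
    rootless_preflight "$@"
fi
```

The script is POSIX `sh`, so it runs on hosts that do not have bash. A non-zero exit from `rootless_preflight` means at least one prerequisite is unmet; the printed `FAIL` lines name the fix from this page.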
### Distribution-specific hint

> **Note**: We recommend that you use the Ubuntu kernel.

#### Ubuntu

- `overlay2` storage driver is enabled by default (Ubuntu-specific kernel patch).
- Known to work on Ubuntu 16.04, 18.04, and 20.04.

#### Debian GNU/Linux

- To use the `overlay2` storage driver (recommended), run `sudo modprobe overlay permit_mounts_in_userns=1` (Debian-specific kernel patch, introduced in Debian 10). Add the configuration to `/etc/modprobe.d` for persistence.

#### Arch Linux

- Add `kernel.unprivileged_userns_clone=1` to `/etc/sysctl.conf` (or `/etc/sysctl.d`) and run `sudo sysctl --system`.

#### openSUSE

- `sudo modprobe ip_tables iptable_mangle iptable_nat iptable_filter` is required. This might be required on other distros as well depending on the configuration.
- Known to work on openSUSE 15.

#### CentOS 8 and Fedora

- You might need `sudo dnf install -y iptables`.
- When SELinux is enabled, you may face the `can't open lock file /run/xtables.lock: Permission denied` error. A workaround for this is to run `sudo dnf install -y policycoreutils-python-utils && sudo semanage permissive -a iptables_t`. This issue is tracked in moby/moby#41230.
- Known to work on CentOS 8 and Fedora 33.

#### CentOS 7

- `systemctl --user` does not work by default. Run `dockerd-rootless.sh` directly without systemd.
## Known limitations

- Only the following storage drivers are supported:
  - `overlay2` (only if running with kernel 5.11 or later, or Ubuntu-flavored kernel, or Debian-flavored kernel)
  - `fuse-overlayfs` (only if running with kernel 4.18 or later, and `fuse-overlayfs` is installed)
  - `vfs`
- Cgroup is supported only when running with cgroup v2 and systemd. See Limiting resources.
- The following features are not supported:
  - AppArmor
  - Checkpoint
  - Overlay network
  - Exposing SCTP ports
- To use the `ping` command, see Routing ping packets.
- To expose privileged TCP/UDP ports (< 1024), see Exposing privileged ports.
- `IPAddress` shown in `docker inspect` is namespaced inside RootlessKit's network namespace. This means the IP address is not reachable from the host without `nsenter`-ing into the network namespace.
- Host network (`docker run --net=host`) is also namespaced inside RootlessKit.
## Install

> **Note**
>
> If the system-wide Docker daemon is already running, consider disabling it:
>
> ```console
> $ sudo systemctl disable --now docker.service
> ```

### With packages (RPM/DEB)

Run `dockerd-rootless-setuptool.sh install` as a non-root user to set up the daemon:

```console
$ dockerd-rootless-setuptool.sh install
[INFO] Creating /home/testuser/.config/systemd/user/docker.service
...
[INFO] Installed docker.service successfully.
[INFO] To control docker.service, run: `systemctl --user (start|stop|restart) docker.service`
[INFO] To run docker.service on system startup, run: `sudo loginctl enable-linger testuser`

[INFO] Make sure the following environment variables are set (or add them to ~/.bashrc):

export PATH=/usr/bin:$PATH
export DOCKER_HOST=unix:///run/user/1000/docker.sock
```

If `dockerd-rootless-setuptool.sh` is not present, you may need to install the `docker-ce-rootless-extras` package manually, e.g.,

```console
$ sudo apt-get install -y docker-ce-rootless-extras
```

### Without packages

Run the installation script available at https://get.docker.com/rootless:

```console
$ curl -fsSL https://get.docker.com/rootless | sh
...
[INFO] Creating /home/testuser/.config/systemd/user/docker.service
...
[INFO] Installed docker.service successfully.
[INFO] To control docker.service, run: `systemctl --user (start|stop|restart) docker.service`
[INFO] To run docker.service on system startup, run: `sudo loginctl enable-linger testuser`

[INFO] Make sure the following environment variables are set (or add them to ~/.bashrc):

export PATH=/home/testuser/bin:$PATH
export DOCKER_HOST=unix:///run/user/1000/docker.sock
```

The binaries will be installed at `~/bin`.

See Troubleshooting if you faced an error.
## Uninstall

To remove the systemd service of the Docker daemon, run `dockerd-rootless-setuptool.sh uninstall`:

```console
$ dockerd-rootless-setuptool.sh uninstall
+ systemctl --user stop docker.service
+ systemctl --user disable docker.service
Removed /home/testuser/.config/systemd/user/default.target.wants/docker.service.
[INFO] Uninstalled docker.service
[INFO] This uninstallation tool does NOT remove Docker binaries and data.
[INFO] To remove data, run: `/usr/bin/rootlesskit rm -rf /home/testuser/.local/share/docker`
```

To remove the data directory, run `rootlesskit rm -rf ~/.local/share/docker`.

To remove the binaries, remove the `docker-ce-rootless-extras` package if you installed Docker with package managers.

If you installed Docker with https://get.docker.com/rootless (Install without packages), remove the binary files under `~/bin`:

```console
$ cd ~/bin
$ rm -f containerd containerd-shim containerd-shim-runc-v2 ctr docker docker-init docker-proxy dockerd dockerd-rootless-setuptool.sh dockerd-rootless.sh rootlesskit rootlesskit-docker-proxy runc vpnkit
```
## Usage

### Daemon

#### With systemd (Highly recommended)

Use `systemctl --user` to manage the lifecycle of the daemon:

```console
$ systemctl --user start docker
```

To launch the daemon on system startup, enable the systemd service and lingering:

```console
$ systemctl --user enable docker
$ sudo loginctl enable-linger $(whoami)
```

Starting Rootless Docker as a systemd-wide service (`/etc/systemd/system/docker.service`) is not supported, even with the `User=` directive.

#### Without systemd

To run the daemon directly without systemd, run `dockerd-rootless.sh` instead of `dockerd`. The following environment variables must be set:

- `$HOME`: the home directory
- `$XDG_RUNTIME_DIR`: an ephemeral directory that is only accessible by the expected user, e.g., `~/.docker/run`. The directory should be removed on every host shutdown. The directory can be on tmpfs; however, it should not be under `/tmp`. Locating this directory under `/tmp` might be vulnerable to a TOCTOU attack.

Remarks about directory paths:

- The socket path is set to `$XDG_RUNTIME_DIR/docker.sock` by default. `$XDG_RUNTIME_DIR` is typically set to `/run/user/$UID`.
- The data dir is set to `~/.local/share/docker` by default. The data dir should not be on NFS.
- The daemon config dir is set to `~/.config/docker` by default. This directory is different from `~/.docker`, which is used by the client.
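The requirements on `$XDG_RUNTIME_DIR` stated above (only accessible by the expected user, not under `/tmp`) are easy to get wrong on a non-systemd host, because `mkdir -p` alone honours the umask and a symlink can quietly point the path into `/tmp`. The following is an added example, not Docker's own code, that checks a candidate directory against those rules before `dockerd-rootless.sh` is started: it resolves symlinks, rejects anything under `/tmp`, and requires the directory to be owned by the calling user with mode 0700. `xdg_runtime_dir_check`, `setup_runtime_dir` and their messages are this example's own names.

```sh
#!/bin/sh
# Added example (not Docker's own code): validate $XDG_RUNTIME_DIR for rootless mode.
# Rules come from the page: user-private directory, not located under /tmp (TOCTOU risk).
# ls -ldn / ls -ld parsing is assumed to follow the usual Linux/BSD column layout.

# xdg_runtime_dir_check DIR: print "ok" or the reason for rejection; return non-zero on any problem.
xdg_runtime_dir_check() {
    dir="$1"
    if [ -z "$dir" ]; then
        echo "XDG_RUNTIME_DIR is not set"; return 1
    fi
    if [ ! -d "$dir" ]; then
        echo "$dir does not exist or is not a directory"; return 1
    fi
    # Resolve symlinks first: a path like ~/.docker/run could still point into /tmp.
    real=$(cd "$dir" && pwd -P)
    case "$real" in
        /tmp|/tmp/*) echo "$dir resolves to $real, which is under /tmp (TOCTOU risk)"; return 1 ;;
    esac
    # Third column of ls -ldn is the numeric owner UID.
    owner=$(ls -ldn "$dir" | awk '{ print $3 }')
    if [ "$owner" != "$(id -u)" ]; then
        echo "$dir is owned by uid $owner, not by the current user"; return 1
    fi
    # First ten characters of ls -ld are the type and permission bits; only the owner may access it.
    mode=$(ls -ld "$dir" | cut -c1-10)
    if [ "$mode" != "drwx------" ]; then
        echo "$dir has mode $mode; expected drwx------ (chmod 700)"; return 1
    fi
    echo ok
    return 0
}

# setup_runtime_dir DIR: create DIR with mode 0700 if needed, verify it, and print the
# export line to use before running dockerd-rootless.sh.
setup_runtime_dir() {
    dir="$1"
    mkdir -p "$dir" || return 1
    chmod 700 "$dir" || return 1
    xdg_runtime_dir_check "$dir" || return 1
    echo "export XDG_RUNTIME_DIR=$dir"
}
```

Typical use is `setup_runtime_dir "$HOME/.docker/run"` followed by the printed `export` in the shell that launches `dockerd-rootless.sh`; the directory still has to be removed on logout, as the page notes.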
### Client

You need to specify the socket path explicitly.

To specify the socket path using `$DOCKER_HOST`:

```console
$ export DOCKER_HOST=unix://$XDG_RUNTIME_DIR/docker.sock
$ docker run -d -p 8080:80 nginx
```

To specify the socket path using `docker context`:

```console
$ docker context create rootless --description "for rootless mode" --docker "host=unix://$XDG_RUNTIME_DIR/docker.sock"
rootless
Successfully created context "rootless"
$ docker context use rootless
rootless
Current context is now "rootless"
$ docker run -d -p 8080:80 nginx
```
## Best practices

### Rootless Docker in Docker

To run Rootless Docker inside "rootful" Docker, use the `docker:<version>-dind-rootless` image instead of `docker:<version>-dind`.

```console
$ docker run -d --name dind-rootless --privileged docker:20.10-dind-rootless
```

The `docker:<version>-dind-rootless` image runs as a non-root user (UID 1000). However, `--privileged` is required for disabling seccomp, AppArmor, and mount masks.

### Expose Docker API socket through TCP

To expose the Docker API socket through TCP, you need to launch `dockerd-rootless.sh` with `DOCKERD_ROOTLESS_ROOTLESSKIT_FLAGS="-p 0.0.0.0:2376:2376/tcp"`.

```console
$ DOCKERD_ROOTLESS_ROOTLESSKIT_FLAGS="-p 0.0.0.0:2376:2376/tcp" \
  dockerd-rootless.sh \
  -H tcp://0.0.0.0:2376 \
  --tlsverify --tlscacert=ca.pem --tlscert=cert.pem --tlskey=key.pem
```

### Expose Docker API socket through SSH

To expose the Docker API socket through SSH, you need to make sure `$DOCKER_HOST` is set on the remote host.

```console
$ ssh -l <REMOTEUSER> <REMOTEHOST> 'echo $DOCKER_HOST'
unix:///run/user/1001/docker.sock
$ docker -H ssh://<REMOTEUSER>@<REMOTEHOST> run ...
```
### Routing ping packets

On some distributions, `ping` does not work by default.

Add `net.ipv4.ping_group_range = 0 2147483647` to `/etc/sysctl.conf` (or `/etc/sysctl.d`) and run `sudo sysctl --system` to allow using `ping`.

### Exposing privileged ports

To expose privileged ports (< 1024), set `CAP_NET_BIND_SERVICE` on the `rootlesskit` binary.

```console
$ sudo setcap cap_net_bind_service=ep $HOME/bin/rootlesskit
```

Or add `net.ipv4.ip_unprivileged_port_start=0` to `/etc/sysctl.conf` (or `/etc/sysctl.d`) and run `sudo sysctl --system`.
### Limiting resources

Limiting resources with cgroup-related `docker run` flags such as `--cpus`, `--memory`, `--pids-limit` is supported only when running with cgroup v2 and systemd. See Changing cgroup version to enable cgroup v2.

If `docker info` shows `none` as `Cgroup Driver`, the conditions are not satisfied. When these conditions are not satisfied, rootless mode ignores the cgroup-related `docker run` flags. See Limiting resources without cgroup for workarounds.

If `docker info` shows `systemd` as `Cgroup Driver`, the conditions are satisfied. However, typically, only `memory` and `pids` controllers are delegated to non-root users by default.

```console
$ cat /sys/fs/cgroup/user.slice/user-$(id -u).slice/user@$(id -u).service/cgroup.controllers
memory pids
```

To allow delegation of all controllers, you need to change the systemd configuration as follows:

```console
# mkdir -p /etc/systemd/system/user@.service.d
# cat > /etc/systemd/system/user@.service.d/delegate.conf << EOF
[Service]
Delegate=cpu cpuset io memory pids
EOF
# systemctl daemon-reload
```

> **Note**
>
> Delegating `cpuset` requires systemd 244 or later.
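Because rootless mode silently ignores `--cpus`, `--memory` and `--pids-limit` when the conditions above are not met, it is worth checking them explicitly rather than trusting a `docker run` that appears to succeed. The following is an added example, not Docker's own code: it tests whether the cgroup v2 hierarchy is mounted (the `cgroup.controllers` file exists only at the root of a v2 mount), reads the user's `cgroup.controllers` file from the same path the `cat` command above uses, and names which of the controllers in the `delegate.conf` above are still missing. `CGROUP_ROOT` and the function names are this example's own.

```sh
#!/bin/sh
# Added example (not Docker's own code): report cgroup v2 controller delegation for the
# calling user. CGROUP_ROOT is an example-only override so the functions can be exercised
# against a constructed directory.

CGROUP_ROOT="${CGROUP_ROOT:-/sys/fs/cgroup}"

# cgroup_v2_mounted: succeed when the unified (v2) hierarchy is mounted at CGROUP_ROOT.
cgroup_v2_mounted() {
    [ -f "$CGROUP_ROOT/cgroup.controllers" ]
}

# user_controllers_file [UID]: path of the cgroup.controllers file of the user's systemd
# manager, matching the cat command in the Limiting resources section.
user_controllers_file() {
    uid="${1:-$(id -u)}"
    echo "$CGROUP_ROOT/user.slice/user-$uid.slice/user@$uid.service/cgroup.controllers"
}

# controllers_missing FILE CONTROLLER...: print, space-separated, the requested controllers
# that are absent from the space-separated list in FILE (all of them if FILE is unreadable).
controllers_missing() {
    file="$1"; shift
    if [ -r "$file" ]; then
        have=" $(tr '\n' ' ' < "$file") "
    else
        have=" "
    fi
    missing=""
    for c in "$@"; do
        case "$have" in
            *" $c "*) ;;
            *) missing="$missing $c" ;;
        esac
    done
    printf '%s\n' "${missing# }"
}

# delegation_report [UID]: print a one-line summary; return 0 only when cgroup v2 is
# mounted and cpu, cpuset, io, memory and pids are all delegated to the user.
delegation_report() {
    uid="${1:-$(id -u)}"
    if ! cgroup_v2_mounted; then
        echo "cgroup v2 is not mounted at $CGROUP_ROOT; rootless mode ignores --cpus/--memory/--pids-limit"
        return 1
    fi
    file=$(user_controllers_file "$uid")
    missing=$(controllers_missing "$file" cpu cpuset io memory pids)
    if [ -z "$missing" ]; then
        echo "all of cpu cpuset io memory pids are delegated to uid $uid"
        return 0
    fi
    echo "not delegated to uid $uid: $missing (add them to Delegate= in user@.service.d/delegate.conf)"
    return 1
}
```

Run `delegation_report` as the rootless user after `systemctl daemon-reload`; on a default host it reports `cpu cpuset io` as missing, which matches the `memory pids` output shown above.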
### Limiting resources without cgroup

Even when cgroup is not available, you can still use the traditional `ulimit` and `cpulimit`, though they work in process-granularity rather than in container-granularity, and can be arbitrarily disabled by the container process.

For example:

- To limit CPU usage to 0.5 cores (similar to `docker run --cpus 0.5`): `docker run <IMAGE> cpulimit --limit=50 --include-children <COMMAND>`
- To limit max VSZ to 64MiB (similar to `docker run --memory 64m`): `docker run <IMAGE> sh -c "ulimit -v 65536; <COMMAND>"`
- To limit max number of processes to 100 per namespaced UID 2000 (similar to `docker run --pids-limit=100`): `docker run --user 2000 --ulimit nproc=100 <IMAGE> <COMMAND>`
## Troubleshooting

### Errors when starting the Docker daemon

#### [rootlesskit:parent] error: failed to start the child: fork/exec /proc/self/exe: operation not permitted

This error occurs mostly when the value of `/proc/sys/kernel/unprivileged_userns_clone` is set to 0:

```console
$ cat /proc/sys/kernel/unprivileged_userns_clone
0
```

To fix this issue, add `kernel.unprivileged_userns_clone=1` to `/etc/sysctl.conf` (or `/etc/sysctl.d`) and run `sudo sysctl --system`.

#### [rootlesskit:parent] error: failed to start the child: fork/exec /proc/self/exe: no space left on device

This error occurs mostly when the value of `/proc/sys/user/max_user_namespaces` is too small:

```console
$ cat /proc/sys/user/max_user_namespaces
0
```

To fix this issue, add `user.max_user_namespaces=28633` to `/etc/sysctl.conf` (or `/etc/sysctl.d`) and run `sudo sysctl --system`.

#### [rootlesskit:parent] error: failed to setup UID/GID map: failed to compute uid/gid map: No subuid ranges found for user 1001 ("testuser")

This error occurs when `/etc/subuid` and `/etc/subgid` are not configured. See Prerequisites.

#### could not get XDG_RUNTIME_DIR

This error occurs when `$XDG_RUNTIME_DIR` is not set.

On a non-systemd host, you need to create a directory and then set the path:

```console
$ export XDG_RUNTIME_DIR=$HOME/.docker/xrd
$ rm -rf $XDG_RUNTIME_DIR
$ mkdir -p $XDG_RUNTIME_DIR
$ dockerd-rootless.sh
```

> **Note**: You must remove the directory every time you log out.

On a systemd host, log into the host using `pam_systemd` (see below). The value is automatically set to `/run/user/$UID` and cleaned up on every logout.
#### `systemctl --user` fails with "Failed to connect to bus: No such file or directory"

This error occurs mostly when you switch from the root user to a non-root user with `sudo`:

```console
# sudo -iu testuser
$ systemctl --user start docker
Failed to connect to bus: No such file or directory
```

Instead of `sudo -iu <USERNAME>`, you need to log in using `pam_systemd`. For example:

- Log in through the graphic console
- `ssh <USERNAME>@localhost`
- `machinectl shell <USERNAME>@`

#### The daemon does not start up automatically

You need `sudo loginctl enable-linger $(whoami)` to enable the daemon to start up automatically. See Usage.
#### iptables failed: iptables -t nat -N DOCKER: Fatal: can't open lock file /run/xtables.lock: Permission denied

This error may happen when SELinux is enabled on the host.

A known workaround is to run the following commands to disable SELinux for `iptables`:

```console
$ sudo dnf install -y policycoreutils-python-utils && sudo semanage permissive -a iptables_t
```

This issue is tracked in moby/moby#41230.

### `docker pull` errors

#### docker: failed to register layer: Error processing tar file(exit status 1): lchown <FILE>: invalid argument

This error occurs when the number of available entries in `/etc/subuid` or `/etc/subgid` is not sufficient. The number of entries required varies across images. However, 65,536 entries are sufficient for most images. See Prerequisites.

#### docker: failed to register layer: ApplyLayer exit status 1 stdout: stderr: lchown <FILE>: operation not permitted

This error occurs mostly when `~/.local/share/docker` is located on NFS.

A workaround is to specify a non-NFS `data-root` directory in `~/.config/docker/daemon.json` as follows:

```json
{"data-root":"/somewhere-out-of-nfs"}
```
### `docker run` errors

#### `--cpus`, `--memory`, and `--pids-limit` are ignored

This is an expected behavior on cgroup v1 mode. To use these flags, the host needs to be configured for enabling cgroup v2. For more information, see Limiting resources.

### Networking errors

#### `docker run -p` fails with `cannot expose privileged port`

`docker run -p` fails with this error when a privileged port (< 1024) is specified as the host port.

```console
$ docker run -p 80:80 nginx:alpine
docker: Error response from daemon: driver failed programming external connectivity on endpoint focused_swanson (9e2e139a9d8fc92b37c36edfa6214a6e986fa2028c0cc359812f685173fa6df7): Error starting userland proxy: error while calling PortManager.AddPort(): cannot expose privileged port 80, you might need to add "net.ipv4.ip_unprivileged_port_start=0" (currently 1024) to /etc/sysctl.conf, or set CAP_NET_BIND_SERVICE on rootlesskit binary, or choose a larger port number (>= 1024): listen tcp 0.0.0.0:80: bind: permission denied.
```

When you experience this error, consider using an unprivileged port instead. For example, 8080 instead of 80.

```console
$ docker run -p 8080:80 nginx:alpine
```

To allow exposing privileged ports, see Exposing privileged ports.
#### `ping` doesn't work

Ping does not work when `/proc/sys/net/ipv4/ping_group_range` is set to `1 0`:

```console
$ cat /proc/sys/net/ipv4/ping_group_range
1 0
```

For details, see Routing ping packets.

#### `IPAddress` shown in `docker inspect` is unreachable

This is an expected behavior, as the daemon is namespaced inside RootlessKit's network namespace. Use `docker run -p` instead.

#### `--net=host` doesn't listen ports on the host network namespace

This is an expected behavior, as the daemon is namespaced inside RootlessKit's network namespace. Use `docker run -p` instead.

#### Network is slow

Docker with rootless mode uses slirp4netns as the default network stack if slirp4netns v0.4.0 or later is installed. If slirp4netns is not installed, Docker falls back to VPNKit.

Installing slirp4netns may improve the network throughput. See RootlessKit documentation for the benchmark result.

Also, changing the MTU value may improve the throughput. The MTU value can be specified by adding `Environment="DOCKERD_ROOTLESS_ROOTLESSKIT_MTU=<INTEGER>"` to `~/.config/systemd/user/docker.service` and then running `systemctl --user daemon-reload`.

#### `docker run -p` does not propagate source IP addresses

This is because Docker with rootless mode uses RootlessKit's builtin port driver by default.

The source IP addresses can be propagated by adding `Environment="DOCKERD_ROOTLESS_ROOTLESSKIT_PORT_DRIVER=slirp4netns"` to `~/.config/systemd/user/docker.service` and then running `systemctl --user daemon-reload`.

Note that this configuration decreases throughput. See RootlessKit documentation for the benchmark result.
### Tips for debugging

#### Entering into dockerd namespaces

The `dockerd-rootless.sh` script executes `dockerd` in its own user, mount, and network namespaces.

For debugging, you can enter the namespaces by running `nsenter -U --preserve-credentials -n -m -t $(cat $XDG_RUNTIME_DIR/docker.pid)`.