Run the docker daemon as a non-root user (rootless mode). (2023)

Table of Contents

How does it work requirements Distribution Specific Notice Known limitations install manual installation night channel purpose of use evil Client Recommended course of action Docker ohne Root in Docker Provide the Docker API socket over TCP Provide the Docker API socket over SSH Forward ping packets Expose privileged ports resource limitation Change network stack Problem solving Could not start docker daemon Drag dockererror running dockererror network error FAQs Videos References

Estimated reading time:15 minutes

Rootless mode allows the Docker daemon and containers to run as a non-root user to mitigate potential vulnerabilities in the daemon and container runtime.

Rootless mode also does not require root privileges during the installation of the Docker daemon, as long as therequirementsare met.

Rootless mode was introduced in Docker Engine v19.03.

Use

Rootless mode is an experimental feature and has some limitations. For more details seeKnown limitations.

How does it work

Rootless mode runs the docker daemon and containers in a username space. This is very similar toUserns-remap-Modus, except that withuser reassignmentmode, the daemon runs with root privileges, while in unrooted mode, both the daemon and the container run without root privileges.

Rootless mode does not use binaries withWEATHERbits or file abilities, exceptnew uid mapyneuegidmap, which are required to allow the use of multiple UIDs/GIDs in the username space.

requirements

you must installnew uid mapyneuegidmapin the host. These commands are provided by theuid mappackage in most distributions.
/etc/subidy/etc/subgidmust contain at least 65,536 secondary UIDs/GIDs for the user. In the following example, the userTestbenutzerhas 65,536 UID/GID of children (231072-296607).

ps I would like to -tu1001ps who I amTestbenutzerps grep^pswho I am): /etc/subidTestbenutzer:231072:65536ps grep^pswho I am): /etc/subgidTestbenutzer:231072:65536

Distribution Specific Notice

Note: We recommend using the Ubuntu kernel.

ubuntu

No preparation required.
overlap2The storage driver is enabled by default (Ubuntu specific kernel patch).
It is known to work on Ubuntu 16.04, 18.04 and 20.04.

Debian GNU/Linux

Addkernel.unprivileged_userns_clone=1a/etc/sysctl.conf(o/etc/sysctl.d) and racesudo sysctl --system.
Use theoverlap2Storage driver (recommended), runsudo modprobe superposición allow_mounts_in_userns=1(Debian-specific kernel patch introduced in Debian 10). add configuration/etc/modprobe.dfor resistance
Known for working on Debian 9 and 10.overlap2only supported and required since Debian 10Modprobesetup described above.

Arch-Linux

Addkernel.unprivileged_userns_clone=1a/etc/sysctl.conf(o/etc/sysctl.d) and racesudo sysctl --system

openSUSE

sudo modprobe ip_tables iptable_mangle iptable_nat iptable_filterit is required. Depending on the configuration, this may also be necessary on other distributions.
Known for working on openSUSE 15.

Fedora 31 and later

Fedora 31 uses cgroup v2 by default, which does not yet support containerd runtime.Runsudo grubby --update-kernel=TODO --args="systemd.unified_cgroup_hierarchy=0"to use cgroup v1.
you may needsudo dnf install -y iptables.

CentOS 8

you may needsudo dnf install -y iptables.

CentOS 7

Adduser.max_user_namespaces=28633a/etc/sysctl.conf(o/etc/sysctl.d) and racesudo sysctl --system.
systemctl --userit doesn't work by default. Run the daemon directly without systemd:dockerd-rootless.sh --experimental --vfs storage driver
Known for working on CentOS 7.7. Older versions require additional configuration steps.
CentOS 7.6 and earlier requiredCOPR packagevbatts/shadow-utils-newxidmapTo be installed.
CentOS 7.5 and earlier must be runningsudo grubby --update-kernel=ALL --args="user_namespace.enable=1"and a subsequent reboot.

Known limitations

OnlyvfThe graphics driver is supported. However, on Ubuntu and Debian 10overlap2ycoverare also compatible.
The following features are not supported:
- Grupos C (inclDocker-Top, which depends on cgroups)
- AppArmor
- control
- overlay network
- Exposing SCTP ports
Use theRingcommand seeForward ping packets.
For information on exposing privileged TCP/UDP ports (< 1024), seeExpose privileged ports.
IP adressIt is shown inInspect dockerand is named within the RootlessKit network namespace. This means that the IP address cannot be reached from the host without it.nsenter-ing to the network namespace.
host network (Docker-Run --net=host) is also named within RootlessKit.

install

The installation script is available athttps://get.docker.com/rootless.

(Video) Hardening Docker Daemon with Rootless Mode

ps shirred ruffle-fsSLhttps://get.docker.com/rootless | Sch

Be sure to run the script as a non-root user. To install Rootless Docker as root user, read themanual installationSteps.

The script displays the required environment variables:

ps shirred ruffle-fsSLhttps://get.docker.com/rootless | Sch...# Docker binaries are installedin/start/testbenutzer/bin# WARNING: Dockerd is notinYour current PATH or pointing to /home/testuser/bin/dockrd# Make sure the following environment variables are presentadjusted to (or add them to ~/.bashrc):export PATH=/home/testuser/bin:$FARexport PATH=$RUTH:/sbinexportar DOCKER_HOST=unix:///run/user/1001/docker.sock## To control the execution of the Docker service:# systemctl--User (start | stop | restart)stevedore#

manual installation

To manually install the binaries without using the installer, extractdocker-rootless-extras-<Version>.tgzWithDocker-<Version>.tgzoutsidehttps://download.docker.com/linux/static/stable/x86_64/

If you already have the docker daemon running as root, all you have to do is extract itdocker-rootless-extras-<Version>.tgz. The file can be unzipped to any directory listed in the$RUTA. For example,/usr/local/bin,o$HOME/container.

night channel

To install an overnight version of Rootless Docker, run the install scriptCHANNEL="night":

ps shirred ruffle-fsSLhttps://get.docker.com/rootless |CANAL="night"Sch

Raw binaries are available at:

https://master.dockerproject.org/linux/x86_64/docker-rootless-extras.tgz
https://master.dockerproject.org/linux/x86_64/docker.tgz

purpose of use

evil

To usesystemctl --userTo manage the daemon's lifecycle:

ps systemctl--Userlaunch docker

To start the daemon at system boot, enable the systemd service and stay:

ps systemctl--User enablestevedoreps sudologinctl enable-staypswho I am)

To run the daemon directly without systemd, you must rundockerd-rootless.shInstead ofDockerd:

ps dockerd-rootless.sh--Experimental --Storage Controllervf

Since rootless mode is experimental, you need to run itdockerd-rootless.shCon--Experimental.

Also, you need--vfs storage controllerunless you are using Ubuntu or Debian 10kernel. You don't need to worry about these flags if you use systemd to manage the daemon, as these flags are automatically added to the systemd unit file.

Notes on directory paths:

The socket path is set to$XDG_RUNTIME_DIR/docker.sockDefault.$XDG_RUNTIME_DIRis normally set/run/user/$UID.
The data directory is configured to~/.local/share/dockerDefault.
The exec directory is configured to$XDG_RUNTIME_DIR/dockerDefault.
The daemon's configuration directory is set to~/.config/docker(No~/.docker, which is used by the client) by default.

Other observations:

Whatdockerd-rootless.shScript is runningDockerdin their own user, mount, and network namespaces. You can enter the namespaces by runningnsenter -U --preserve-credentials -n -m -t $(cat $XDG_RUNTIME_DIR/docker.pid).
Docker-Infoshowsrootlessinsecurity options
Docker-InfoshowsnoneWhatgroup c driver

Client

You must explicitly specify the socket path.

(Video) Docker rootless install and setup in Ubuntu

This is how you specify the socket path$DOCKER_HOST:

ps ExportDOCKER_HOST=unix://$XDG_RUNTIME_DIR/docker.sockps running docker-d -p8080:80

This is how you specify the socket pathdocker context:

ps Create docker context without root--Designation "for rootless mode" -- Steward "host=unix://$XDG_RUNTIME_DIR/docker.calcetín"rootlessContext "no root" created successfullyps Using the docker context without rootrootlessCurrent context is now rootlessps running docker-d -p8080:80

Recommended course of action

Docker ohne Root in Docker

To run docker without root inside the root docker, use thedocker:<version>-dind-rootlessimage insteadDocker:<Version>-dind.

ps running docker-d --Namedind-rootless--privilegeddocker: 19.03-dind-no-root--Experimental

Whatdocker:<version>-dind-rootlessThe image runs as a non-root user (UID 1000).--privilegedIt is needed to disable seccomp, AppArmor and mountmasks.

Provide the Docker API socket over TCP

To expose the docker api socket over TCP you need to start itdockerd-rootless.shConDOCKERD_ROOTLESS_ROOTLESSKIT_FLAGS="-p 0.0.0.0:2376:2376/tcp".

ps DOCKERD_ROOTLESS_ROOTLESSSKIT_FLAGS="-p 0.0.0.0:2376:2376/tcp" \dockerd-rootless.sh--Experimental \ -Htcp://0.0.0.0:2376\ --tlsverify --tlcacert=What. pem--tlscert=cert.pem--tlskey=clave.pem

Provide the Docker API socket over SSH

To expose the Docker API socket over SSH, you need to make sure that$DOCKER_HOSTset on the remote host.

ps sch-l<REMOTE USER> <REMOTE HOST>'echo $DOCKER_HOST'unix:///run/user/1001/docker.sockps stevedore-Hrun ssh://<REMOTE USER>@<REMOTE HOST> ...

Forward ping packets

In some distributionsRingit doesn't work by default.

Addnet.ipv4.ping_group_range = 0 2147483647a/etc/sysctl.conf(o/etc/sysctl.d) and racesudo sysctl --systemto allow the useRing.

Expose privileged ports

To expose privileged ports (< 1024), configureCAP_NET_BIND_SERVICEandRootlesskittracks.

ps sudoSetcapcap_net_bind_service=episode$HOUSEHOLD/bin/rootlesskit

or addnet.ipv4.ip_unprivileged_port_start=0a/etc/sysctl.conf(o/etc/sysctl.d) and racesudo sysctl --system.

resource limitation

In docker 19.03, rootless mode ignores those related to cgrouprunning dockerflags like--cpus,--Memory, --pids-limit`.

However, you can still use the traditional one.reductionyCPU glue, though they operate at process granularity rather than container granularity and can be arbitrarily disabled by the container process.

For example:

To limit CPU usage to 0.5 cores (similar todocker run --cpus 0.5):docker run <IMAGE> cpulimit --limit=50 --include-children <COMMAND>
To limit the maximum VSZ to 64 MB (similar todocker execution - memory 64m):docker run <IMAGE> sh -c "ulimit -v 65536; <COMMAND>"
(Video) How to Running Docker Containers as Non Root User? | Docker Best Practices | Docker as Non Root
To limit the maximum number of processes to 100 per namespace uid 2000 (similar todocker execute --pids-limit=100):docker run --user 2000 --from nproc=100 <IMAGE> <COMMAND>

Change network stack

dockerd-rootless.shUseslider4netns(if installed) orVPNKitby default as a network stack.

These network stacks run in user space and can have a performance overhead. consultRootlessKit DocumentationFor more information.

Optionally you can uselxc-user-nicinstead for better performancelxc-user-nic, you need to edit/etc/lxc/lxc-usernetand adjust$DOCKERD_ROOTLESS_ROOTLESSKIT_NET=lxc-user-nic.

Problem solving

Could not start docker daemon

[rootlesskit:parent] error: failed to start child: fork/exec /proc/self/exe: operation not allowed

This error occurs mainly when the value of/proc/sys/kernel/unprivileged_userns_cloneset to 0:

ps Gato/proc/sys/kernel/unprivileged_userns_clone0

To fix this problem, addkernel.unprivileged_userns_clone=1a/etc/sysctl.conf(o/etc/sysctl.d) and racesudo sysctl --system.

[rootlesskit:parent] Error: failed to start child: fork /exec /proc/self/exe: no space left on device

This error occurs mainly when the value of/proc/sys/user/max_user_namespacesit's too small:

ps Gato/proc/sys/user/max_user_namespaces0

To fix this problem, adduser.max_user_namespaces=28633a/etc/sysctl.conf(o/etc/sysctl.d) and racesudo sysctl --system.

[rootlesskit:parent] Error: failed to configure uid/gid mapping: failed to calculate uid/gid mapping: no subuid ranges found for user 1001 ("test user")

This error occurs when/etc/subidy/etc/subgidthey are not configured. Watchrequirements.

Could not get XDG_RUNTIME_DIR

This error occurs when$XDG_RUNTIME_DIRis not configured.

On a non-systemd host, you need to create a directory and then set the path:

ps ExportXDG_RUNTIME_DIR=$HOUSEHOLD/.docker/xrdps rm -rf $XDG_RUNTIME_DIRps mkdir -p $XDG_RUNTIME_DIRps dockerd-rootless.sh--Experimental

Use:You must delete the directory each time you log off.

On a systemd host, log in to the host withpam_systemd(see below). The value is automatically set to/run/user/$UIDand cleaned at each logout.

systemctl --userschlägt fehl mit „Error connecting to bus: No such file or directory“

This error mostly occurs when you switch from root user to non-root user withsudo:

# sudo -iuTestbenutzerps systemctl--Userlaunch dockerFailed to connect to bus: file or directory does not exist

(Video) Run docker command without sudo in Ubuntu | Docker for beginners #2

Instead ofsudo -iu <USERNAME>, you have to log in withpam_systemd. For example:

Log in using the graphical console
ssh <USERNAME>@localhost
machinectl shell <USERNAME>@

The daemon does not start automatically.

You needsudo loginctl enable-linger $(whoami)to start the daemon automatically. Watchpurpose of use.

Dockerdfails with "unrooted mode is only supported when running in experimental mode"

This error occurs when the daemon is started without the--Experimentalflag.seepurpose of use.

`Drag docker`error

docker: failed to register layer: error processing tar file (initial state 1): lchown <FILE>: invalid argument

This error occurs when the number of tickets available in/etc/subido/etc/subgidis not sufficient. The number of inputs required varies by image. However, 65,536 entries are enough for most images. Watchrequirements.

`running docker`error

--cpus,--Memory, y--pids-limitare ignored

This is the expected behavior in Docker 19.03. For more information, seeresource limitation.

Daemon error response: cgroups: cgroup mount point does not exist: unknown.

This error mostly occurs when the host is running on cgroup v2. see sectionFedora 31 or higherLearn how to change hosts to use cgroup v1.

network error

docker -pfails withcannot expose privileged port

docker -pfails with this error if a privileged port (< 1024) is specified as the host port.

ps running docker-p80:80 nginx: alpinoDocker: Daemon Error Response: Driver failed to schedule external connectivity at endpoint =0" (currently 1024) in /etc/sysctl.conf, or set CAP_NET_BIND_SERVICE in the rootlesskit binary, or choose a higher port number (>=1024): listen TCP 0.0.0.0:80:Tie: Permission denied.

If you encounter this error, consider using a non-privileged port instead. For example 8080 instead of 80.

ps running docker-p8080:80 nginx: alpino

For information on the exposure of privileged ports, seeExpose privileged ports.

ping is not working

Ping doesn't work when/proc/sys/net/ipv4/ping_group_rangeis set to1 0:

ps Gato/proc/sys/net/ipv4/ping_group_range1 0

For more details seeForward ping packets.

IP adressIt is shown inInspect dockeris unreachable

This is expected behavior since the daemon is named within the RootlessKit network namespace. Usedocker -pinstead of this.

(Video) Securing The Docker Daemon

--net=Hostdoes not listen on ports in host network namespace

This is expected behavior since the daemon is named within the RootlessKit network namespace. Usedocker -pinstead of this.

security,namespaces,rootless

FAQs

How to run Docker with non root user? ›

Manage Docker as a non-root user

The Docker daemon always runs as the root user. If you don't want to preface the docker command with sudo , create a Unix group called docker and add users to it. When the Docker daemon starts, it creates a Unix socket accessible by members of the docker group.

Learn More Now ›

Does Docker daemon require root privileges to run? ›

Rootless mode does not require root privileges even for installation of the Docker daemon, as long as the prerequisites are satisfied. Rootless mode was introduced in Docker Engine 19.03.

Discover More Details ›

Is it a good practice to run the container as a non root user if possible? ›

Running your containers as non-root prevents malicious code from gaining permissions in the container host and means that not just anyone who has pulled your container from the Docker Hub can gain access to everything on your server, for example.

Get More Info ›

How do I run a Docker as a specific user? ›

In the command line, you need to run docker run : To specify the user simply add the option --user <user> to change to another user when you start the docker container.

How do I become a non-root user? ›

Procedure

To create the non-root user, type the following commands: useradd -c 'Admin User' -d /home/stiguser -m -s /bin/bash stiguser passwd stiguser. ...
Edit the /etc/sudoers file. ...
Verify that the new user can log in from a remote host and use the sudo command to become a root user.

Which Docker daemon does not require root privileges to run? ›

Docker Daemon does not require root privileges to run. Application running in a VM is hidden from the host OS with the help of Hypervisor/VMM.

Discover More Details ›

What is Docker rootless vs root? ›

Rootless Docker installations require only the Docker daemon to run as root, while Docker containers operate as regular Linux users. Docker usually requires root access on the host system, creating a security risk since both the Docker container and the daemon service will operate as root.

Keep Reading ›

What is the difference between root and rootless container? ›

Rootless containers are containers that can be created, run, and otherwise managed by unprivileged users (as opposed to the root user). To be considered fully rootless, both the container runtime and the container must be running without root privileges.

Can I run Docker without admin rights? ›

While Docker Desktop on Windows can be run without having Administrator privileges, it does require them during installation. On installation the user gets a UAC prompt which allows a privileged helper service to be installed.

See Details ›

Why you should avoid running applications as root? ›

One of the key arguments to avoid running a container as root is to prevent privilege escalation. A root user inside a container can basically run every command as a root user on a traditional host system. Think of installing software packages, start services, create users, etc.

Get More Info ›

Why does Docker run as root? ›

Docker containers are designed to be accessed as root users to execute commands that non-root users can't execute. We can run a command in a running container using the docker exec. We'll use the -i and -t option of the docker exec command to get the interactive shell with TTY terminal access.

Learn More Now ›

Why is it better to use sudo instead of root? ›

With sudo in place, users no longer had to change to the root user or log into that account to run administrative commands (such as installing software). Users could run those admin activities through sudo with the same effect as if they were run from the root user account.

Know More ›

Should docker run as root or user? ›

Processes in a Docker container should not be run as root. It's safer to run your applications as a non-root user which you specify as part of your Dockerfile or when using docker run .

Learn More Now ›

What user does docker run as by default? ›

By default, a Docker Container runs as a Root user.

Get More Info ›

Can I use docker for personal use? ›

Is Docker Personal right for you? Docker Personal is free and makes Docker accessible to individuals, students, educators, non-profit organizations, and small businesses* through a full-functioned subscription offering. The Docker Personal subscription is best suited for: Individual developers.

Know More ›

How do I login as a non-root user in Linux? ›

Run the visudo command or directly edit the /etc/sudoers file with a text editor. Create a user login and password.
...
To use the sudo command, you must install the following RPMs from the AIX® Toolbox for Linux Applications website:

cyrus-sasl.
db.
gettext.
libgcc.
ncurses.
openldap.
sudo.
zlib.

Know More ›

How do I give permission to non-root user in Linux? ›

sudo (superuser do) allows you to configure non-root users to run root level commands without being root. Access can be given by the root level administrator through configuration of the /etc/sudoers file.

Read The Full Story ›

What can a non-root user do? ›

Non-root or non-administrator users can run only certain commands based on the roles and permissions assigned. Non-root or Non-Administrator users are of two types: Users with administrative privileges. Users without administrative privileges.

Find Out More ›

How to make Docker run without sudo? ›

Run Docker commands without sudo

Add the docker group if it doesn't already exist. $ sudo groupadd docker.
Add the connected user $USER to the docker group. Optionally change the username to match your preferred user. $ sudo gpasswd -a $USER docker. ...
Restart the docker daemon.

Explore More ›

How to run Docker commands without sudo? ›

By adding our Linux username to the Unix group docker, we can bypass this. When the Docker daemon starts, it creates a Unix socket accessible by the members of the docker group. Running Docker commands with the sudo command is a sound security restriction.

Learn More ›

Is rootless Docker more secure? ›

Rootless mode -- which represents a major step forward in Docker container security -- creates a less-privileged, nonroot daemon. This daemon can build a full Docker Engine and container stack without root privileges, forming a more secure environment.

How to run Docker daemon command? ›

To run the daemon you type dockerd . To run the daemon with debug output, use dockerd --debug or add "debug": true to the daemon. json file. Enable experimental features by starting dockerd with the --experimental flag or adding "experimental": true to the daemon.

Read On ›

How to run Docker daemon in Linux? ›

HTTP/HTTPS proxy

Create a systemd drop-in directory for the docker service: $ sudo mkdir -p /etc/systemd/system/docker.service.d.
Flush changes and restart Docker. $ sudo systemctl daemon-reload $ sudo systemctl restart docker.

What is the risk of running container as root? ›

Running containers as root is a bad idea for security. This has been shown time and time again. Hackers find new ways of escaping out of the container, and that grants unfettered access to the host or Kubernetes node.

Read The Full Story ›

Is it recommended to use the root account for regular use? ›

We strongly recommend that you do not use the root user for your everyday tasks, even the administrative ones. As a best practice, safeguard your root user credentials and don't use them for everyday tasks. Root user credentials are only used to perform a few account and service management tasks.

Know More ›

Is sudo safer than root? ›

Having root user privileges can be dangerous, but using sudo instead of su can help you keep your system more secure. If you are using Linux and you want your actions to be safe, you need to know and understand these two commands.

What is a non root container? ›

Rootless containers refer to the ability of a non-privileged user to create, run and manage containers. The container which will be run by a non-root user will have the entire unprivileged container runtime. We should always run containers using non-root users.

Get More Info ›

What is the difference between root user and normal user? ›

The root user in GNU/Linux is the user which has administrative access to your system. Normal users do not have this access for security reasons.

Get More Info Here ›

What is the difference between root user and sudo user? ›

Executive summary: "root" is the actual name of the administrator account. "sudo" is a command which allows ordinary users to perform administrative tasks. "Sudo" is not a user.

See Details ›

Does sudo make you root? ›

Sudo allows a system administrator to delegate authority to give certain users—or groups of users—the ability to run commands as root or another user while providing an audit trail of the commands and their arguments. Sudo is an alternative to su for running commands as root.

Read On ›

Why we should not use root user in Linux? ›

The Bad. The root is the superuser account in Unix and Linux based systems. Once we have access to the root account, we have complete system access. Because the username is always root and the access rights are unlimited, this account is the most valuable target for hackers.

Learn More Now ›

What is the default user for docker in Linux? ›

The default user in a Dockerfile is the user of the parent image. For example, if your image is derived from an image that uses a non-root user example: swuser , then RUN commands in your Dockerfile will run as swuser .

Learn More Now ›

Why is Docker no longer free? ›

For companies with more than 250 employees or more than $10 million in revenue, they must use a paid subscription. Docker officials said that this adjustment is their exploration of a sustainable business model. Docker is no longer free for everyone because the company has decided to focus on its enterprise offerings.

Know More ›

Can I still use Docker without Docker desktop? ›

Since we're installing Docker directly inside of WSL 2 you won't need Docker Desktop installed to make this work. If you previously had Docker Desktop installed you may also want to delete a few symlinks that Docker adds to WSL 2.

Tell Me More ›

Is Docker not free anymore? ›

Docker Desktop remains free for small businesses (fewer than 250 employees AND less than $10 million in annual revenue), personal use, education, and non-commercial open source projects. There is a grace period until January 31, 2022, for those that require a paid subscription to use Docker Desktop.

Can I run docker without admin rights? ›

Why is docker no longer free? ›

Learn More ›

Can I use docker desktop without signing in? ›

🔗 Yes, you can use Docker Desktop offline. However, you cannot access features that require an active internet connection. Additionally, any functionality that requires you to sign won't work while using Docker Desktop offline or in air-gapped environments.

Tell Me More ›