Support for running the Docker daemon (dockerd) as a normal user, i.e. in rootless mode, was added recently in v19.03.0-beta3. We will be exploring the following topics around it:
Later, as a continuation of this post, we will also discuss what it means for the container ecosystem, how it all works internally and how exactly it has been implemented.
We can install the latest Docker beta version in the following ways:
To install the beta version 19.03.0-beta3 of Docker on linux you can use the shell script available at
If you like to live life on the edge, you can directly use the command curl -L get.docker.com | CHANNEL=test sh to fetch the script, execute it and install the aforementioned Docker version for you.
To manually download and install the pre-compiled binaries, go to download.docker.com/[linux/mac]/static/test/x86_64/ and download the archive named
After you have downloaded the archive you will have to extract it. You can use the well-known Linux utility tar to do that for you.
Use the command tar -xvf </path/to/archive/docker-19.03.0-beta3.tgz> to extract the downloaded file, and then move the extracted files to a location in your
You can run the following commands in your terminal to do the same on Linux:
Note: if you already have Docker installed on your system, then either rename the new binaries to something other than docker and dockerd, or, if you want to replace the previous version, overwrite the existing binaries by using /usr/bin instead of /usr/local/bin in the mv command above.
On Debian-based distributions (apt), as root:
# lsb_dist="$(. /etc/os-release && echo "$ID")"
# dist_version="$(lsb_release -c 2>&1 | cut -d":" -f2 | tr -d '[:space:]')"
# echo "deb [arch=$(dpkg --print-architecture)] https://download.docker.com/linux/$lsb_dist $dist_version test" > /etc/apt/sources.list.d/docker.list
# apt update
# apt install docker-ce -y
On Fedora (dnf), as root:
# dnf config-manager --set-disabled docker-ce-*
# dnf config-manager --set-enabled docker-ce-test
# dnf makecache
# dnf install -y docker-ce
On CentOS/RHEL (yum), as root:
# yum-config-manager --disable docker-ce-*
# yum-config-manager --enable docker-ce-test
# yum makecache
# yum install -y docker-ce
Once you have installed v19.03.0-beta3, there are a few more helper utilities that need to be installed before we can run the daemon in rootless mode.
Next, download the docker-rootless-extras-19.03.0-beta3.tgz archive and extract it on your machine.
Also, make sure that you move the extracted binaries somewhere that is accessible through your shell's
$ wget https://download.docker.com/linux/static/test/x86_64/docker-rootless-extras-19.03.0-beta3.tgz
$ tar -xzvf docker-rootless-extras-19.03.0-beta3.tgz
# mv docker-rootless-extras/* /usr/local/bin/
Now to run the Docker daemon in rootless mode all you have to do is to run the following command:
$ dockerd-rootless.sh --experimental
Once done, run the following command to point your Docker CLI to the newly running rootless Docker daemon:
$ export DOCKER_HOST=unix://$XDG_RUNTIME_DIR/docker.sock
That’s all. Congratulations, you are now running the Docker daemon in rootless mode 🥳🎉🎈
$ docker image ls
REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
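The two steps above (start dockerd-rootless.sh, then export DOCKER_HOST) silently go wrong when XDG_RUNTIME_DIR is unset, because the export then becomes unix:///docker.sock. The following helper is an added example, not code from the original post or from Docker; it derives the socket path, falls back to /run/user/<uid> (the systemd-logind convention, assumed here rather than stated by the post), and refuses to point the CLI at a socket the current user does not own, such as a root-owned /var/run/docker.sock left by a conventional install.

```shell
#!/bin/sh
# Added example, not code from the original post or from Docker. Sanity checks
# for pointing the Docker CLI at a rootless daemon whose socket lives in
# $XDG_RUNTIME_DIR/docker.sock, as the post describes. The /run/user/<uid>
# fallback is the systemd-logind convention and is an assumption here.

# Resolve the runtime directory: XDG_RUNTIME_DIR when set, else /run/user/<uid>.
runtime_dir_for() {
    xdg_dir="$1"
    uid="$2"
    if [ -n "$xdg_dir" ]; then
        printf '%s\n' "$xdg_dir"
    else
        printf '/run/user/%s\n' "$uid"
    fi
}

# Build the DOCKER_HOST value for a runtime directory. Refuses an empty
# directory (which would yield unix:///docker.sock) and strips a trailing
# slash so the socket path is well formed.
rootless_docker_host() {
    dir="$1"
    [ -n "$dir" ] || return 1
    printf 'unix://%s/docker.sock\n' "${dir%/}"
}

# A rootless daemon creates its socket inside the user's runtime directory,
# owned by that user. Succeeds only for a socket the caller owns, so a
# root-owned socket from a conventional dockerd is rejected.
socket_owned_by_me() {
    sock="$1"
    [ -S "$sock" ] && [ -O "$sock" ]
}

# Usage: . ./rootless-env.sh && rootless_env_check
# Starts nothing itself; run dockerd-rootless.sh --experimental first.
# Prints the export line to run on success, a diagnostic on failure.
rootless_env_check() {
    dir=$(runtime_dir_for "${XDG_RUNTIME_DIR:-}" "$(id -u)")
    host=$(rootless_docker_host "$dir") || return 1
    sock=${host#unix://}
    if socket_owned_by_me "$sock"; then
        printf 'export DOCKER_HOST=%s\n' "$host"
        return 0
    fi
    printf 'no user-owned socket at %s; is dockerd-rootless.sh running?\n' "$sock" >&2
    return 1
}
```

Source the file and call rootless_env_check after starting the daemon; it prints the exact export line from the post when the user-owned socket is present, and a diagnostic otherwise.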
Now that we have confirmed that our CLI is properly connecting to the newly started Docker daemon, let us go ahead and confirm that it is indeed running in rootless mode. To test this, we will try to perform some administrative tasks and edit some system files that are usually owned by the root user.
Mount the host's /etc folder into the container and add a new user from within the container.
$ docker run --interactive --tty -v /etc:/etc alpine /bin/sh
/ # whoami
root
/ # adduser hacker
adduser: /etc/.ro069368192/passwd: Permission denied
Try to edit a file in the /etc folder that is readable only by the root user
/ # vi /etc/shadow
The above will simply open a blank file for you and will give a Permission denied error if you try to write to it.
The stated behaviour is expected, as we are trying to modify a file on the host system that only a true root user should be able to modify (and in some cases even read).
And since the container has been started by the rootless Docker daemon, the root user inside the container is a false root user, or rather a mapped user.
But within the container itself the mapped user will have all the expected privileges of a root user. We can confirm that by executing some commands that do not modify any file in /etc, e.g.:
/ # pwd
/
/ # touch foo
/ # ls
bin    etc    home   media  opt    root   sbin   sys    usr
dev    foo    lib    mnt    proc   run    srv    tmp    var
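The "mapped user" above is what a user namespace produces: the kernel exposes the mapping in /proc/<pid>/uid_map, one range per line in the form "<namespace-start> <host-start> <count>", and every permission check on the host is made against the host uid, not the uid the container sees. The script below is an added example, not code from the original post or from Docker. The sample map is constructed for the example and assumes the usual rootless layout (the user's own uid, 1000 here, becomes container uid 0 and a subordinate range covers the rest); the permission check is a deliberate simplification that looks only at the owner and "other" bits.

```shell
#!/bin/sh
# Added example, not code from the original post or from Docker. Shows why
# "root" inside a rootless container cannot write a root-owned host file:
# container uid 0 is translated through the user namespace's uid_map before
# the host kernel checks permissions. The map below is constructed for the
# example and assumes the typical rootless layout (own uid 1000 -> container
# root, a subordinate range for the remaining uids).
SAMPLE_UID_MAP='0 1000 1
1 100000 65536'

# Translate a namespace uid to the host uid it is mapped to. Prints the host
# uid and returns 0, or prints nothing and returns 1 if the uid is unmapped.
host_uid_for() {
    map="$1"
    ns_uid="$2"
    while read -r ns_start host_start count; do
        [ -n "$ns_start" ] || continue
        if [ "$ns_uid" -ge "$ns_start" ] && [ "$ns_uid" -lt $((ns_start + count)) ]; then
            echo $((host_start + ns_uid - ns_start))
            return 0
        fi
    done <<EOF
$map
EOF
    return 1
}

# Simplified host-side write check using the owner and "other" bits of a
# numeric octal mode (group bits are ignored for brevity). Root-owned
# /etc/passwd is mode 644, so a non-root host uid is refused, exactly the
# "Permission denied" the adduser run above produced.
host_uid_can_write() {
    owner_uid="$1"
    mode="$2"
    host_uid="$3"
    if [ "$host_uid" = "$owner_uid" ]; then
        [ $(( 0$mode & 0200 )) -ne 0 ]
    else
        [ $(( 0$mode & 0002 )) -ne 0 ]
    fi
}

# Combine both: can container uid 0 under this map write the given host file?
mapped_root_can_write() {
    map="$1"
    owner_uid="$2"
    mode="$3"
    host_uid=$(host_uid_for "$map" 0) || return 1
    host_uid_can_write "$owner_uid" "$mode" "$host_uid"
}

# Example run: with the sample map, container root is host uid 1000, so a
# file owned by host uid 0 with mode 644 stays read-only for it.
if mapped_root_can_write "$SAMPLE_UID_MAP" 0 644; then
    echo "container root could write the root-owned file (unexpected for rootless)"
else
    echo "container root maps to host uid $(host_uid_for "$SAMPLE_UID_MAP" 0); write to root-owned file refused"
fi
```

On a real system the same translation can be read from /proc/<pid>/uid_map of a container process started by the rootless daemon; the functions above accept that file's contents directly in place of SAMPLE_UID_MAP.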