Install and Run Rootless Docker Daemon

April 23, 2019    tags: docker, rootless, introduction

Support for running the Docker daemon (dockerd) as a normal user, i.e. in rootless mode, was added recently in v19.03.0-beta3. We will be exploring the following topics around it:

Later, as a continuation of this post, we will also discuss what it means for the container ecosystem, how it all works internally and how exactly it has been implemented.


We can install the latest Docker beta version in the following ways:

Automatically via the official install script

To install the beta version 19.03.0-beta3 of Docker on Linux you can use the shell script available at get.docker.com. If you like to live life on the edge you can directly run curl -L get.docker.com | CHANNEL=test sh, which fetches the script, executes it and installs the aforementioned Docker version for you.

Download and install the pre-compiled binaries

To manually download and install the pre-compiled binaries, go to download.docker.com/[linux/mac]/static/test/x86_64/ and download the archive named docker-19.03.0-beta3.tgz. After you have downloaded the archive you will have to unarchive it; the familiar Linux utility tar can do that for you. Run tar -xvf </path/to/archive/docker-19.03.0-beta3.tgz> to unarchive the downloaded file and then move the extracted files to a location in your $PATH, e.g. /usr/local/bin. You can run the following commands in your terminal to do the same on Linux:

note: if you already have Docker installed on your system, then either rename the new binaries to something other than docker and dockerd, or, if you want to replace the previous version, overwrite the existing binaries by using /usr/bin instead of /usr/local/bin in the mv command above.

Upgrade an existing installation

To upgrade a package-based installation, point your package manager at the test channel of the Docker repository and install docker-ce from it.

On Debian/Ubuntu (apt):

# lsb_dist="$(. /etc/os-release && echo "$ID")"
# dist_version="$(lsb_release -c 2>&1 | cut -d":" -f2|tr -d '[:space:]')"
# echo "deb [arch=$(dpkg --print-architecture)] https://download.docker.com/linux/$lsb_dist $dist_version test" > /etc/apt/sources.list.d/docker.list
# apt update
# apt install docker-ce -y

On Fedora (dnf):

# dnf config-manager --set-disabled docker-ce-*
# dnf config-manager --set-enabled docker-ce-test
# dnf makecache
# dnf install -y docker-ce

On CentOS/RHEL (yum):

# yum-config-manager --disable docker-ce-*
# yum-config-manager --enable docker-ce-test
# yum makecache
# yum install -y docker-ce

Once you have installed v19.03.0-beta3 there are a few more helper utilities that we need to install before we can run the daemon in rootless mode. Next, download the docker-rootless-extras-19.03.0-beta3.tgz archive and unarchive it on your machine. Also, make sure that you move the unarchived binaries somewhere that is accessible through your shell's PATH variable:

$ wget https://download.docker.com/linux/static/test/x86_64/docker-rootless-extras-19.03.0-beta3.tgz
$ tar -xzvf docker-rootless-extras-19.03.0-beta3.tgz
# mv docker-rootless-extras/* /usr/local/bin/

Now to run the Docker daemon in rootless mode all you have to do is to run the following command:

$ dockerd-rootless.sh --experimental

Once done, run the following command to point your Docker CLI to the newly running rootless Docker daemon:

$ export DOCKER_HOST=unix://$XDG_RUNTIME_DIR/docker.sock

That’s all. Congratulations, you are now running Docker Daemon in rootless mode 🥳🎉🎈

Verify that the CLI can reach the new daemon:

$ docker image ls
REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE

Now that we have confirmed that our CLI is properly connecting to the newly started Docker daemon, let us go ahead and confirm that it is indeed running in rootless mode. To test this, we will try to perform some administrative tasks and edit some system files that are usually owned by the root user.

  • Let’s try to mount the /etc folder into the container and add a new user from within the container:

$ docker run --interactive --tty -v /etc:/etc alpine /bin/sh
/ # whoami
root
/ # adduser hacker
adduser: /etc/.ro069368192/passwd: Permission denied

  • Let’s try to open a file in the mounted /etc folder that is readable only by the root user:

/ # vi /etc/shadow

The above will simply open a blank file and will give a Permission denied error if you try to write to it.

The stated behaviour is expected, as we are trying to modify a file on the host system that only a true root user should be able to modify (and, in some cases, even read). Since the container has been started by the rootless Docker daemon, the root user inside the container is a false root user, i.e. a mapped user. Within the container itself, however, the mapped user has all the privileges you would expect of root. We can confirm that by executing some commands that do not modify any file in /etc, e.g.:

/ # pwd
/
/ # touch foo
/ # ls
bin    etc    home   media  opt    root   sbin   sys    usr
dev    foo    lib    mnt    proc   run    srv    tmp    var
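To confirm the "mapped user" explanation above from the defender's side, read the kernel's uid_map for the daemon instead of trusting whoami inside the container. This is an added example, not code from the original post; it assumes pidof and awk are available, and the host uid 1000 and the subuid range in the sample maps are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): decide whether a process's
# "root" is a real root or a user mapped through a user namespace, the way
# rootless dockerd maps container uid 0 onto the unprivileged host user.
#
# Each line of /proc/<pid>/uid_map reads:  <uid inside ns> <uid on host> <count>
#   real root, no user namespace:              0 0 4294967295
#   rootless dockerd (assumed host uid 1000):  0 1000 1
#                                              1 100000 65536   (subuid range)

# host_uid_for MAP INSIDE_UID: print the host uid backing INSIDE_UID,
# or nothing when the map does not cover it.
host_uid_for() {
    printf '%s\n' "$1" | awk -v want="$2" '
        NF == 3 && want >= $1 && want < $1 + $3 { print $2 + (want - $1); exit }'
}

# is_mapped_root MAP: exit 0 when uid 0 inside the namespace is backed by a
# non-root host uid, i.e. the process only holds a "false root".
is_mapped_root() {
    host=$(host_uid_for "$1" 0)
    [ -n "$host" ] && [ "$host" -ne 0 ]
}

# daemon_is_rootless: apply the check to the dockerd running on this host.
# Exit 0 = rootless, 1 = real root, 2 = no dockerd found (assumes pidof).
daemon_is_rootless() {
    pid=$(pidof dockerd 2>/dev/null | awk '{ print $1 }')
    [ -n "$pid" ] || return 2
    is_mapped_root "$(cat "/proc/$pid/uid_map")"
}

# Constructed sample maps for a stand-alone self-check (not captured from a host).
REAL_ROOT_MAP='0 0 4294967295'
ROOTLESS_MAP='0 1000 1
1 100000 65536'

if [ "${1:-}" = "--self-test" ]; then
    is_mapped_root "$ROOTLESS_MAP"  && echo "sample rootless map: mapped (false) root"
    is_mapped_root "$REAL_ROOT_MAP" || echo "sample root map: real root"
fi
```

Run it as ./check.sh --self-test for the sample maps, or call daemon_is_rootless on a host where dockerd-rootless.sh is running.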

bonus:

Make rootless Docker daemon your default Docker service
