Step-by-Step Docker Rootless Setup for Enhanced Container Security


Docker Rootless is a feature that allows users to run Docker as a non-root user, providing a more secure way to use Docker on Linux systems. By default, Docker requires root privileges to run, which means that any process running inside the Docker container also has root privileges. This can be a security risk if the container is compromised or if there are vulnerabilities in the container software. With rootless installation, Docker operates in rootless mode, offering real isolation and reducing the chances of security problems.

💡 You can find the automated Docker rootless installation script at the end of the article.

Limitations of Docker rootless

Docker rootless mode does not support all Docker features and capabilities that are available in the normal Docker root mode. Certain advanced features, such as managing network interfaces, mounting host volumes, and accessing certain system resources, may be restricted or not available in rootless mode. This means that some functionalities requiring full permissions are not accessible, and the rootless mode focuses more on isolation and reducing security risks. The Docker daemon and containers in rootless mode also have limitations regarding network and external IP configurations.

Prerequisites

To set up Docker in rootless mode, you need to meet several prerequisites. The rootless install script will prompt you to install any missing packages. This setup was tested on Ubuntu 22.04 LTS; in my case, the uidmap and iptables packages were required. Understanding these prerequisites ensures a smooth installation and operation of Docker in rootless mode.

Installing Docker rootless step by step

Installing Docker in rootless mode is very simple. We can curl the Docker rootless installation script and pipe it to the shell directly so the installation starts. This can be done with a single command. The installation process ensures that Docker operates without root access, mitigating potential security problems:

curl -fsSL https://get.docker.com/rootless | sh

This will install the docker binary in the $HOME/bin/ directory. By default, we will not be able to execute docker without using the full path, as this directory is not in PATH, the environment variable on Unix-like operating systems that lists the directories the shell searches for executable programs.

To get rid of this issue, we can export the path at shell login by appending a single line to ~/.bashrc, a shell script that the Bash shell executes every time a new interactive shell session is started for a user.

You can edit the file with any text editor such as vi or nano, e.g. nano ~/.bashrc, and add the following line:

export PATH=$HOME/bin:$PATH

We also have to add the Docker rootless socket location to the same file so the docker client can locate the daemon:

export XDG_RUNTIME_DIR=$HOME/.docker/run
export PATH=$HOME/.local/bin:$PATH
export DOCKER_HOST=unix:///run/user/$(id -u)/docker.sock

Now save the file, log out of the shell and log in again; you should then be able to run docker without the full path. You can verify this by executing

docker version

It's also a good idea to check whether the Docker user service is running:

systemctl --user status docker

If everything was installed correctly, the status of the service should be active.
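Checking that the service is active only proves that something started; it does not prove that the docker client is talking to the rootless daemon rather than to a root-owned socket. The script below is an added example and is not part of the original article or of Docker's own tooling. It assumes the docker CLI is on PATH, that DOCKER_HOST has been exported as described above, and that pgrep is available. The helper functions take their input as arguments or on stdin, so they can be run on constructed values without Docker installed; the live check runs only when the script is invoked with --check (an option name chosen for this example).

```shell
#!/bin/sh
# Added example (not from the original article): verify that the docker
# client really talks to a rootless daemon after the setup above.
# Assumptions: docker CLI on PATH, DOCKER_HOST exported from ~/.bashrc,
# pgrep available, a running user-level dockerd.

# The socket a rootless daemon listens on for a given uid.
rootless_socket_for_uid() {
    printf 'unix:///run/user/%s/docker.sock' "$1"
}

# Returns 0 if DOCKER_HOST ($1) points at the rootless socket of uid $2.
# Runs of slashes after "unix:" are collapsed first, so the "unix:////run/..."
# spelling that shows up in copied snippets compares equal to the canonical
# form, while the root daemon's /var/run/docker.sock does not.
docker_host_is_rootless() {
    host=$(printf '%s' "$1" | sed 's#unix:/*#unix:///#')
    [ "$host" = "$(rootless_socket_for_uid "$2")" ]
}

# Returns 0 if the output of `docker info --format '{{.SecurityOptions}}'`
# read from stdin advertises rootless mode (reported as "name=rootless").
security_options_report_rootless() {
    grep -q 'name=rootless'
}

# Live check against the running daemon. Prints each finding and returns 1
# on any failure, so it can gate a provisioning pipeline.
verify_rootless_setup() {
    uid=$(id -u)
    status=0
    if ! docker_host_is_rootless "${DOCKER_HOST:-}" "$uid"; then
        echo "[-] DOCKER_HOST is '${DOCKER_HOST:-unset}', expected $(rootless_socket_for_uid "$uid")"
        status=1
    fi
    sock="/run/user/$uid/docker.sock"
    if [ ! -S "$sock" ]; then
        echo "[-] rootless socket $sock does not exist (is the user service running?)"
        status=1
    fi
    # The daemon process itself must belong to this user, not to root.
    if ! pgrep -u "$uid" -x dockerd > /dev/null; then
        echo "[-] no dockerd process is running as uid $uid"
        status=1
    fi
    if ! docker info --format '{{.SecurityOptions}}' 2>/dev/null | security_options_report_rootless; then
        echo "[-] daemon does not advertise rootless in its security options"
        status=1
    fi
    if [ "$status" -eq 0 ]; then
        echo "[+] rootless Docker setup looks correct"
    fi
    return "$status"
}

# Run the live check only when asked, so the helpers can be sourced or
# exercised without Docker present.
if [ "${1:-}" = "--check" ]; then
    verify_rootless_setup
fi
```

Run it as ./verify-rootless.sh --check after logging back in. A DOCKER_HOST that resolves to /var/run/docker.sock is the case worth catching: the commands would still succeed, but through the root daemon, which is exactly what the rootless setup was meant to avoid.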

For reference, you can check the official Docker rootless setup article:

Run the Docker daemon as a non-root user (Rootless mode)

Putting everything together

All steps can be automated using a single bash script.

Create a file, e.g. docker-rootless-install.sh, and add the following:

#!/bin/bash
# Install Docker in rootless mode, then make the client find the binary and
# the per-user socket by appending the exports to ~/.bashrc (only once).

# INSTALL DOCKER ROOTLESS
if ! curl -fsSL https://get.docker.com/rootless | sh; then
        echo "[-] Docker rootless installation failed"
        exit 1
fi

# SET UP THE VARIABLES IN .BASHRC
USER_BASH_RC="$HOME/.bashrc"
touch "$USER_BASH_RC"

# Append a line to ~/.bashrc unless an identical line is already present.
# grep -F compares the line literally, so the $ characters are not treated
# as regex anchors, and -q keeps the check silent.
append_once() {
        if ! grep -qF -- "$1" "$USER_BASH_RC"; then
                echo "$1" | tee -a "$USER_BASH_RC"
        fi
}

append_once 'export PATH=$HOME/bin:$PATH'
# On a systemd host XDG_RUNTIME_DIR is already /run/user/<uid>; the install
# script only asks for this override when systemd is not available.
append_once 'export XDG_RUNTIME_DIR=$HOME/.docker/run'
append_once 'export DOCKER_HOST=unix:///run/user/$(id -u)/docker.sock'

# CHECK THAT THE USER-LEVEL DOCKER SERVICE IS ACTIVE
if systemctl --user is-active docker > /dev/null; then
        echo "Docker service is running"
else
        echo "Docker service is not running"
fi

Finally, assign the execute permission and run the script:

chmod +x docker-rootless-install.sh && ./docker-rootless-install.sh

Docker rootless opens up new possibilities for users who want to harness the power of containerization without the need for administrative privileges. By following the necessary prerequisites and successfully installing Docker in rootless mode, you can now leverage the benefits of containerization in a secure and controlled manner.
