The rootless mode allows running `dockerd` as an unprivileged user, using `user_namespaces(7)`, `mount_namespaces(7)` and `network_namespaces(7)`. The daemon, and therefore every container it runs, holds only that user's privileges on the host, so a container escape or a compromise of the daemon does not by itself yield root.

No SETUID/SETCAP binary is required except `newuidmap` and `newgidmap`, which are set-UID root only so that they can write the `uid_map` and `gid_map` of the daemon's user namespace from the ranges configured in `/etc/subuid` and `/etc/subgid`.
Requirements:
* `newuidmap` and `newgidmap` need to be installed on the host. These commands are provided by the `uidmap` package on most distros.
* `/etc/subuid` and `/etc/subgid` should contain >= 65536 sub-IDs for the user, e.g. `penguin:231072:65536`. These sub-IDs are the host UIDs/GIDs that container users are mapped onto, so the range should not overlap another user's range.

```console
$ id -u
1001
$ whoami
penguin
$ grep ^$(whoami): /etc/subuid
penguin:231072:65536
$ grep ^$(whoami): /etc/subgid
penguin:231072:65536
```
Distribution-specific hints (which of these apply depends on the distro's kernel and packages):
* `sudo sh -c "echo 1 > /proc/sys/kernel/unprivileged_userns_clone"` is required on distros whose kernel ships with unprivileged user namespace creation disabled.
* `sudo modprobe ip_tables iptable_mangle iptable_nat iptable_filter` is required where these modules are not loaded automatically. (This is likely to be required on many distros.)
* `sudo sh -c "echo 28633 > /proc/sys/user/max_user_namespaces"` is required where `user.max_user_namespaces` defaults to 0.
* `vbatts/shadow-utils-newxidmap` needs to be installed where the distro's shadow-utils package does not provide `newuidmap` and `newgidmap`.
Restrictions:
* Only the `vfs` graphdriver is supported. However, on Ubuntu and a few distros, `overlay2` and `overlay` are also supported.
* Cgroups are not available (this includes `docker top`, which depends on the cgroups device controller), so per-container resource limits are not enforced.

Usage:
You need to run `dockerd-rootless.sh` instead of `dockerd`.
```console
$ dockerd-rootless.sh --experimental --userland-proxy --userland-proxy-path=$(which rootlesskit-docker-proxy)
```
As Rootless mode is experimental per se, currently you always need to run `dockerd-rootless.sh` with `--experimental`. Also, to expose ports, you need to set `--userland-proxy-path` to the path of the `rootlesskit-docker-proxy` binary: the daemon lives in its own network namespace and cannot program the host's iptables, so published ports are forwarded from the host by this proxy instead.
Remarks:
* The socket path is set to `$XDG_RUNTIME_DIR/docker.sock` by default. `$XDG_RUNTIME_DIR` is typically set to `/run/user/$UID`.
* The data dir is set to `~/.local/share/docker` by default.
* The exec dir is set to `$XDG_RUNTIME_DIR/docker` by default.
* The daemon config dir is set to `~/.config/docker` (not `~/.docker`, which is used by the client) by default.
* The `dockerd-rootless.sh` script executes `dockerd` in its own user, mount, and network namespaces. You can enter the namespaces by running `nsenter -U --preserve-credentials -n -m -t $(cat $XDG_RUNTIME_DIR/docker.pid)`. Inside them you appear as root, but `--preserve-credentials` keeps your real UID/GID, so you still hold no host privileges.
Client:
You can just use the upstream Docker client but you need to set the socket path explicitly.

```console
$ docker -H unix://$XDG_RUNTIME_DIR/docker.sock run -d nginx
```
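As an added example (not part of the Docker project and not code from this page), the following helper locates the rootless socket for the current user and only exports `DOCKER_HOST`, which the client honours in place of `-H`, once it has confirmed that the socket is really a unix socket owned by you and not group- or world-writable; anyone who can write to that socket controls all of your containers. The function names (`rootless_socket_path`, `socket_is_private`, `mode_is_private`, `docker_env`) are this example's own, and it assumes Linux with a `stat` that accepts `-c`.

```shell
#!/bin/sh
# rootless-env.sh: find the rootless dockerd socket for the current user and
# refuse to use it unless it is private to us. Added example, not a script from
# the Docker project. Assumes Linux and GNU/BusyBox stat(1) with -c.

# rootless_socket_path: the daemon's default socket, falling back to
# /run/user/UID when XDG_RUNTIME_DIR is unset (common in plain ssh sessions).
rootless_socket_path() {
    dir=${XDG_RUNTIME_DIR:-/run/user/$(id -u)}
    printf '%s\n' "$dir/docker.sock"
}

# mode_is_private OCTAL: succeed if the group and other write bits are clear.
# Accepts stat's %a output (e.g. 600, 660, 1777); pads to four octal digits.
mode_is_private() {
    m=$1
    while [ ${#m} -lt 4 ]; do m=0$m; done
    g=$(printf '%s' "$m" | cut -c3)
    o=$(printf '%s' "$m" | cut -c4)
    [ $((g & 2)) -eq 0 ] && [ $((o & 2)) -eq 0 ]
}

# socket_is_private PATH: succeed if PATH is a unix socket owned by the current
# user with no group/other write access. Whoever can write to this socket can
# start arbitrary containers as you, so treat it like a private key.
socket_is_private() {
    [ -S "$1" ] || return 1
    set -- "$1" $(stat -c '%u %a' "$1")   # $2 = owner UID, $3 = octal mode
    [ "$2" = "$(id -u)" ] && mode_is_private "$3"
}

# docker_env: print an export line for eval, or fail with a hint on stderr.
docker_env() {
    sock=$(rootless_socket_path)
    if socket_is_private "$sock"; then
        printf 'export DOCKER_HOST=unix://%s\n' "$sock"
    else
        echo "# $sock is missing, not a socket, or not private; is dockerd-rootless.sh running?" >&2
        return 1
    fi
}

case "${1:-}" in --env) docker_env ;; esac
```

Run `eval "$(./rootless-env.sh --env)"` once per shell; every subsequent `docker` command then talks to the rootless daemon without `-H`.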
Routing ping packets:
To route ping packets, you need to set up `net.ipv4.ping_group_range` properly as the root. This is a host-wide setting: the range below lets every group on the host open unprivileged ICMP echo sockets, so narrow it to the GID(s) that actually run rootless daemons if that matters on your host.

```console
$ sudo sh -c "echo 0 2147483647 > /proc/sys/net/ipv4/ping_group_range"
```
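The preflight script below is an added example, not a script shipped by the Docker project: it checks the requirements, the distribution-specific hints and the `ping_group_range` setting from this page for the current user before `dockerd-rootless.sh` is started. It goes one step beyond the page by also checking that no two ranges in `/etc/subuid` or `/etc/subgid` overlap, since overlapping ranges let one user's containers run as host UIDs that belong to another user. All function names are the example's own; it assumes Linux with procfs and a `stat` that accepts `-c`, and `/proc/sys/kernel/unprivileged_userns_clone` is only checked when the kernel provides it.

```shell
#!/bin/sh
# rootless-preflight.sh: check the prerequisites listed on this page before
# starting dockerd-rootless.sh. Added example, not part of the Docker project.
# Assumes Linux with procfs and GNU/BusyBox stat(1) with -c.

MIN_SUBIDS=65536
rc=0

# subid_count USER: read /etc/subuid-style lines from stdin and print the
# total number of sub-IDs granted to USER (0 if there is no entry).
subid_count() {
    awk -F: -v u="$1" '
        /^#/ || NF < 3 { next }
        $1 == u        { n += $3 }
        END            { print n + 0 }'
}

# subid_enough USER: succeed if stdin grants USER at least MIN_SUBIDS IDs.
subid_enough() {
    [ "$(subid_count "$1")" -ge "$MIN_SUBIDS" ]
}

# subid_disjoint: succeed if no two ranges on stdin overlap. Overlapping ranges
# mean container root in one user's daemon maps to the same host UID as another
# user's containers, which defeats the isolation rootless mode is meant to buy.
subid_disjoint() {
    awk -F: '
        /^#/ || NF < 3 { next }
        { n++; u[n] = $1; s[n] = $2 + 0; e[n] = $2 + $3 }
        END {
            bad = 0
            for (i = 1; i <= n; i++)
                for (j = i + 1; j <= n; j++)
                    if (s[i] < e[j] && s[j] < e[i]) {
                        print u[i] " and " u[j] " share sub-IDs: " s[i] "-" (e[i] - 1) " vs " s[j] "-" (e[j] - 1)
                        bad = 1
                    }
            exit bad
        }'
}

# sysctl_is FILE VALUE: succeed if the procfs file exists and holds exactly VALUE.
sysctl_is() {
    [ -r "$1" ] && [ "$(cat "$1")" = "$2" ]
}

# gid_in_ping_range GID "MIN MAX": succeed if GID lies inside a ping_group_range
# value. The kernel default "1 0" is an empty range: no group may open the
# unprivileged ICMP echo socket that ping needs inside the daemon's namespace.
gid_in_ping_range() {
    set -- "$1" $2
    [ "$1" -ge "$2" ] && [ "$1" -le "$3" ]
}

# setuid_root_helper NAME: succeed if NAME is on PATH and is set-UID root. That
# bit is what lets newuidmap/newgidmap write uid_map/gid_map for a user namespace.
setuid_root_helper() {
    p=$(command -v "$1") && [ -u "$p" ] && [ "$(stat -c %u "$p")" = 0 ]
}

# check DESCRIPTION CMD...: run CMD, print PASS/FAIL, remember any failure.
check() {
    desc=$1; shift
    if "$@"; then echo "PASS: $desc"; else echo "FAIL: $desc"; rc=1; fi
}

# preflight: run every check against the live host for the current user.
preflight() {
    me=$(id -un)
    for h in newuidmap newgidmap; do
        check "$h is installed and set-UID root" setuid_root_helper "$h"
    done
    for f in /etc/subuid /etc/subgid; do
        if [ -r "$f" ]; then
            check "$f grants $me >= $MIN_SUBIDS IDs" subid_enough "$me" < "$f"
            check "$f ranges are disjoint" subid_disjoint < "$f"
        else
            echo "FAIL: $f is missing or unreadable"; rc=1
        fi
    done
    f=/proc/sys/kernel/unprivileged_userns_clone   # only some kernels have it
    [ -e "$f" ] && check "$f is 1" sysctl_is "$f" 1
    check "user.max_user_namespaces is non-zero" \
        sh -c '[ "$(cat /proc/sys/user/max_user_namespaces)" -gt 0 ]'
    check "ip_tables is loaded" [ -e /proc/net/ip_tables_names ]
    check "ping_group_range includes GID $(id -g)" \
        gid_in_ping_range "$(id -g)" "$(cat /proc/sys/net/ipv4/ping_group_range)"
    return $rc
}

case "${1:-}" in --run) preflight ;; esac
```

Run it as `./rootless-preflight.sh --run` as the user that will own the daemon; each FAIL line maps to one of the requirements or hints above, and the exit status is non-zero if anything failed, so it can gate a provisioning step.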