Setting up Rootless Docker on Debian
Introduction
Docker has become one of the most popular tools in recent years, because it lets developers deploy their applications to any machine with the same setup. Think of it like running a Java program on any machine with a JVM installed. Because of this popularity, it is also important to secure Docker containers. One of the features the Docker team released is rootless mode, which runs the Docker daemon and its containers as an unprivileged user rather than as root.
In this tutorial, I will go through how to set up Docker rootless mode properly on Debian.
Let's create a docker user before we start:
sudo useradd -m -s /bin/bash docker
sudo passwd docker
sudo usermod -aG sudo docker
and log in as the newly created user docker.
Install Rootless Docker
Set up repository
sudo apt-get update && \
sudo apt-get install -y ca-certificates curl gnupg lsb-release uidmap iptables dbus-user-session fuse-overlayfs && \
curl -fsSL https://download.docker.com/linux/debian/gpg | sudo gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg && \
echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/debian $(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
Log in again after running the above commands.
Install Docker Engine
sudo apt update && \
sudo apt-get install -y docker-ce docker-ce-cli containerd.io
Since we are running rootless Docker, we disable the rootful daemon:
sudo systemctl disable --now docker.service docker.socket
Reboot the system after disabling it.
Install the setup script
sudo apt-get update
sudo apt-get install -y docker-ce-rootless-extras
Install Rootless Docker
Run the following as the non-root user to install rootless Docker:
dockerd-rootless-setuptool.sh install
Next, enable rootless Docker to launch on startup:
systemctl --user enable docker
sudo loginctl enable-linger $(whoami)
Congratulations, you have now successfully set up rootless Docker. I will share how to expose the Docker API so that it can be managed by tools like Portainer or used by Jenkins.
If you are doing this on Ubuntu, you will need to enable cgroup v2 to avoid permission issues in some containers. Please refer to https://rootlesscontaine.rs/getting-started/common/cgroup2/
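Once the steps above are done (and the cgroup v2 note has been handled where it applies), it is worth confirming that the daemon you are talking to is actually the rootless one and that the rootful service is really out of the picture. The script below is an added example written for this post, not code from the post or from the Docker project. It assumes the docker CLI is on the docker user's PATH, that the rootless daemon's socket lives at $XDG_RUNTIME_DIR/docker.sock (the default for dockerd-rootless-setuptool.sh), and that the host is Linux with systemd.

```sh
#!/bin/sh
# Post-install checks for a rootless Docker setup (added example, not from the post).
# Assumptions not stated in the post: docker CLI on PATH for the docker user, rootless
# daemon socket at $XDG_RUNTIME_DIR/docker.sock, systemd present, Linux /sys/fs/cgroup.

# 0 if a "docker info --format '{{.SecurityOptions}}'" string shows rootless mode.
is_rootless_info() {
    case "$1" in
        *name=rootless*) return 0 ;;
        *) return 1 ;;
    esac
}

# 0 if a "systemctl is-enabled docker.service" result means the rootful daemon
# will not come back on boot.
rootful_disabled() {
    case "$1" in
        disabled|masked|not-found) return 0 ;;
        *) return 1 ;;
    esac
}

# 0 if the filesystem type reported for /sys/fs/cgroup is the unified (v2) hierarchy.
is_cgroup2() {
    [ "$1" = "cgroup2fs" ]
}

# Socket path the rootless daemon is expected to use for a given runtime directory.
rootless_socket_path() {
    printf '%s/docker.sock\n' "$1"
}

# Live checks against this host; prints one line per check, returns 1 if any failed.
run_checks() {
    status=0
    runtime_dir="${XDG_RUNTIME_DIR:-/run/user/$(id -u)}"

    if [ "$(id -u)" -eq 0 ]; then
        echo "FAIL: run these checks as the unprivileged docker user, not as root"
        status=1
    fi

    if command -v docker >/dev/null 2>&1; then
        secopts=$(docker info --format '{{.SecurityOptions}}' 2>/dev/null)
        if is_rootless_info "$secopts"; then
            echo "OK:   daemon reports rootless mode ($secopts)"
        else
            echo "FAIL: daemon not reachable or not rootless ($secopts)"
            status=1
        fi
    else
        echo "SKIP: docker CLI not on PATH"
    fi

    sock=$(rootless_socket_path "$runtime_dir")
    if [ -S "$sock" ]; then
        echo "OK:   rootless socket present at $sock"
    else
        echo "FAIL: no socket at $sock (check 'systemctl --user status docker')"
        status=1
    fi

    if command -v systemctl >/dev/null 2>&1; then
        # is-enabled exits non-zero for disabled/masked units; we only want its output.
        rootful=$(systemctl is-enabled docker.service 2>/dev/null || true)
        if rootful_disabled "${rootful:-not-found}"; then
            echo "OK:   rootful docker.service is ${rootful:-not-found}"
        else
            echo "FAIL: rootful docker.service is still '$rootful'"
            status=1
        fi
    fi

    if is_cgroup2 "$(stat -fc %T /sys/fs/cgroup 2>/dev/null)"; then
        echo "OK:   cgroup v2 unified hierarchy in use"
    else
        echo "WARN: cgroup v2 not detected; resource limits may fail in rootless mode"
    fi

    return "$status"
}

run_checks || echo "one or more rootless Docker checks failed" >&2
```

Run it as the docker user after the reboot; every line should read OK (the cgroup line may be WARN on a host still on cgroup v1, which is the case the Ubuntu note above addresses). A FAIL on the rootful service line means `systemctl disable --now docker.service docker.socket` did not stick, and a FAIL on the SecurityOptions line means the CLI is reaching a daemon that is not the rootless one, typically because DOCKER_HOST still points at /var/run/docker.sock.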
Relevant links:
https://docs.docker.com/engine/security/rootless/