Setting up Rootless Docker on Debian

Published by moxlotus on

Introduction

Docker has become one of the most popular tools in recent years, because it allows developers to deploy their applications to any machine with the same setup. Think of it like running a Java program on any machine with a JVM installed. Because of that popularity, it is also important to secure the Docker containers themselves. One of the features released by the Docker team is rootless mode, which runs the Docker daemon and its containers under an unprivileged user instead of root.

In this tutorial, I will go through how to set up Docker rootless mode the proper way on Debian.

Let's create a docker user before we start.

sudo useradd -m -s /bin/bash docker
sudo passwd docker
sudo usermod -aG sudo docker

Then log in as the newly created user docker.

Install Rootless Docker

Set up repository

sudo apt-get update && \
sudo apt-get install -y ca-certificates curl gnupg lsb-release uidmap iptables dbus-user-session fuse-overlayfs && \
curl -fsSL https://download.docker.com/linux/debian/gpg | sudo gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg && \
echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/debian $(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null

Log out and log in again after running the above command.

Install Docker Engine

sudo apt update && \
sudo apt-get install -y docker-ce docker-ce-cli containerd.io

Since we are running rootless Docker, we proceed to disable the rootful Docker daemon and its socket.

sudo systemctl disable --now docker.service docker.socket

Reboot the system after disabling them.

Install the setup script

sudo apt-get update
sudo apt-get install -y docker-ce-rootless-extras

Install Rootless Docker

Run the following as the non-root user to install rootless Docker.

dockerd-rootless-setuptool.sh install

Next, enable rootless Docker to launch on startup, and enable lingering so the user service starts without an interactive login.

systemctl --user enable docker
sudo loginctl enable-linger $(whoami)

Congratulations, you have now successfully set up rootless Docker. I will share how to expose the Docker API so that it can be managed by tools like Portainer or used by Jenkins.
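The following script is an added example (not part of the original post) that verifies the setup above actually took effect: the subordinate UID/GID ranges exist for the user, DOCKER_HOST points at the per-user socket rather than the root daemon, the daemon reports itself as rootless, and the rootful units stayed disabled. The file name verify_rootless.sh and the --run flag are my own choices; each check is a function that takes its input as arguments so it can be exercised without a live daemon.

```shell
#!/bin/sh
# verify_rootless.sh: post-install checks for rootless Docker (added example,
# not part of the original post). Pass --run for a live check of this host.

# Rootless Docker needs a subordinate UID/GID range of at least 65536 for the
# user; useradd on Debian normally allocates one in /etc/subuid and /etc/subgid.
subid_ok() {            # $1 = user, $2 = /etc/subuid or /etc/subgid
  awk -F: -v u="$1" '$1 == u { total += $3 }
                     END { if (total >= 65536) exit 0; exit 1 }' "$2"
}

# DOCKER_HOST must point at the per-user socket. If it is unset or points at
# /var/run/docker.sock, the client talks to the root daemon should it be running.
docker_host_ok() {      # $1 = DOCKER_HOST value, $2 = numeric uid
  [ "$1" = "unix:///run/user/$2/docker.sock" ]
}

# 'docker info' lists name=rootless among its SecurityOptions only when the
# daemon itself runs unprivileged; "docker info works" alone proves nothing.
info_is_rootless() {    # $1 = output of: docker info --format '{{.SecurityOptions}}'
  case "$1" in *name=rootless*) return 0 ;; *) return 1 ;; esac
}

run_checks() {
  me=$(id -un); uid=$(id -u); status=0
  subid_ok "$me" /etc/subuid || { echo "FAIL: no subuid range >= 65536 for $me"; status=1; }
  subid_ok "$me" /etc/subgid || { echo "FAIL: no subgid range >= 65536 for $me"; status=1; }
  docker_host_ok "${DOCKER_HOST:-}" "$uid" \
    || { echo "FAIL: DOCKER_HOST is '${DOCKER_HOST:-unset}', expected unix:///run/user/$uid/docker.sock"; status=1; }
  if command -v docker >/dev/null 2>&1; then
    info_is_rootless "$(docker info --format '{{.SecurityOptions}}' 2>/dev/null)" \
      || { echo "FAIL: the daemon behind DOCKER_HOST is not running rootless"; status=1; }
  fi
  # The rootful units were disabled earlier; confirm they stayed that way.
  for unit in docker.service docker.socket; do
    [ "$(systemctl is-enabled "$unit" 2>/dev/null)" != "enabled" ] \
      || { echo "FAIL: $unit is still enabled"; status=1; }
  done
  [ "$status" -eq 0 ] && echo "OK: rootless Docker setup looks consistent"
  return "$status"
}

if [ "${1:-}" = "--run" ]; then
  run_checks; exit $?
fi
```

Run it as the docker user with `sh verify_rootless.sh --run` after logging in again, since DOCKER_HOST is normally exported by the shell profile.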

If you are doing this on Ubuntu, you will need to enable cgroup v2 to avoid permission issues in some containers. Please refer to https://rootlesscontaine.rs/getting-started/common/cgroup2/

Relevant links:
https://docs.docker.com/engine/security/rootless/

Categories: Docker, Linux