On a typical installation, the Docker daemon manages all the containers and controls every aspect of the container lifecycle. Older versions of Docker required that the daemon be started by a user with root privileges, so anyone who needed to control or configure Docker had to be given full access to the machine; a vulnerability in the daemon, or a user who could talk to its socket, was effectively root on the host. Rootless mode allows running the Docker daemon and containers as a non-root user, to mitigate potential vulnerabilities in the daemon and the container runtime.
Rootless mode does not require root privileges even during the installation of the Docker daemon, as long as the prerequisites are met. Rootless mode was introduced in Docker Engine v19.03 as an experimental feature and graduated from experimental in Docker Engine v20.10.
How does it work?
Rootless mode executes the Docker daemon and containers inside a user namespace. This is very similar to userns-remap mode, except that with userns-remap mode the daemon itself is running with root privileges, whereas in rootless mode both the daemon and the containers are running without root privileges.
Rootless mode does not use binaries with SETUID bits or file capabilities, except newuidmap and newgidmap, which are needed to allow multiple UIDs/GIDs to be used in the user namespace: they write the subordinate ranges granted to your user in /etc/subuid and /etc/subgid into the new namespace's uid_map and gid_map, so that UID 0 inside a container is your own unprivileged UID on the host and the remaining container UIDs land in that subordinate range.
New to RedisInsight?
A full-featured pure desktop GUI client, RedisInsight is an intuitive and efficient GUI for Redis, allowing you to interact with your databases and manage your data, with built-in support for most popular Redis modules. It is a free Redis GUI tool that analyses memory, profiles the performance of your database, and guides you toward better Redis usage. It is available for Windows, macOS, and Linux and is fully compatible with Redis Enterprise. It works with any cloud provider as long as you run it on a host with network access to your cloud-based Redis server. RedisInsight makes it easy to discover cloud databases and configure connection details with a single click. It allows you to automatically add Redis Enterprise Software and Redis Enterprise Cloud databases too.
Starting with the v1.6 release, the RedisInsight Docker image no longer runs its process as root inside the container, in line with best practices for containers. That is a separate layer from Docker's rootless mode: the image decides which user RedisInsight runs as inside the container, while rootless mode decides whether the daemon and the container runtime themselves run as root on the host. Let us see how to run the RedisInsight Docker container under a rootless daemon, so that both layers are unprivileged.
Install Docker
$ sudo curl -sSL https://get.docker.com/ | sh
Note that the sudo here applies only to curl; the script itself escalates with sudo for the package-installation steps that need it. Either way it ends up running as root, so on anything but a throwaway machine download the script first and read it before executing it.
Ensure that the newuidmap and newgidmap CLI tools are installed on your host system. These commands are provided by the uidmap package on most distros:
$ sudo apt install uidmap
Running Docker as a non-privileged user
The install script ends by printing the following guidance on the two ways to let a non-root user use Docker. The warning at the end is the whole point of this post: handing a user access to the socket of a privileged (rootful) daemon is the same as handing that user root on the host, which is exactly what rootless mode avoids.
To run Docker as a non-privileged user, consider setting up the Docker daemon in rootless mode for your user:
dockerd-rootless-setuptool.sh install
Visit https://docs.docker.com/go/rootless/ to learn about rootless mode.
To run the Docker daemon as a fully privileged service, but granting non-root users access, refer to https://docs.docker.com/go/daemon-access/
WARNING: Access to the remote API on a privileged Docker daemon is equivalent to root access on the host. Refer to the 'Docker daemon attack surface' documentation for details: https://docs.docker.com/go/attack-surface/
If you installed Docker 20.10 or later with RPM/DEB packages, you should have dockerd-rootless-setuptool.sh in /usr/bin. Run dockerd-rootless-setuptool.sh install as a non-root user to set up the daemon:
$ dockerd-rootless-setuptool.sh install
May 31 05:06:06 ubuntu-rootless dockerd-rootless.sh[4298]: time="2021-05-31T05:06:06.409523458Z" level=warning msg="Your kernel does not support cgroup blkio weight_device"
May 31 05:06:06 ubuntu-rootless dockerd-rootless.sh[4298]: time="2021-05-31T05:06:06.409747732Z" level=info msg="Loading containers: start."
May 31 05:06:06 ubuntu-rootless dockerd-rootless.sh[4298]: time="2021-05-31T05:06:06.491803304Z" level=info msg="Default bridge (docker0) is assigned with an IP address 172.17.0.0/16. Daemon option --bip can be used to set a preferred IP address"
May 31 05:06:06 ubuntu-rootless dockerd-rootless.sh[4298]: time="2021-05-31T05:06:06.545120353Z" level=info msg="Loading containers: done."
May 31 05:06:06 ubuntu-rootless dockerd-rootless.sh[4298]: time="2021-05-31T05:06:06.556912719Z" level=warning msg="Not using native diff for overlay2, this may cause degraded performance for building images: running in a user namespace" storage-driver=overlay2
May 31 05:06:06 ubuntu-rootless dockerd-rootless.sh[4298]: time="2021-05-31T05:06:06.557189864Z" level=info msg="Docker daemon" commit=8728dd2 graphdriver(s)=overlay2 version=20.10.6
May 31 05:06:06 ubuntu-rootless dockerd-rootless.sh[4298]: time="2021-05-31T05:06:06.557347334Z" level=info msg="Daemon has completed initialization"
May 31 05:06:06 ubuntu-rootless dockerd-rootless.sh[4298]: time="2021-05-31T05:06:06.590839318Z" level=info msg="API listen on /run/user/1003/docker.sock"
+ DOCKER_HOST=unix:///run/user/1003/docker.sock /usr/bin/docker version
Client: Docker Engine - Community
Version: 20.10.6
API version: 1.41
Go version: go1.13.15
Git commit: 370c289
Built: Fri Apr 9 22:48:16 2021
OS/Arch: linux/amd64
Context: default
Experimental: true
Server: Docker Engine - Community
Engine:
Version: 20.10.6
API version: 1.41 (minimum version 1.12)
Go version: go1.13.15
Git commit: 8728dd2
Built: Fri Apr 9 22:46:27 2021
OS/Arch: linux/amd64
Experimental: false
containerd:
Version: 1.4.6
GitCommit: d71fcd7d8303cbf684402823e425e9dd2e99285d
runc:
Version: 1.0.0-rc95
GitCommit: b9ee9c6314599f1b4a7f497e1f1f856fe433d3b7
docker-init:
Version: 0.19.0
GitCommit: de40ad0
+ systemctl --user enable docker.service
Created symlink /home/ajeet_raina/.config/systemd/user/default.target.wants/docker.service → /home/ajeet_raina/.config/systemd/user/docker.service.
[INFO] Installed docker.service successfully.
[INFO] To control docker.service, run: `systemctl --user (start|stop|restart) docker.service`
[INFO] To run docker.service on system startup, run: `sudo loginctl enable-linger ajeet_raina`
[INFO] Creating CLI context "rootless"
Successfully created context "rootless"
[INFO] Make sure the following environment variables are set (or add them to ~/.bashrc):
export PATH=/usr/bin:$PATH
export DOCKER_HOST=unix:///run/user/1003/docker.sock
If dockerd-rootless-setuptool.sh is not present, you may need to install the docker-ce-rootless-extras package manually with your distribution's package manager.
Make sure the following environment variables are set (or add them to ~/.bashrc). The socket path contains your numeric UID (1003 for the user in this walkthrough), so substitute the output of id -u on your own machine; the setup tool prints the correct values for you, as seen above:
export PATH=/usr/bin:$PATH
export DOCKER_HOST=unix:///run/user/1003/docker.sock
The systemd unit file is installed as ~/.config/systemd/user/docker.service. Use systemctl --user to manage the lifecycle of the daemon:
$ systemctl --user start docker
$ systemctl --user enable docker
A user service only runs while that user has a session. To keep the daemon up across logouts and reboots, enable lingering for the user as the setup tool suggested (sudo loginctl enable-linger ajeet_raina); this is the one step in the whole procedure that needs sudo.
Instead of the environment variable, you can select the daemon through the CLI context the setup tool created:
docker context use rootless
rootless
Current context is now "rootless"
Warning: DOCKER_HOST environment variable overrides the active context. To use "rootless", either set the global --context flag, or unset DOCKER_HOST environment variable.
The warning is not cosmetic: while DOCKER_HOST is exported, the CLI ignores the active context entirely, so pick one mechanism. If you keep the export from the previous step, the context switch does nothing; if you prefer contexts, unset DOCKER_HOST. Either way, confirm with docker context ls (or docker info) that the CLI is talking to the socket under /run/user before you start containers, because a CLI that falls back to the default /var/run/docker.sock would run your container on a rootful daemon if one exists on the host and your user can reach it.
Running RedisInsight in a Docker container
ajeet_raina@ubuntu-rootless:~$ docker run -d -v redisinsight:/db -p 8001:8001 redislabs/redisinsight:latest
Unable to find image 'redislabs/redisinsight:latest' locally
latest: Pulling from redislabs/redisinsight
bd8f6a7501cc: Pull complete
44718e6d535d: Pull complete
efe9738af0cb: Pull complete
f37aabde37b8: Pull complete
3923d444ed05: Pull complete
a389cd00f6ac: Pull complete
635fef62bb79: Pull complete
d620e4e17484: Pull complete
e2ee94785e13: Pull complete
48b3e278075c: Pull complete
100ed91c31ae: Pull complete
55c329231ae6: Pull complete
96d8432c61ad: Pull complete
1ed83d76beb2: Pull complete
b9f7ffeff2f8: Pull complete
Digest: sha256:fd4bff16761308521952e802e1ac1fcafb0d78088c508cf3762754aa954c7009
Status: Downloaded newer image for redislabs/redisinsight:latest
e3e60f1a06066af7d990464788d64b2e7e837dddd00fbc2a473aafd5ec51a0c4
ajeet_raina@ubuntu-rootless:~$ docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
e3e60f1a0606 redislabs/redisinsight:latest "bash ./docker-entry…" About a minute ago Up About a minute 0.0.0.0:8001->8001/tcp, :::8001->8001/tcp musing_pike
ajeet_raina@ubuntu-rootless:~$
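With the container up, it is worth verifying both layers discussed above rather than trusting the setup tool's output: that the daemon the CLI is talking to is the rootless one, and that "root" inside the container is an unprivileged host UID. The following POSIX shell script is an added example and is not part of the original post or of Docker's or RedisInsight's tooling. It parses the uid_map format described in user_namespaces(7) and the SecurityOptions list printed by docker info; the sample strings at the top are constructed for illustration (host UID 1003 and a subordinate range starting at 100000 are assumptions that mirror the walkthrough), and the live mode, run as ./check_rootless.sh --live musing_pike, assumes a reachable daemon and the container name shown in docker ps.

```shell
#!/bin/sh
# Added example (not from the original post): verify that a Docker daemon is
# rootless and that container root is an unprivileged host UID.
#
# Constructed samples, not captured output. The UID 1003 and the subordinate
# range 100000-165535 mirror the walkthrough and are assumptions.
SAMPLE_ROOTFUL_MAP='0 0 4294967295'
SAMPLE_ROOTLESS_MAP='0 1003 1
1 100000 65536'
SAMPLE_REMAP_MAP='0 100000 65536'
SAMPLE_INFO_ROOTLESS='[name=seccomp,profile=default name=rootless name=cgroupns]'
SAMPLE_INFO_ROOTFUL='[name=apparmor name=seccomp,profile=default]'

# Print the host UID that inside-UID 0 maps to, given the contents of
# /proc/self/uid_map as read from inside the container. Each line is
# "inside-start outside-start count"; only the line covering UID 0 matters.
uid0_host_owner() {
  printf '%s\n' "$1" | awk 'NF >= 2 && $1 == 0 { print $2; exit }'
}

# Classify the mapping in one line of text.
classify_uid_map() {
  owner=$(uid0_host_owner "$1")
  if [ -z "$owner" ]; then
    echo "unknown: no mapping for UID 0"
  elif [ "$owner" = "0" ]; then
    echo "rootful: container root is host root"
  else
    echo "confined: container root is host UID $owner"
  fi
}

# Return 0 if the SecurityOptions list from `docker info` advertises
# rootless mode; the daemon reports it as the token "name=rootless".
daemon_is_rootless() {
  case "$1" in
    *name=rootless*) return 0 ;;
    *) return 1 ;;
  esac
}

# Live mode: query the daemon selected by DOCKER_HOST / the active context and
# inspect the uid_map a running container sees for itself.
live_check() {
  container=$1
  opts=$(docker info --format '{{.SecurityOptions}}') || return 2
  if daemon_is_rootless "$opts"; then
    echo "daemon: rootless ($opts)"
  else
    echo "daemon: NOT rootless ($opts)"
  fi
  # Read the map from inside the container. Under a rootless daemon the outside
  # column is the daemon owner's UID followed by its subordinate range; under a
  # rootful daemon without userns-remap it is "0 0 4294967295".
  map=$(docker exec "$container" cat /proc/self/uid_map) || return 2
  printf '%s\n' "$map"
  classify_uid_map "$map"
}

# Without arguments, run the classifier over the constructed samples.
if [ "${1:-}" = "--live" ]; then
  live_check "${2:?container name required}"
else
  for m in "$SAMPLE_ROOTFUL_MAP" "$SAMPLE_REMAP_MAP" "$SAMPLE_ROOTLESS_MAP"; do
    classify_uid_map "$m"
  done
fi
```

Two related things the docker ps output above shows. The PORTS column reads 0.0.0.0:8001->8001/tcp: a rootless daemon does not change where a published port listens, so if RedisInsight is only needed on this machine, publish it as -p 127.0.0.1:8001:8001 instead. And 8001 is above 1024; in rootless mode ports below that cannot be published without lowering net.ipv4.ip_unprivileged_port_start, which is one of the few places where the unprivileged daemon is visibly more restricted than a rootful one.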
What’s Next?
- Getting Started with RedisInsight
- Visualize Redis database keys using RedisInsight Browser Tool
- Debugging Redis using RedisInsight Slowlog Tool
- Reduce Redis Memory usage using RedisInsight Memory Analyzer Tool
- Manage Your Redis Cluster using RedisInsight Cluster Management Tool
- Using Redis Streams with RedisInsight