
On a typical installation, the Docker daemon manages all the containers and controls every aspect of the container lifecycle. Older versions of Docker required that the daemon be started by a user with root privileges, which meant giving users full access to a machine in order to control and configure Docker; this exposed potential security risks. Rootless mode allows running the Docker daemon and containers as a non-root user, to mitigate potential vulnerabilities in the daemon and the container runtime.

Rootless mode does not require root privileges even during the installation of the Docker daemon, as long as the prerequisites are met. Rootless mode was introduced in Docker Engine v19.03 as an experimental feature. Rootless mode graduated from experimental in Docker Engine v20.10.

How does it work?

Rootless mode executes the Docker daemon and containers inside a user namespace. This is very similar to userns-remap mode, except that with userns-remap mode, the daemon itself is running with root privileges, whereas in rootless mode, both the daemon and the container are running without root privileges.

Rootless mode does not use binaries with SETUID bits or file capabilities, except newuidmap and newgidmap, which are needed to allow multiple UIDs/GIDs to be used in the user namespace.

New to RedisInsight?

RedisInsight is a full-featured desktop GUI client for Redis: an intuitive and efficient tool for interacting with your databases and managing your data, with built-in support for the most popular Redis modules. It is a 100% free Redis GUI that lets you analyse memory and profile the performance of your database, and it guides you toward better Redis usage. It is available for Windows, macOS, and Linux and is fully compatible with Redis Enterprise. It works with any cloud provider as long as you run it on a host with network access to your cloud-based Redis server. RedisInsight makes it easy to discover cloud databases and configure connection details with a single click, and it can automatically add Redis Enterprise Software and Redis Enterprise Cloud databases too.

Starting with the v1.6 release, the RedisInsight Docker container runs rootless, in line with best practices for containers. Let us see how to run the RedisInsight Docker container in rootless mode.

Install Docker

$ sudo curl -sSL https://get.docker.com/ | sh

Ensure that you have newuidmap and newgidmap CLI installed on your host system. These commands are provided by the uidmap package on most distros.
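The paragraph above names the prerequisites that rootless mode depends on: the newuidmap/newgidmap helpers, a subordinate UID/GID range for the user in /etc/subuid and /etc/subgid, and a kernel that allows unprivileged user namespaces. The following preflight script is an added example (not part of the original post or of Docker's own tooling) that checks all three before you run the setup tool. The function names, the report format and the sample /etc/subuid text are this example's own; the 65,536-ID minimum is the size the Docker rootless documentation asks for.

```shell
#!/bin/sh
# Preflight check for rootless Docker prerequisites (added example, not Docker's code).
#   1. newuidmap/newgidmap are installed (provided by the uidmap package),
#   2. the user owns at least 65536 subordinate IDs in /etc/subuid and /etc/subgid,
#   3. the kernel permits unprivileged user namespaces.

# subid_range_ok USER FILE_CONTENT [MIN]
# FILE_CONTENT is the text of an /etc/subuid or /etc/subgid file. Returns 0 when
# the lines for USER add up to at least MIN IDs (default 65536). Parsing works on
# the text passed in, so it can be exercised on constructed input.
subid_range_ok() {
    user="$1"; content="$2"; min="${3:-65536}"
    total=$(printf '%s\n' "$content" | awk -F: -v u="$user" '
        $1 == u && $3 ~ /^[0-9]+$/ { sum += $3 }
        END { print sum + 0 }')
    [ "$total" -ge "$min" ]
}

# helper_present NAME -> 0 when NAME is executable via PATH
helper_present() {
    command -v "$1" >/dev/null 2>&1
}

# userns_enabled -> 0 when unprivileged user namespaces appear to be allowed.
# Debian/Ubuntu expose an explicit toggle; other kernels only expose the limit.
userns_enabled() {
    if [ -r /proc/sys/kernel/unprivileged_userns_clone ]; then
        [ "$(cat /proc/sys/kernel/unprivileged_userns_clone)" = "1" ] || return 1
    fi
    if [ -r /proc/sys/user/max_user_namespaces ]; then
        [ "$(cat /proc/sys/user/max_user_namespaces)" -gt 0 ] || return 1
    fi
    return 0
}

# check_rootless_prereqs [USER] -> prints a report, returns 0 only if all checks pass
check_rootless_prereqs() {
    user="${1:-$(id -un)}"; rc=0
    for h in newuidmap newgidmap; do
        if helper_present "$h"; then
            echo "ok:   $h found"
        else
            echo "FAIL: $h missing (install the uidmap package)"; rc=1
        fi
    done
    for f in /etc/subuid /etc/subgid; do
        if [ -r "$f" ] && subid_range_ok "$user" "$(cat "$f")"; then
            echo "ok:   $user has >=65536 IDs in $f"
        else
            echo "FAIL: $user lacks a 65536-ID range in $f"; rc=1
        fi
    done
    if userns_enabled; then
        echo "ok:   unprivileged user namespaces enabled"
    else
        echo "FAIL: unprivileged user namespaces disabled"; rc=1
    fi
    return $rc
}

# Constructed sample /etc/subuid contents, used only to demonstrate the parser.
SAMPLE_SUBUID='root:100000:65536
ajeet_raina:165536:65536
short:231072:1000'

# Live usage: check_rootless_prereqs "$(id -un)"
```

Run check_rootless_prereqs as the user who will own the daemon, before invoking dockerd-rootless-setuptool.sh install; a missing subordinate range is the most common reason the setup tool fails, and it must be fixed in /etc/subuid and /etc/subgid by an administrator.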

Running Docker as a non-privileged user

To run Docker as a non-privileged user, consider setting up the Docker daemon in rootless mode for your user:

dockerd-rootless-setuptool.sh install

Visit https://docs.docker.com/go/rootless/ to learn about rootless mode.

To run the Docker daemon as a fully privileged service, but granting non-root users access, refer to https://docs.docker.com/go/daemon-access/

WARNING: Access to the remote API on a privileged Docker daemon is equivalent to root access on the host. Refer to the 'Docker daemon attack surface' documentation for details: https://docs.docker.com/go/attack-surface/

$ sudo apt install uidmap

If you installed Docker 20.10 or later with RPM/DEB packages, you should have dockerd-rootless-setuptool.sh in /usr/bin. Run dockerd-rootless-setuptool.sh install as a non-root user to set up the daemon:

$ dockerd-rootless-setuptool.sh install
May 31 05:06:06 ubuntu-rootless dockerd-rootless.sh[4298]: time="2021-05-31T05:06:06.409523458Z" level=warning msg="Your kernel does not support cgroup blkio weight_device"
May 31 05:06:06 ubuntu-rootless dockerd-rootless.sh[4298]: time="2021-05-31T05:06:06.409747732Z" level=info msg="Loading containers: start."
May 31 05:06:06 ubuntu-rootless dockerd-rootless.sh[4298]: time="2021-05-31T05:06:06.491803304Z" level=info msg="Default bridge (docker0) is assigned with an IP address 172.17.0.0/16. Daemon option --bip can be used to set a preferred IP address"
May 31 05:06:06 ubuntu-rootless dockerd-rootless.sh[4298]: time="2021-05-31T05:06:06.545120353Z" level=info msg="Loading containers: done."
May 31 05:06:06 ubuntu-rootless dockerd-rootless.sh[4298]: time="2021-05-31T05:06:06.556912719Z" level=warning msg="Not using native diff for overlay2, this may cause degraded performance for building images: running in a user namespace" storage-driver=overlay2
May 31 05:06:06 ubuntu-rootless dockerd-rootless.sh[4298]: time="2021-05-31T05:06:06.557189864Z" level=info msg="Docker daemon" commit=8728dd2 graphdriver(s)=overlay2 version=20.10.6
May 31 05:06:06 ubuntu-rootless dockerd-rootless.sh[4298]: time="2021-05-31T05:06:06.557347334Z" level=info msg="Daemon has completed initialization"
May 31 05:06:06 ubuntu-rootless dockerd-rootless.sh[4298]: time="2021-05-31T05:06:06.590839318Z" level=info msg="API listen on /run/user/1003/docker.sock"
+ DOCKER_HOST=unix:///run/user/1003/docker.sock /usr/bin/docker version
Client: Docker Engine - Community
 Version:           20.10.6
 API version:       1.41
 Go version:        go1.13.15
 Git commit:        370c289
 Built:             Fri Apr  9 22:48:16 2021
 OS/Arch:           linux/amd64
 Context:           default
 Experimental:      true
Server: Docker Engine - Community
 Engine:
  Version:          20.10.6
  API version:      1.41 (minimum version 1.12)
  Go version:       go1.13.15
  Git commit:       8728dd2
  Built:            Fri Apr  9 22:46:27 2021
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          1.4.6
  GitCommit:        d71fcd7d8303cbf684402823e425e9dd2e99285d
 runc:
  Version:          1.0.0-rc95
  GitCommit:        b9ee9c6314599f1b4a7f497e1f1f856fe433d3b7
 docker-init:
  Version:          0.19.0
  GitCommit:        de40ad0
+ systemctl --user enable docker.service
Created symlink /home/ajeet_raina/.config/systemd/user/default.target.wants/docker.service → /home/ajeet_raina/.config/systemd/user/docker.service.
[INFO] Installed docker.service successfully.
[INFO] To control docker.service, run: `systemctl --user (start|stop|restart) docker.service`
[INFO] To run docker.service on system startup, run: `sudo loginctl enable-linger ajeet_raina`
[INFO] Creating CLI context "rootless"
Successfully created context "rootless"
[INFO] Make sure the following environment variables are set (or add them to ~/.bashrc):
export PATH=/usr/bin:$PATH
export DOCKER_HOST=unix:///run/user/1003/docker.sock

If dockerd-rootless-setuptool.sh is not present, you may need to install the docker-ce-rootless-extras package manually, e.g.,

Make sure the following environment variables are set (or add them to ~/.bashrc):

export PATH=/usr/bin:$PATH
export DOCKER_HOST=unix:///run/user/1003/docker.sock

The systemd unit file is installed as ~/.config/systemd/user/docker.service.

Use systemctl --user to manage the lifecycle of the daemon:

$ systemctl --user start docker
$ systemctl --user enable docker

To specify the CLI context using docker context:

$ docker context use rootless
rootless
Current context is now "rootless"
Warning: DOCKER_HOST environment variable overrides the active context. To use "rootless", either set the global --context flag, or unset DOCKER_HOST environment variable.

Running RedisInsight in a Docker container

ajeet_raina@ubuntu-rootless:~$ docker run -d -v redisinsight:/db -p 8001:8001 redislabs/redisinsight:latest
Unable to find image 'redislabs/redisinsight:latest' locally
latest: Pulling from redislabs/redisinsight
bd8f6a7501cc: Pull complete 
44718e6d535d: Pull complete 
efe9738af0cb: Pull complete 
f37aabde37b8: Pull complete 
3923d444ed05: Pull complete 
a389cd00f6ac: Pull complete 
635fef62bb79: Pull complete 
d620e4e17484: Pull complete 
e2ee94785e13: Pull complete 
48b3e278075c: Pull complete 
100ed91c31ae: Pull complete 
55c329231ae6: Pull complete 
96d8432c61ad: Pull complete 
1ed83d76beb2: Pull complete 
b9f7ffeff2f8: Pull complete 
Digest: sha256:fd4bff16761308521952e802e1ac1fcafb0d78088c508cf3762754aa954c7009
Status: Downloaded newer image for redislabs/redisinsight:latest
e3e60f1a06066af7d990464788d64b2e7e837dddd00fbc2a473aafd5ec51a0c4
ajeet_raina@ubuntu-rootless:~$ docker ps
CONTAINER ID   IMAGE                           COMMAND                  CREATED              STATUS              PORTS                                       NAMES
e3e60f1a0606   redislabs/redisinsight:latest   "bash ./docker-entry…"   About a minute ago   Up About a minute   0.0.0.0:8001->8001/tcp, :::8001->8001/tcp   musing_pike
ajeet_raina@ubuntu-rootless:~$ 
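The session above ends with the container up, but nothing yet confirms that it is actually running under the rootless daemon rather than a system-wide one reachable through a stale DOCKER_HOST. The script below is an added example (not from the original post, Docker or Redis) that verifies the three properties rootless mode is meant to provide: the CLI endpoint is the per-user socket printed by the setup tool, the daemon advertises name=rootless among its security options, and the container's processes are owned on the host by the unprivileged user even though they see themselves as root inside. It assumes Docker 20.10-style output from docker info and docker context inspect, and a procps-style ps; the function names and report format are this example's own.

```shell
#!/bin/sh
# Post-install verification for rootless Docker (added example, not Docker's code).
# Assumptions: `docker info --format '{{.SecurityOptions}}'` lists "name=rootless"
# for a rootless daemon, the per-user socket lives at /run/user/<uid>/docker.sock,
# and `ps -o uid=` prints the numeric owner of a process.

# effective_endpoint DOCKER_HOST CONTEXT_HOST
# Mirrors the warning printed by `docker context use`: a non-empty DOCKER_HOST
# variable takes precedence over the active context's endpoint.
effective_endpoint() {
    if [ -n "$1" ]; then printf '%s\n' "$1"; else printf '%s\n' "$2"; fi
}

# user_socket_ok ENDPOINT UID -> 0 when ENDPOINT is the rootless per-user socket
user_socket_ok() {
    [ "$1" = "unix:///run/user/$2/docker.sock" ]
}

# daemon_is_rootless OPTS
# OPTS is the text of `docker info --format '{{.SecurityOptions}}'`, for example
# "[name=seccomp,profile=default name=rootless name=cgroupns]".
daemon_is_rootless() {
    for o in $(printf '%s' "$1" | tr -d '[]'); do
        [ "$o" = "name=rootless" ] && return 0
    done
    return 1
}

# container_host_uid CONTAINER -> prints the host UID that owns the container's PID 1
container_host_uid() {
    pid=$(docker inspect --format '{{.State.Pid}}' "$1") || return 1
    ps -o uid= -p "$pid" | tr -d ' '
}

# verify_rootless [CONTAINER] -> prints a report; returns 0 only if every check passes
verify_rootless() {
    c="$1"; myuid=$(id -u); rc=0
    # Template path for the context endpoint is an assumption of this example.
    ctx_host=$(docker context inspect --format '{{.Endpoints.docker.Host}}' 2>/dev/null)
    ep=$(effective_endpoint "$DOCKER_HOST" "$ctx_host")
    if user_socket_ok "$ep" "$myuid"; then
        echo "ok:   endpoint $ep"
    else
        echo "FAIL: endpoint $ep is not the per-user socket for uid $myuid"; rc=1
    fi
    opts=$(docker info --format '{{.SecurityOptions}}' 2>/dev/null) \
        || { echo "FAIL: cannot query the daemon at $ep"; return 1; }
    if daemon_is_rootless "$opts"; then
        echo "ok:   daemon reports name=rootless"
    else
        echo "FAIL: daemon security options are $opts"; rc=1
    fi
    if [ -n "$c" ]; then
        inside=$(docker exec "$c" id -u 2>/dev/null || echo '?')
        host=$(container_host_uid "$c" || echo '?')
        if [ "$host" = "$myuid" ]; then
            echo "ok:   container $c: uid $inside inside, uid $host on the host"
        else
            echo "FAIL: container $c runs as host uid $host, expected $myuid"; rc=1
        fi
    fi
    return $rc
}

# Live usage against the container started above: verify_rootless musing_pike
```

The last check is the one that matters for the security claim: inside the RedisInsight container the entrypoint may report uid 0, but on the host the same process must be owned by the unprivileged user (1003 in the session above), which is what the user namespace mapping guarantees. If the endpoint check fails while the daemon check passes, the usual cause is the DOCKER_HOST override that docker context use warns about.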

Ajeet Raina