On a typical installation, the Docker daemon manages all the containers and controls every aspect of the container lifecycle. Older versions of Docker required the daemon to be started by a user with root privileges, so controlling and configuring Docker meant giving users full access to the machine, which exposed potential security risks. Rootless mode allows running the Docker daemon and containers as a non-root user to mitigate potential vulnerabilities in the daemon and the container runtime.
Rootless mode does not require root privileges even during the installation of the Docker daemon, as long as the prerequisites are met. Rootless mode was introduced in Docker Engine v19.03 as an experimental feature. Rootless mode graduated from experimental in Docker Engine v20.10.
How does it work?
Rootless mode executes the Docker daemon and containers inside a user namespace. This is very similar to userns-remap mode, except that with userns-remap mode, the daemon itself is running with root privileges, whereas in rootless mode, both the daemon and the container are running without root privileges.
Rootless mode does not use binaries with SETUID bits or file capabilities, except newuidmap and newgidmap, which are needed to allow multiple UIDs/GIDs to be used in the user namespace.
New to RedisInsight?
A full-featured, pure desktop GUI client, RedisInsight is an intuitive and efficient GUI for Redis that lets you interact with your databases and manage your data, with built-in support for the most popular Redis modules. It is a 100% free Redis GUI tool for analysing memory, profiling the performance of your database, and guiding you toward better Redis usage. It is available for Windows, macOS, and Linux and is fully compatible with Redis Enterprise. It works with any cloud provider as long as you run it on a host with network access to your cloud-based Redis server. RedisInsight makes it easy to discover cloud databases and configure connection details with a single click. It can also automatically add Redis Enterprise Software and Redis Enterprise Cloud databases.
Starting with the v1.6 release, the RedisInsight Docker container is rootless, in line with best practices for containers. Let us see how to run the RedisInsight Docker container in rootless mode.
$ sudo curl -sSL https://get.docker.com/ | sh
Ensure that you have the newuidmap and newgidmap CLI tools installed on your host system. These commands are provided by the uidmap package on most distros.
Running Docker as a non-privileged user
To run Docker as a non-privileged user, consider setting up the Docker daemon in rootless mode for your user:
Visit https://docs.docker.com/go/rootless/ to learn about rootless mode.
To run the Docker daemon as a fully privileged service, but granting non-root users access, refer to https://docs.docker.com/go/daemon-access/
WARNING: Access to the remote API on a privileged Docker daemon is equivalent to root access on the host. Refer to the ‘Docker daemon attack surface’ documentation for details: https://docs.docker.com/go/attack-surface/
$ sudo apt install uidmap
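A prerequisite check for the step above, as an added example that is not part of the original article. It assumes the usual name:first_id:count format of /etc/subuid and /etc/subgid and the 65,536-ID minimum from Docker's rootless documentation; the function names are hypothetical.

```sh
#!/bin/sh
# Added example (not from the original article): rootless-mode prerequisite check.

# Total subordinate IDs granted to a user in an /etc/subuid-style file.
# Lines have the form  name:first_id:count ; a user may own several ranges.
subid_count() {   # $1 = user name, $2 = file
    [ -r "$2" ] || { echo 0; return 0; }
    awk -F: -v u="$1" '$1 == u { n += $3 } END { print n + 0 }' "$2"
}

# 65,536 is the minimum Docker documents for rootless mode.
has_enough_subids() {   # $1 = user name, $2 = file
    [ "$(subid_count "$1" "$2")" -ge 65536 ]
}

# newuidmap/newgidmap write the ID maps on the user's behalf, so each
# needs the setuid bit or file capabilities.
helper_privileged() {   # $1 = path to helper binary
    [ -x "$1" ] || return 1
    [ -u "$1" ] && return 0
    command -v getcap >/dev/null 2>&1 && [ -n "$(getcap "$1" 2>/dev/null)" ]
}

check_rootless_prereqs() {   # $1 = user name
    rc=0
    for f in /etc/subuid /etc/subgid; do
        has_enough_subids "$1" "$f" || { echo "FAIL: $1 has <65536 IDs in $f"; rc=1; }
    done
    for h in newuidmap newgidmap; do
        p=$(command -v "$h" 2>/dev/null) || p=""
        helper_privileged "$p" || { echo "FAIL: $h missing or unprivileged"; rc=1; }
    done
    return $rc
}

# Report on the current host; findings are printed, never fatal.
check_rootless_prereqs "$(id -un)" || true
```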
If you installed Docker 20.10 or later with RPM/DEB packages, you should have dockerd-rootless-setuptool.sh available. Run dockerd-rootless-setuptool.sh install as a non-root user to set up the daemon:
$ dockerd-rootless-setuptool.sh install
May 31 05:06:06 ubuntu-rootless dockerd-rootless.sh: time="2021-05-31T05:06:06.409523458Z" level=warning msg="Your kernel does not support cgroup blkio weight_device"
May 31 05:06:06 ubuntu-rootless dockerd-rootless.sh: time="2021-05-31T05:06:06.409747732Z" level=info msg="Loading containers: start."
May 31 05:06:06 ubuntu-rootless dockerd-rootless.sh: time="2021-05-31T05:06:06.491803304Z" level=info msg="Default bridge (docker0) is assigned with an IP address 172.17.0.0/16. Daemon option --bip can be used to set a preferred IP address"
May 31 05:06:06 ubuntu-rootless dockerd-rootless.sh: time="2021-05-31T05:06:06.545120353Z" level=info msg="Loading containers: done."
May 31 05:06:06 ubuntu-rootless dockerd-rootless.sh: time="2021-05-31T05:06:06.556912719Z" level=warning msg="Not using native diff for overlay2, this may cause degraded performance for building images: running in a user namespace" storage-driver=overlay2
May 31 05:06:06 ubuntu-rootless dockerd-rootless.sh: time="2021-05-31T05:06:06.557189864Z" level=info msg="Docker daemon" commit=8728dd2 graphdriver(s)=overlay2 version=20.10.6
May 31 05:06:06 ubuntu-rootless dockerd-rootless.sh: time="2021-05-31T05:06:06.557347334Z" level=info msg="Daemon has completed initialization"
May 31 05:06:06 ubuntu-rootless dockerd-rootless.sh: time="2021-05-31T05:06:06.590839318Z" level=info msg="API listen on /run/user/1003/docker.sock"
+ DOCKER_HOST=unix:///run/user/1003/docker.sock /usr/bin/docker version
Client: Docker Engine - Community
 Version: 20.10.6
 API version: 1.41
 Go version: go1.13.15
 Git commit: 370c289
 Built: Fri Apr 9 22:48:16 2021
 OS/Arch: linux/amd64
 Context: default
 Experimental: true
Server: Docker Engine - Community
 Engine:
  Version: 20.10.6
  API version: 1.41 (minimum version 1.12)
  Go version: go1.13.15
  Git commit: 8728dd2
  Built: Fri Apr 9 22:46:27 2021
  OS/Arch: linux/amd64
  Experimental: false
 containerd:
  Version: 1.4.6
  GitCommit: d71fcd7d8303cbf684402823e425e9dd2e99285d
 runc:
  Version: 1.0.0-rc95
  GitCommit: b9ee9c6314599f1b4a7f497e1f1f856fe433d3b7
 docker-init:
  Version: 0.19.0
  GitCommit: de40ad0
+ systemctl --user enable docker.service
Created symlink /home/ajeet_raina/.config/systemd/user/default.target.wants/docker.service → /home/ajeet_raina/.config/systemd/user/docker.service.
[INFO] Installed docker.service successfully.
[INFO] To control docker.service, run: `systemctl --user (start|stop|restart) docker.service`
[INFO] To run docker.service on system startup, run: `sudo loginctl enable-linger ajeet_raina`
[INFO] Creating CLI context "rootless"
Successfully created context "rootless"
[INFO] Make sure the following environment variables are set (or add them to ~/.bashrc):
export PATH=/usr/bin:$PATH
export DOCKER_HOST=unix:///run/user/1003/docker.sock
If dockerd-rootless-setuptool.sh is not present, you may need to install the docker-ce-rootless-extras package manually, e.g.,
Make sure the following environment variables are set (or add them to ~/.bashrc):
export PATH=/usr/bin:$PATH
export DOCKER_HOST=unix:///run/user/1003/docker.sock
The systemd unit file is installed as ~/.config/systemd/user/docker.service. Use systemctl --user to manage the lifecycle of the daemon:
$ systemctl --user start docker
$ systemctl --user enable docker
To specify the CLI context using docker context:
$ docker context use rootless
rootless
Current context is now "rootless"
Warning: DOCKER_HOST environment variable overrides the active context. To use "rootless", either set the global --context flag, or unset DOCKER_HOST environment variable.
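The warning above means the CLI can keep talking to a different daemon even after the context switch. The following check, an added example that is not part of the original article, resolves the endpoint the CLI will actually use and confirms that the daemon reports rootless mode; the function names are hypothetical, and it assumes the rootless socket lives at /run/user/<uid>/docker.sock as in the session above.

```sh
#!/bin/sh
# Added example: is the docker CLI really talking to the rootless daemon?

# DOCKER_HOST overrides the active context (see the CLI warning above).
effective_endpoint() {   # $1 = DOCKER_HOST value (may be empty), $2 = context endpoint
    if [ -n "$1" ]; then printf '%s\n' "$1"; else printf '%s\n' "$2"; fi
}

# Assumption: the rootless socket is /run/user/<uid>/docker.sock.
is_user_socket() {   # $1 = endpoint, $2 = numeric uid
    [ "$1" = "unix:///run/user/$2/docker.sock" ]
}

# A rootless daemon lists name=rootless among its security options.
reports_rootless() {   # $1 = output of: docker info --format '{{.SecurityOptions}}'
    case " $(printf '%s' "$1" | tr -d '[]') " in
        *" name=rootless "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Live check against the local CLI; call it on a host with Docker installed.
verify_rootless_cli() {
    ctx=$(docker context inspect --format '{{.Endpoints.docker.Host}}') || return 2
    ep=$(effective_endpoint "${DOCKER_HOST:-}" "$ctx")
    opts=$(docker info --format '{{.SecurityOptions}}') || return 2
    is_user_socket "$ep" "$(id -u)" && reports_rootless "$opts"
}

# Constructed inputs modelled on the session above (uid 1003).
demo_ep=$(effective_endpoint '' 'unix:///run/user/1003/docker.sock')
if is_user_socket "$demo_ep" 1003 &&
   reports_rootless '[name=seccomp,profile=default name=rootless]'; then
    echo "OK: $demo_ep is a rootless daemon"
fi
```

Run verify_rootless_cli before starting containers; a non-zero status means the CLI is pointed at a socket outside the user's runtime directory or at a daemon that does not report rootless mode.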
Running RedisInsight in a Docker container
ajeet_raina@ubuntu-rootless:~$ docker run -d -v redisinsight:/db -p 8001:8001 redislabs/redisinsight:latest
Unable to find image 'redislabs/redisinsight:latest' locally
latest: Pulling from redislabs/redisinsight
bd8f6a7501cc: Pull complete
44718e6d535d: Pull complete
efe9738af0cb: Pull complete
f37aabde37b8: Pull complete
3923d444ed05: Pull complete
a389cd00f6ac: Pull complete
635fef62bb79: Pull complete
d620e4e17484: Pull complete
e2ee94785e13: Pull complete
48b3e278075c: Pull complete
100ed91c31ae: Pull complete
55c329231ae6: Pull complete
96d8432c61ad: Pull complete
1ed83d76beb2: Pull complete
b9f7ffeff2f8: Pull complete
Digest: sha256:fd4bff16761308521952e802e1ac1fcafb0d78088c508cf3762754aa954c7009
Status: Downloaded newer image for redislabs/redisinsight:latest
e3e60f1a06066af7d990464788d64b2e7e837dddd00fbc2a473aafd5ec51a0c4
ajeet_raina@ubuntu-rootless:~$ docker ps
CONTAINER ID   IMAGE                           COMMAND                  CREATED              STATUS              PORTS                                       NAMES
e3e60f1a0606   redislabs/redisinsight:latest   "bash ./docker-entry…"   About a minute ago   Up About a minute   0.0.0.0:8001->8001/tcp, :::8001->8001/tcp   musing_pike
ajeet_raina@ubuntu-rootless:~$
- Getting Started with RedisInsight
- Visualize Redis database keys using RedisInsight Browser Tool
- Debugging Redis using RedisInsight Slowlog Tool
- Reduce Redis Memory usage using RedisInsight Memory Analyzer Tool
- Manage Your Redis Cluster using RedisInsight Cluster Management Tool
- Using Redis Streams with RedisInsight