Running docker entirely as non-root (CONFIG_USER_NS) #1034
Comments
This isn't possible. The docker daemon needs to do a lot of things which really require root rights. Extracting layers which contain root owned files, setting up and deleting netfilter rules, mounting and unmounting layers via AUFS and other such things require root rights. The docker client doesn't need any root permissions. @creack I think you can close this issue.
@unclejack, I agree vis-a-vis netfilter rules, but my understanding is that with
@pwaller: ultimately, it should be possible to run the docker daemon without root rights, and invoke appropriate tools with sudo. But for now,
These are actually 2 different requests here: Request 1 is to allow running the docker daemon as non-root on the host system. Request 2 is to allow running individual docker applications as non-root, but make them each think they have root privileges, thanks to the CONFIG_USER_NS. I suggest opening 2 different issues (or finding an existing issue for each).
I had a cursory look, couldn't find anything, so created two issues (I'd rather the ideas didn't get totally lost). Apologies in advance for the additional mess if they are dupes.
@unclejack Many thanks for your clarification: "The docker client doesn't need any root permissions." Sorry, a newbie asking here: by "docker client" do you mean the ones listed here? I have already set up my Dockerfile and pushed the resulting image to the Index, so it is now possible to run our code by doing: docker pull myuser/myrepo However, we can not ask anyone out there to have root permissions on their end to run our code. That is why I would like to know how to use the "docker client". Could you please help? Many thanks in advance for your time!
Shouldn't this have label project/security added? (I would do myself but I think only project admins can add labels.)
@bdharrington7 sorry for the slow reply! The daemon still needs to run as root. I don't know how hard it would be to lift that requirement, however you can run it as non-root (did I just contradict myself?!?) ... by running it through Docker-in-Docker, when the top-level Docker (the one running straight on the host) has user namespaces enabled. This will squash the UID of the inner Docker to a non-privileged UID, while still allowing the required network and filesystem operations to happen. It is contrived and probably not optimal for your use case, but perhaps it can be a good starting point.
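The comment above relies on the kernel's user-namespace UID mapping (CONFIG_USER_NS) to "squash" the inner daemon's root to an unprivileged host UID. The following is an added example, not code from this thread or from the Docker project: it interprets a `/proc/<pid>/uid_map` file exactly as the kernel does (each line is `inside_start outside_start count`) so a defender can check, for a given container process, which host UID its root actually is. The two uid_map samples are constructed; `NO_USERNS_MAP` is the identity map a process has when no user namespace is in play, and `REMAPPED_MAP` is the shape you get once the daemon remaps container root to a subordinate UID range (the numbers 100000/65536 are assumed, typical values, not something this page states).

```python
"""Interpret a Linux user-namespace uid_map the way the kernel does.

Added example for this issue thread, not Docker project code. The
uid_map texts below are constructed samples; on a real host you would
read /proc/<pid>/uid_map for the container's init process instead.
"""
from typing import List, Optional, Tuple

# One line of /proc/<pid>/uid_map: <inside_start> <outside_start> <count>
# meaning: inside UIDs [inside_start, inside_start+count) map to
# outside (host) UIDs [outside_start, outside_start+count).
MapEntry = Tuple[int, int, int]


def parse_uid_map(text: str) -> List[MapEntry]:
    """Parse uid_map text into (inside_start, outside_start, count) tuples."""
    entries: List[MapEntry] = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue  # tolerate blank lines
        if len(fields) != 3:
            raise ValueError(f"malformed uid_map line: {line!r}")
        inside, outside, count = (int(f) for f in fields)
        if count <= 0 or inside < 0 or outside < 0:
            raise ValueError(f"invalid uid_map range: {line!r}")
        entries.append((inside, outside, count))
    return entries


def to_host_uid(uid_map_text: str, inside_uid: int) -> Optional[int]:
    """Return the host UID that `inside_uid` maps to, or None if unmapped.

    An unmapped UID is what the kernel presents as the overflow UID
    (usually 65534, 'nobody'); we return None so callers can tell the
    difference between 'mapped to 65534' and 'not mapped at all'.
    """
    for inside, outside, count in parse_uid_map(uid_map_text):
        if inside <= inside_uid < inside + count:
            return outside + (inside_uid - inside)
    return None


def root_is_squashed(uid_map_text: str) -> bool:
    """True when UID 0 inside the namespace is NOT host root.

    This is the property the comment above depends on: root inside the
    inner Docker must land on an unprivileged host UID.
    """
    host_uid = to_host_uid(uid_map_text, 0)
    return host_uid is not None and host_uid != 0


# Constructed sample: identity map seen when no user namespace is used.
# Container root IS host root here.
NO_USERNS_MAP = "         0          0 4294967295\n"

# Constructed sample: root remapped onto an assumed subordinate range.
# Container UIDs 0..65535 become host UIDs 100000..165535.
REMAPPED_MAP = "         0     100000      65536\n"


if __name__ == "__main__":
    for label, uid_map in (("no userns", NO_USERNS_MAP), ("remapped", REMAPPED_MAP)):
        host_root = to_host_uid(uid_map, 0)
        print(f"{label:>10}: container uid 0 -> host uid {host_root}, "
              f"squashed={root_is_squashed(uid_map)}")
```

To run the check against a live container, read `/proc/<pid>/uid_map` for the container's PID 1 from the host and pass its contents to `root_is_squashed`; on a daemon that has not enabled user-namespace remapping you will see the identity map and the function returns False, which is exactly the "daemon still runs as root" situation the comment describes.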
Feature request.
As mentioned in #132, I raised the idea of running docker as non-root using the kernel CONFIG_USER_NS feature.
Any chance of this being possible eventually?