Running docker entirely as non-root (CONFIG_USER_NS) #1034
This isn't possible. The docker daemon needs to do a lot of things which really require root rights. Extracting layers which contain root owned files, setting up and deleting netfilter rules, mounting and unmounting layers via AUFS and other such things require root rights.
The docker client doesn't need any root permissions.
@creack I think you can close this issue.
@unclejack, I agree vis-a-vis netfilter rules, but my understanding is that with
These are actually 2 different requests here:
Request 1 is to allow running the docker daemon as non-root on the host system.
Request 2 is to allow running individual docker applications as non-root, but make them each think they have root privileges, thanks to the CONFIG_USER_NS.
I suggest opening 2 different issues (or finding an existing issue for each).
@unclejack Many thanks for your clarification: "The docker client doesn't need any root permissions."
Sorry, a newbie asking here: by "docker client" do you mean the ones listed here?
I have already set up my Dockerfile and pushed the resulting image to the Index, so it is now possible to run our code by doing:
docker pull myuser/myrepo
However, we cannot ask anyone out there to have root permissions on their end to run our code. That is why I would like to know how to use the "docker client". Could you please help?
Many thanks in advance for your time!
@bdharrington7 sorry for the slow reply!
The daemon still needs to run as root. I don't know how hard it would be to lift that requirement; however, you can run it as non-root (did I just contradict myself?!?) ... by running it through Docker-in-Docker, when the top-level Docker (the one running straight on the host) has user namespaces enabled. This will squash the UID of the inner Docker to a non-privileged UID, while still allowing the required network and filesystem operations to happen. It is contrived and probably not optimal for your use case, but perhaps it can be a good starting point.
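The UID squashing described in the comment above can be checked from a process's user-namespace map. This is an added example, not part of the original thread or of Docker's code: it parses the kernel's `/proc/<pid>/uid_map` format and reports whether UID 0 inside the namespace maps to a non-root UID in the parent namespace. The sample maps and the function names are constructed for illustration.

```python
"""Translate UIDs through a user-namespace map (format of /proc/<pid>/uid_map)."""
from typing import List, Optional, Tuple

# Each uid_map line: <first UID inside ns> <first UID in parent ns> <range length>
Extent = Tuple[int, int, int]

# Constructed sample: UIDs 0-65535 in the namespace map to 100000-165535 outside.
SAMPLE_REMAPPED = "         0     100000      65536\n"
# Constructed sample of the initial namespace: identity map, root is real root.
SAMPLE_INITIAL = "         0          0 4294967295\n"


def parse_uid_map(text: str) -> List[Extent]:
    """Parse uid_map text into (inside, outside, length) extents."""
    extents: List[Extent] = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if len(fields) != 3:
            raise ValueError(f"malformed uid_map line: {line!r}")
        inside, outside, length = (int(f) for f in fields)
        if length <= 0:
            raise ValueError(f"non-positive range length: {line!r}")
        extents.append((inside, outside, length))
    return extents


def to_parent_uid(extents: List[Extent], uid: int) -> Optional[int]:
    """Map a UID inside the namespace to the UID seen by the parent namespace."""
    for inside, outside, length in extents:
        if inside <= uid < inside + length:
            return outside + (uid - inside)
    return None  # unmapped: such a UID shows up as the overflow UID


def root_is_squashed(extents: List[Extent]) -> bool:
    """True when UID 0 in the namespace is not UID 0 in the parent namespace."""
    return to_parent_uid(extents, 0) != 0


def read_uid_map(pid: str = "self") -> List[Extent]:
    """Read the live map of a process (Linux only)."""
    with open(f"/proc/{pid}/uid_map") as fh:
        return parse_uid_map(fh.read())


if __name__ == "__main__":
    for name, text in (("remapped", SAMPLE_REMAPPED), ("initial", SAMPLE_INITIAL)):
        print(name, "root squashed:", root_is_squashed(parse_uid_map(text)))
```

On a Linux host, `root_is_squashed(read_uid_map(pid))` applies the same check to a running container's init process.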