Allow running dockerd as a non-root user (Rootless mode) #38050
- What I did
No SETUID/SETCAP binary is required, except
For Kubernetes integration, please refer to https://github.com/rootless-containers/usernetes .
- How I did it
Please refer to
- How to verify it
```
$ id -u
1001
$ whoami
penguin
$ grep ^$(whoami): /etc/subuid
penguin:231072:65536
$ grep ^$(whoami): /etc/subgid
penguin:231072:65536
```
- Description for the changelog
- A picture of a cute animal (not mandatory but encouraged)
```
penguin0@suda-ws01:~$ id
uid=1002(penguin0) gid=1006(penguin0) groups=1006(penguin0)
penguin0@suda-ws01:~$ ps u
USER         PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
penguin0  122952  0.0  0.0  21484  5156 pts/3    Ss   16:58   0:00 /bin/bash -l
penguin0  123093  0.0  0.0  21484  5200 pts/4    Ss   16:58   0:00 /bin/bash -l
penguin0  123094  0.0  0.0 134792  2860 pts/4    S    16:58   0:00 (sd-pam)
penguin0  123252  0.0  0.0   4628   784 pts/4    S+   16:58   0:00 /bin/sh /usr/local/bin/dockerd-rootless.sh --experimental
penguin0  123253  0.0  0.0 105772  3696 pts/4    Sl+  16:58   0:00 rootlesskit --net=slirp4netns --mtu=65520 --copy-up=/etc --copy-up=/run /usr/local/bin/dockerd-rootless.sh --experimental
penguin0  123257  0.0  0.0 105516  4024 pts/4    Sl+  16:58   0:00 /proc/self/exe --net=slirp4netns --mtu=65520 --copy-up=/etc --copy-up=/run /usr/local/bin/dockerd-rootless.sh --experimental
penguin0  123265  0.0  0.0   2980  1072 pts/4    S+   16:58   0:00 slirp4netns --mtu 65520 123257 tap0
penguin0  123281  0.0  0.0   4628   828 pts/4    S+   16:58   0:00 /bin/sh /usr/local/bin/dockerd-rootless.sh --experimental
penguin0  123283  0.6  0.8 583536 65728 pts/4    Sl+  16:58   0:00 dockerd --experimental
penguin0  125126  0.0  0.0  38372  3688 pts/3    R+   17:00   0:00 ps u
penguin0@suda-ws01:~$ docker -H unix:///run/user/1002/docker.sock run --rm hello-world

Hello from Docker!
This message shows that your installation appears to be working correctly.

To generate this message, Docker took the following steps:
 1. The Docker client contacted the Docker daemon.
 2. The Docker daemon pulled the "hello-world" image from the Docker Hub.
    (amd64)
 3. The Docker daemon created a new container from that image which runs the
    executable that produces the output you are currently reading.
 4. The Docker daemon streamed that output to the Docker client, which sent it
    to your terminal.

To try something more ambitious, you can run an Ubuntu container with:
 $ docker run -it ubuntu bash

Share images, automate workflows, and more with a free Docker ID:
 https://hub.docker.com/

For more examples and ideas, visit:
 https://docs.docker.com/get-started/
```
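The verification session above checks the user's /etc/subuid and /etc/subgid entries by hand. As an added example (not part of this PR or its discussion), the POSIX sh script below automates that check: it sums every subordinate-ID range assigned to a user, which covers the case where a user has more than one line, and requires at least 65536 IDs, the range size shown above. The sample file content is constructed; the `--live` flag reads the real files on the host, which needs no privileges beyond read access.

```shell
#!/bin/sh
# Added example, not from the PR: validate the subuid/subgid entries that
# rootless dockerd relies on for the invoking user.
# Assumption: at least 65536 subordinate IDs per user (the size shown in the
# verification session of the PR description).
MIN_RANGE=65536

# subid_range USER CONTENT
# Prints the total number of IDs assigned to USER in CONTENT (subuid/subgid
# format: name:start:count). Multiple lines for the same user are summed.
subid_range() {
    printf '%s\n' "$2" | awk -F: -v u="$1" '$1 == u { sum += $3 } END { print sum + 0 }'
}

# check_subid USER CONTENT
# Returns 0 when USER has at least MIN_RANGE IDs in CONTENT, 1 otherwise.
check_subid() {
    n=$(subid_range "$1" "$2")
    [ "$n" -ge "$MIN_RANGE" ]
}

# check_user USER
# Checks both /etc/subuid and /etc/subgid on the running host for USER.
check_user() {
    for f in /etc/subuid /etc/subgid; do
        if [ ! -r "$f" ]; then
            echo "cannot read $f" >&2
            return 1
        fi
        if ! check_subid "$1" "$(cat "$f")"; then
            echo "$1: fewer than $MIN_RANGE ids in $f" >&2
            return 1
        fi
    done
    echo "$1: subuid/subgid OK"
}

# Constructed sample content (not a real file): one user with a full range,
# one with a range that is too small, one whose two ranges only add up.
SAMPLE='penguin:231072:65536
alice:100000:1000
bob:200000:32768
bob:300000:32768'

# Default run: demonstrate on the constructed sample; --live checks the host.
if [ "${1:-}" = "--live" ]; then
    check_user "$(id -un)"
else
    for u in penguin alice bob; do
        if check_subid "$u" "$SAMPLE"; then
            echo "$u: OK ($(subid_range "$u" "$SAMPLE") ids)"
        else
            echo "$u: too small ($(subid_range "$u" "$SAMPLE") ids)"
        fi
    done
fi
```

Run it as `sh check-subid.sh --live` as the unprivileged user that will start dockerd-rootless.sh; a failing check means the daemon cannot map the container's UIDs and GIDs, so fix the entries before looking elsewhere.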
```
@@            Coverage Diff            @@
##           master   #38050     +/-   ##
=========================================
  Coverage          ?   36.59%
=========================================
  Files             ?      608
  Lines             ?    45304
  Branches          ?        0
=========================================
  Hits              ?    16578
  Misses            ?    26435
  Partials          ?     2291
```
Cgroups delegation is disabled on this PR and it is likely to be a separate PR in future.
Until we can get full cgroups v2 support in runc (blocked due to lack of freezer and device subsystems, see opencontainers/runc#654), we would need to use
Rootless mode could be tested with
We would need to make sure cgroup tests are skipped on rootless mode in follow-up PRs.
I think slirp4netns should be packaged separately, mixing licensing in one package is not a good idea, and source must be available, so downloading from the network is not acceptable. It would be a good idea to get distros to package it if we are going to use it.
From the readme (https://github.com/rootless-containers/slirp4netns) it looks like it's already packaged on some distros;
Is it better to use VPNKit instead by default?
There is no plan atm to start including slirp4netns in regular packages.
With the current implementation that provides scripts that should be run as unprivileged user (instead of dropping to rootless from root) this doesn't solve the main use cases. The idea discussed offline was only to provide an extra tarball in https://download.docker.com/linux/static/nightly/x86_64/ (eg. docker-contrib-0.0.0-xxx-xxx.tgz ) with the extra binaries/gpl-stub that rootless depends on. This makes it possible to have an install script that can be run without ever needing sudo (in some systems at least). If you can install packages you can just install regular docker.
If we can't figure this out then I think that's the best option. The launcher script can still have slirp4netns as a default if it can be found on the system. Or the rootless install script can pull it from https://github.com/rootless-containers/slirp4netns/releases .
When I tested it, the throughput was much lower than in your stats. I can test again with new MTU config. I think the numbers you provided are acceptable.
@djs55 Do you know where we could get that without slowing down the moby build?
I set up a hub autobuilder for moby/vpnkit as an experiment: https://cloud.docker.com/repository/docker/djs55/vpnkit . The image contains a statically linked binary:
We've not tagged a release of
Uh, there is no