
According to the official Docker website (https://docs.docker.com/engine/security/rootless/) it's possible to run the Docker daemon rootlessly (without root access, no `--privileged` flag).

However, I'm convinced this would not work when running from inside a Docker container. There is no way of getting `modprobe` inside a Docker container without root access (`--privileged`), so it's not possible to install the Docker rootless script.

Supposedly there is an official image on Docker Hub: `docker:dind-rootless`. So I pulled the image and SSH'd into the container; however, I'm getting the following error when running `dockerd`:

INFO[2020-07-17T20:50:32.355617100Z] Starting up dockerd needs to be started with root. To see how to run dockerd in rootless mode with unprivileged user, see the documentation

Any suggestions on how to run the Docker daemon rootlessly inside another Docker container? I know this is possible with root, but is there a way to do it without? I can't get root access as I'm deploying to AWS Fargate, which doesn't support privileged access at the container level.

David Maze
piratepete
  • Have you tried SSH as rootless? – peter n Jul 17 '20 at 21:21
  • Running `docker run -it --user rootless docker:dind-rootless /bin/sh` and then running `dockerd` yields the same result: `dockerd needs to be started with root. To see how to run dockerd in rootless mode with unprivileged user, see the documentation`. `whoami` returns `rootless`, which is the default user when you pull the `docker:dind-rootless` image. – piratepete Jul 17 '20 at 21:28
  • This doesn't satisfy your requirements, since it uses `--privileged`, but the PR which created the dind-rootless image also has an example of how to work with it: https://github.com/docker-library/docker/pull/174#issuecomment-517036465 – Nick ODell Jul 17 '20 at 22:44
  • @NickODell ... that tripped my expectation, as I thought the rootless option would remove that need. I guess it was still meant to run as privileged but not with root as user. This somewhat messes up your Fargate plan, piratepete. – peter n Jul 17 '20 at 23:01
  • Looks like a fundamental limitation - you are right, guys, dind-rootless still requires the `--privileged` flag, and because of that dind-rootless isn't going to work with Fargate. Maybe AWS could provide some advice? – piratepete Jul 18 '20 at 18:10
  • Ran into the same issue. @piratepete, did you get anything from AWS on this? – karthikeayan Aug 26 '20 at 18:17
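An added check, not code from the question, the Docker project or AWS, that reads the capability bounding set from `/proc/<pid>/status` to tell whether a container was started with `--privileged`, which the comments above conclude dind-rootless needs. It assumes Linux with `/proc` mounted and tests capability bits by number (CAP_SYS_MODULE = 16, the capability `modprobe` needs; CAP_SYS_ADMIN = 21) rather than comparing the whole mask, because the full bounding set grows with the kernel's CAP_LAST_CAP.

```shell
#!/bin/sh
# Added example: decide from the capability bounding set whether this
# container is privileged, before attempting to start dockerd in it.
# Assumption: Linux /proc layout; masks are the hex values from CapBnd:.
# Constructed reference values used below:
#   00000000a80425fb  default unprivileged Docker container (14 caps)
#   0000003fffffffff  --privileged on a kernel with CAP_LAST_CAP = 37

# cap_bnd_mask FILE: print the CapBnd hex mask from a /proc/<pid>/status file.
cap_bnd_mask() {
    awk '/^CapBnd:/ { print $2 }' "$1"
}

# has_cap MASK BIT: succeed if capability number BIT is set in hex MASK.
has_cap() {
    mask=$1
    bit=$2
    # shift the mask right by BIT and test the low bit (POSIX sh arithmetic)
    [ $(( (0x$mask >> bit) & 1 )) -eq 1 ]
}

# is_privileged MASK: a --privileged container keeps the whole bounding set;
# the default profile drops CAP_SYS_MODULE (16) and CAP_SYS_ADMIN (21),
# so their presence is the signal, independent of the mask's total width.
is_privileged() {
    has_cap "$1" 16 && has_cap "$1" 21
}

# Report on the current process when run directly inside a container.
if [ -r /proc/self/status ]; then
    if is_privileged "$(cap_bnd_mask /proc/self/status)"; then
        echo "privileged: CAP_SYS_MODULE and CAP_SYS_ADMIN are in the bounding set"
    else
        echo "not privileged: dind-rootless would need --privileged here"
    fi
fi
```

Run it inside the container in question; on Fargate it is expected to report the unprivileged case.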

1 Answer

It's been 2 years. There's an image for it now: https://docs.docker.com/engine/security/rootless/#rootless-docker-in-docker

eco