Portainer and rootless Docker
by Neil Cresswell, on Dec 18, 2020 12:49:44 PM
With the release of Docker 20.10, rootless Docker is now a supported feature. But what is rootless Docker?
Simply put, in earlier versions of Docker the daemon ran as the root user by default and therefore had complete control over the host operating system. As a consequence, any container running under Docker that managed to "break free" of its isolation could also obtain root on the host. Rootless Docker changes that: the daemon and its containers run inside a user namespace owned by an ordinary, non-root user, so a container escape now yields only that user's privileges rather than root, adding a further layer of protection against host takeover.
Moving Docker out of root's hands and into an unprivileged user account introduces a number of complications, and these make deploying Portainer with rootless Docker somewhat less straightforward.
One thing to note: at present rootless Docker does not support overlay networks, which means Swarm mode is non-functional. For now, you can only use standalone Docker hosts.
Let me show you how to use rootless Docker with Portainer...
First up, let's get your Docker host prepared. We recommend Ubuntu 20.04 as the host, but other distributions are supported.
As the root user, from the host console, first make sure the "uidmap" package (which provides the newuidmap and newgidmap helpers rootless Docker relies on) is installed: run "apt-get update && apt-get install uidmap" and check that it completes. The per-user systemd instance used later also needs "dbus-user-session", which is normally present on Ubuntu 20.04 but is worth confirming.
Once that is done, create your non-root user, in our case "docker", using the command "adduser docker". On Ubuntu, adduser also allocates the new user a range of subordinate UIDs and GIDs in /etc/subuid and /etc/subgid, which rootless Docker needs; you can confirm this with "grep docker /etc/subuid /etc/subgid".
Now add that user to the sudo group using the command: usermod -aG sudo docker
Next, log in as that account over SSH. Use a real login (SSH or the console) rather than "su" or "sudo su" from root: the per-user systemd instance used in the following steps depends on the login session and XDG_RUNTIME_DIR that PAM sets up, and su does not provide them.
Run the rootless Docker install script using the command "curl -fsSL https://get.docker.com/rootless | sh". If you would rather not pipe a remote script straight into a shell, download it first with "curl -fsSLo rootless.sh https://get.docker.com/rootless", read it, and then run "sh rootless.sh".
When it finishes, note the instructions about adding two environment variables to ~/.bashrc: PATH, so that $HOME/bin (where the docker client and dockerd were installed) is searched first, and DOCKER_HOST, pointing the client at the rootless socket (for example unix:///run/user/1000/docker.sock). Let's do that now, though we will actually add them to ~/.bash_aliases instead. Once saved, log out and back in to have them take effect.
Next, in order to publish containers on ports below 1024, you need to run the following command: "sudo setcap cap_net_bind_service=ep $HOME/bin/rootlesskit". This grants the file capability to the rootlesskit binary, which binds host ports on the daemon's behalf; because file capabilities are lost when a binary is replaced, you will need to repeat this after upgrading rootlesskit.
Now you can start the Docker user service, set it to start automatically, and allow it to keep running after you log out, using the commands:
systemctl --user start docker
systemctl --user enable docker
sudo loginctl enable-linger $(whoami)
You should now be able to run the command "docker info" to get details of your Docker deployment. In rootless mode, "rootless" is listed under Security Options, which is a quick way to confirm you are talking to the rootless daemon rather than a system-wide one.
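Before deploying Portainer, it is worth checking that the steps above actually produced a working rootless engine rather than a half-configured one, since the usual failures (no subordinate id range, no XDG_RUNTIME_DIR after su, a client still pointed at the system socket) only show up later as confusing errors. The pre-flight script below is an added example, not from the original post or from Portainer. It assumes the Ubuntu layout used above: subordinate id ranges in /etc/subuid and /etc/subgid, rootlesskit in $HOME/bin, and the socket under $XDG_RUNTIME_DIR. The function names and the sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Pre-flight checks for a rootless Docker host before deploying Portainer.
# Added example, not part of the original post or of Portainer; function
# names and the sample inputs used in testing are constructed.

# has_subid_range USER FILE [MIN]
# Succeeds if FILE (normally /etc/subuid or /etc/subgid) gives USER a
# subordinate id range of at least MIN ids (default 65536). Ubuntu's adduser
# writes such an entry; a user created with plain useradd may lack one, and
# rootlesskit then refuses to start.
has_subid_range() {
  awk -F: -v u="$1" -v min="${3:-65536}" '
    $1 == u && $3 + 0 >= min + 0 { found = 1 }
    END { exit (found ? 0 : 1) }' "$2"
}

# info_is_rootless TEXT
# Succeeds if TEXT, the output of "docker info", lists "rootless" as one of
# the Security Options, which only the rootless engine does.
info_is_rootless() {
  printf '%s\n' "$1" | grep -Eq '^[[:space:]]*rootless[[:space:]]*$'
}

# runtime_dir_ok DIR
# Succeeds if DIR looks like a per-user runtime directory (/run/user/<uid>),
# where the rootless docker.sock is created. XDG_RUNTIME_DIR is empty when
# the account was reached via su instead of a real login.
runtime_dir_ok() {
  case "$1" in
    /run/user/[0-9]*) return 0 ;;
    *) return 1 ;;
  esac
}

# preflight
# Runs the checks against the live host as the rootless user; prints one
# line per problem and returns non-zero if any check fails.
preflight() {
  rc=0
  user=$(id -un)
  has_subid_range "$user" /etc/subuid && has_subid_range "$user" /etc/subgid ||
    { echo "FAIL: no subordinate uid/gid range for $user in /etc/subuid and /etc/subgid"; rc=1; }
  command -v newuidmap >/dev/null 2>&1 ||
    { echo "FAIL: newuidmap not found (apt-get install uidmap)"; rc=1; }
  runtime_dir_ok "${XDG_RUNTIME_DIR:-}" ||
    { echo "FAIL: XDG_RUNTIME_DIR not set; log in over SSH rather than su"; rc=1; }
  [ -S "${XDG_RUNTIME_DIR:-/nonexistent}/docker.sock" ] ||
    { echo "FAIL: no docker.sock in XDG_RUNTIME_DIR; is the user service running?"; rc=1; }
  info_is_rootless "$(docker info 2>/dev/null)" ||
    { echo "FAIL: docker info does not report a rootless engine (check DOCKER_HOST)"; rc=1; }
  # Only a warning: without the capability, publishing ports below 1024 fails.
  getcap "$HOME/bin/rootlesskit" 2>/dev/null | grep -q cap_net_bind_service ||
    echo "WARN: rootlesskit lacks cap_net_bind_service; ports below 1024 cannot be published"
  [ "$rc" -eq 0 ] && echo "OK: host is ready for rootless Portainer"
  return "$rc"
}

# Run the live checks only when invoked as "sh preflight.sh run", so the
# functions can also be sourced and exercised on a machine without Docker.
if [ "${1:-}" = "run" ]; then
  preflight
fi
```

Save it as preflight.sh and run "sh preflight.sh run" as the docker user; it exits non-zero with one line per failed check. The subordinate-id and docker info checks take plain inputs, so you can also point them at a copy of /etc/subuid or at saved "docker info" output from another host.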
You are now ready to deploy Portainer...
To deploy the Portainer SERVER, use the following command. Note the two differences from a root-owned engine: the socket lives under $XDG_RUNTIME_DIR rather than /var/run, and volume data lives under ~/.local/share/docker rather than /var/lib/docker, so both are bind-mounted to the paths Portainer expects:
docker run -d -p 8000:8000 -p 9000:9000 --name=portainer --restart=always -v $XDG_RUNTIME_DIR/docker.sock:/var/run/docker.sock -v ~/.local/share/docker/volumes:/var/lib/docker/volumes -v portainer_data:/data portainer/portainer-ce
Browse to your instance on port 9000 and then connect to the local Docker engine.
Portainer is now running on the rootless Docker Instance.
As a variant, if you already have a Portainer instance running elsewhere and only want to deploy the Portainer AGENT on the rootless host, use the following command (the same socket and volume paths apply):
docker run -d -p 9001:9001 --name=portainer_agent --restart=always -v $XDG_RUNTIME_DIR/docker.sock:/var/run/docker.sock -v ~/.local/share/docker/volumes:/var/lib/docker/volumes portainer/agent
You can then connect to the agent on port 9001 from your central instance.