
Adding capabilities to containers running as non-root users

I am trying to run a container as a non-root user with capabilities.
In my Dockerfile I add (centos7 based):

setcap cap_chown+ep /usr/bin/chown

Then I execute it as such:

$ docker container run --rm -it --cap-add chown -u nobody my-image chown nobody /
chown: /: Operation not permitted

Does docker support adding capabilities to non-root users?

I am replying to my own thread: this worked:

# cat Dockerfile
FROM centos:7
RUN setcap cap_chown+ie /usr/bin/chown
RUN useradd blah
RUN useradd tester
 
# docker build -t chown-image:1.0.0 .
 
# docker container run --rm -it -u blah chown-image:1.0.0 bash
[blah@55cdc998b62e /]$ whoami
blah
[blah@55cdc998b62e /]$ touch file.txt
[blah@55cdc998b62e /]$ ls -al file.txt
-rw-r--r-- 1 blah blah 0 Oct  2 19:35 file.txt
[blah@55cdc998b62e /]$ chown blah:tester file.txt
[blah@55cdc998b62e /]$ ls -al file.txt
-rw-r--r-- 1 blah tester 0 Oct  2 19:35 file.txt
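To see which capability sets a process inside the container actually holds, here is an added example (not code from this thread): a POSIX shell helper that decodes the CapInh, CapPrm, CapEff, CapBnd and CapAmb lines of /proc/<pid>/status and lists the sets that contain CAP_CHOWN (capability number 0). The two status samples are constructed to mirror the before/after of the thread: a non-root process whose capability is only in the inheritable and bounding sets, and the same process after exec of a binary carrying cap_chown+ie; the hex values are assumptions about what such a container reports, not captured output. On Linux the script also decodes the status of the shell running it, so running it inside the container with `sh caps.sh` shows the real sets.

```shell
#!/bin/sh
# Added example, not from the forum thread: decode the capability sets
# (CapInh, CapPrm, CapEff, CapBnd, CapAmb) that the kernel reports in
# /proc/<pid>/status, so you can see which sets a non-root container
# process actually holds a capability in. CAP_CHOWN is capability number 0.

CAP_CHOWN=0

# cap_in_set HEXMASK CAPNUM: succeed if bit CAPNUM is set in the hex mask
cap_in_set() {
    # shell arithmetic accepts 0x-prefixed hex constants
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# cap_sets_with STATUS_TEXT CAPNUM: print, space-separated, the names of the
# capability sets in STATUS_TEXT (the content of a /proc/<pid>/status file)
# that contain capability CAPNUM, in the order the kernel lists them
cap_sets_with() {
    text=$1; capnum=$2; out=""
    while read -r key val; do
        case "$key" in
            CapInh:|CapPrm:|CapEff:|CapBnd:|CapAmb:)
                if cap_in_set "$val" "$capnum"; then
                    out="$out${out:+ }${key%:}"
                fi ;;
        esac
    done <<EOF
$text
EOF
    printf '%s\n' "$out"
}

# Constructed sample (assumption, not captured output): a process running as
# a non-root user inside a container before exec'ing a binary that carries
# file capabilities. 0xa80425fb is Docker's default capability set; here
# CAP_CHOWN is in Inheritable and Bounding but not in Permitted/Effective,
# so a plain chown fails even though the capability is "there".
SAMPLE_NONROOT_BEFORE='CapInh: 00000000a80425fb
CapPrm: 0000000000000000
CapEff: 0000000000000000
CapBnd: 00000000a80425fb
CapAmb: 0000000000000000'

# Constructed sample: the same process after exec'ing a binary whose file
# capability is cap_chown+ie. The file's inheritable bit, ANDed with the
# process inheritable set, raises CAP_CHOWN into Permitted, and the file's
# effective bit raises it into Effective.
SAMPLE_NONROOT_AFTER='CapInh: 00000000a80425fb
CapPrm: 0000000000000001
CapEff: 0000000000000001
CapBnd: 00000000a80425fb
CapAmb: 0000000000000000'

# Stand-alone run: report on the samples, then on this shell itself on Linux
printf 'before exec: CAP_CHOWN in: %s\n' "$(cap_sets_with "$SAMPLE_NONROOT_BEFORE" "$CAP_CHOWN")"
printf 'after exec:  CAP_CHOWN in: %s\n' "$(cap_sets_with "$SAMPLE_NONROOT_AFTER" "$CAP_CHOWN")"
if [ -r /proc/self/status ]; then
    printf 'this shell:  CAP_CHOWN in: %s\n' "$(cap_sets_with "$(cat /proc/self/status)" "$CAP_CHOWN")"
fi
```

The useful check is the gap between Bounding/Inheritable on one side and Permitted/Effective on the other: a capability that only appears in the first two cannot be used until some file capability (or ambient capability) moves it into the process's permitted and effective sets, which is exactly what the working Dockerfile above relies on.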

The installation script is available at https://get.docker.com/rootless.

$ curl -fsSL https://get.docker.com/rootless | sh

Make sure to run the script as a non-root user. To install Rootless Docker as the root user, see the Manual installation steps.

The script shows environment variables that are required:

$ curl -fsSL https://get.docker.com/rootless | sh

Docker binaries are installed in /home/testuser/bin

WARN: dockerd is not in your current PATH or pointing to /home/testuser/bin/dockerd

Make sure the following environment variables are set (or add them to ~/.bashrc):

export PATH=/home/testuser/bin:$PATH
export PATH=$PATH:/sbin
export DOCKER_HOST=unix:///run/user/1001/docker.sock

To control docker service run:

systemctl --user (start|stop|restart) docker

Manual installation
To install the binaries manually without using the installer, extract docker-rootless-extras-.tgz along with docker-.tgz from https://download.docker.com/linux/static/stable/x86_64/

If you already have the Docker daemon running as the root, you only need to extract docker-rootless-extras-.tgz. The archive can be extracted under an arbitrary directory listed in the $PATH. For example, /usr/local/bin, or $HOME/bin.

Nightly channel
To install a nightly version of the Rootless Docker, run the installation script using CHANNEL="nightly":

$ curl -fsSL https://get.docker.com/rootless | CHANNEL="nightly" sh

The raw binary archives are available at:

https://master.dockerproject.org/linux/x86_64/docker-rootless-extras.tgz
https://master.dockerproject.org/linux/x86_64/docker.tgz
Usage
Daemon
Use systemctl --user to manage the lifecycle of the daemon:

$ systemctl --user start docker

To launch the daemon on system startup, enable the systemd service and lingering:

systemctl --user enable docker
sudo loginctl enable-linger $(whoami)

To run the daemon directly without systemd, you need to run dockerd-rootless.sh instead of dockerd:

$ dockerd-rootless.sh --experimental --storage-driver vfs

As Rootless mode is experimental, you need to run dockerd-rootless.sh with --experimental.

You also need --storage-driver vfs unless you are using Ubuntu or Debian 10 kernel. You don’t need to care about these flags if you manage the daemon using systemd, as these flags are automatically added to the systemd unit file.

Remarks about directory paths:

The socket path is set to $XDG_RUNTIME_DIR/docker.sock by default. $XDG_RUNTIME_DIR is typically set to /run/user/$UID.
The data dir is set to ~/.local/share/docker by default.
The exec dir is set to $XDG_RUNTIME_DIR/docker by default.
The daemon config dir is set to ~/.config/docker (not ~/.docker, which is used by the client) by default.
Other remarks:

The dockerd-rootless.sh script executes dockerd in its own user, mount, and network namespaces. You can enter the namespaces by running nsenter -U --preserve-credentials -n -m -t $(cat $XDG_RUNTIME_DIR/docker.pid).
docker info shows rootless in SecurityOptions
docker info shows none as Cgroup Driver
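As an added example (not part of the Docker documentation quoted above), the following POSIX shell script turns those remarks into a preflight check for a rootless setup: DOCKER_HOST must point at $XDG_RUNTIME_DIR/docker.sock, the directory holding dockerd must be in PATH (the same condition the installer warns about), and docker info must list rootless under Security Options with a Cgroup Driver of none. The two docker info samples are constructed, and the path values are the ones shown in the installer output above; pass your real values (and `docker info` output) as arguments to check a live host.

```shell
#!/bin/sh
# Added example, not from the Docker docs quoted above: preflight checks for
# a rootless Docker environment. All inputs are passed as arguments so the
# functions can be exercised offline against constructed data.

# expected_docker_host XDG_RUNTIME_DIR: DOCKER_HOST for the default socket path
expected_docker_host() {
    printf 'unix://%s/docker.sock\n' "$1"
}

# dir_in_path DIR PATHVALUE: succeed if DIR is one of PATHVALUE's entries
dir_in_path() {
    case ":$2:" in
        *":$1:"*) return 0 ;;
        *) return 1 ;;
    esac
}

# info_is_rootless INFO_TEXT: succeed if docker info output lists "rootless"
# under Security Options and reports "Cgroup Driver: none"
info_is_rootless() {
    in_sec=0; rootless=0; cgroup_none=0
    while IFS= read -r line; do
        case "$line" in
            *"Security Options:"*) in_sec=1 ;;
            "  rootless") if [ "$in_sec" -eq 1 ]; then rootless=1; fi ;;
            " "[A-Za-z]*) in_sec=0 ;;   # a new top-level key ends the section
        esac
        case "$line" in
            *"Cgroup Driver: none"*) cgroup_none=1 ;;
        esac
    done <<EOF
$1
EOF
    [ "$rootless" -eq 1 ] && [ "$cgroup_none" -eq 1 ]
}

# rootless_preflight XDG_RUNTIME_DIR DOCKER_HOST BINDIR PATHVALUE INFO_TEXT:
# print one line per problem found; the exit status is the number of problems
rootless_preflight() {
    xdg=$1; host=$2; bindir=$3; pathval=$4; info=$5; problems=0
    if [ "$host" != "$(expected_docker_host "$xdg")" ]; then
        echo "DOCKER_HOST is '$host', expected $(expected_docker_host "$xdg")"
        problems=$((problems + 1))
    fi
    if ! dir_in_path "$bindir" "$pathval"; then
        echo "$bindir (where dockerd lives) is not in PATH"
        problems=$((problems + 1))
    fi
    if ! info_is_rootless "$info"; then
        echo "docker info does not show rootless under Security Options with Cgroup Driver none"
        problems=$((problems + 1))
    fi
    return "$problems"
}

# Constructed sample of docker info output for a rootless daemon (assumed layout)
SAMPLE_INFO_ROOTLESS='Server:
 Security Options:
  seccomp
   Profile: default
  rootless
 Cgroup Driver: none
 Kernel Version: 5.4.0'

# Constructed sample for a conventional root-owned daemon
SAMPLE_INFO_ROOTFUL='Server:
 Security Options:
  apparmor
  seccomp
   Profile: default
 Cgroup Driver: cgroupfs'

# Stand-alone run using the values from the installer output above
echo "== rootless daemon, environment as the installer printed it =="
rootless_preflight /run/user/1001 unix:///run/user/1001/docker.sock \
    /home/testuser/bin "/home/testuser/bin:/usr/bin:/sbin" "$SAMPLE_INFO_ROOTLESS" \
    && echo "no problems"
echo "== same environment, but talking to a root-owned daemon =="
rootless_preflight /run/user/1001 unix:///var/run/docker.sock \
    /home/testuser/bin "/usr/bin:/sbin" "$SAMPLE_INFO_ROOTFUL" \
    || echo "$? problem(s)"
```

The docker info parser keys on the two facts the remarks give (rootless under Security Options, Cgroup Driver none) rather than on any other field, so it keeps working if the surrounding output changes; the section-tracking with the one-space versus two-space indentation is an assumption about docker info's layout, which is why the samples are labelled constructed.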