docker:dind-rootless does not start on Rootless Docker host.
Is docker:dind-rootless even supposed to be run on a Rootless Docker host in the first place?
rootless@debian12:~$ ls -l /var/run/user/1001/docker.sock
srw-rw---T 1 rootless 166532 0 Oct 23 20:33 /var/run/user/1001/docker.sock
rootless@debian12:~/dind-rootless$ cat compose.yml
version: "3"
services:
dind-rootless:
image: docker:dind-rootless
privileged: true
rootless@debian12:~/dind-rootless$ docker compose up -d
[+] Running 2/2
✔ Network dind-rootless_default Created 0.1s
✔ Container dind-rootless-dind-rootless-1 Started 0.1s
rootless@debian12:~/dind-rootless$ docker compose logs dind-rootless
dind-rootless-dind-rootless-1 | Certificate request self-signature ok
dind-rootless-dind-rootless-1 | subject=CN = docker:dind server
dind-rootless-dind-rootless-1 | /certs/server/cert.pem: OK
dind-rootless-dind-rootless-1 | Certificate request self-signature ok
dind-rootless-dind-rootless-1 | subject=CN = docker:dind client
dind-rootless-dind-rootless-1 | /certs/client/cert.pem: OK
dind-rootless-dind-rootless-1 | Device "ip_tables" does not exist.
dind-rootless-dind-rootless-1 | ip_tables 36864 0
dind-rootless-dind-rootless-1 | x_tables 61440 7 xt_nat,xt_tcpudp,xt_conntrack,xt_MASQUERADE,xt_addrtype,nft_compat,ip_tables
dind-rootless-dind-rootless-1 | modprobe: can't change directory to '/lib/modules': No such file or directory
dind-rootless-dind-rootless-1 | [rootlesskit:parent] error: failed to setup UID/GID map: newuidmap 55 [0 1000 1 1 100000 65536] failed: newuidmap: write to uid_map failed: Operation not permitted
dind-rootless-dind-rootless-1 | : exit status 1
CAP_SETUID and CAP_SETGID appear to be missing.
rootless@debian12:~$ git clone https://github.com/docker-library/docker.git ./dind-source
rootless@debian12:~$ cd dind-source/24/dind-rootless/
rootless@debian12:~/dind-source/24/dind-rootless$ nano Dockerfile
rootless@debian12:~/dind-source/24/dind-rootless$ git diff Dockerfile
diff --git a/24/dind-rootless/Dockerfile b/24/dind-rootless/Dockerfile
index 766214d..edbb62d 100644
--- a/24/dind-rootless/Dockerfile
+++ b/24/dind-rootless/Dockerfile
@@ -8,7 +8,7 @@ FROM docker:24-dind
# busybox "ip" is insufficient:
# [rootlesskit:child ] error: executing [[ip tuntap add name tap0 mode tap] [ip link set tap0 address 02:50:00:00:00:01]]: exit status 1
-RUN apk add --no-cache iproute2 fuse-overlayfs
+RUN apk add --no-cache iproute2 fuse-overlayfs strace
# "/run/user/UID" will be used by default as the value of XDG_RUNTIME_DIR
RUN mkdir /run/user && chmod 1777 /run/user
rootless@debian12:~/dind-source/24/dind-rootless$ touch compose.yml
rootless@debian12:~/dind-source/24/dind-rootless$ nano compose.yml
rootless@debian12:~/dind-source/24/dind-rootless$ cat compose.yml
version: "3"
services:
my-rootless:
build: .
image: my-rootless
privileged: true
cap_add:
- SETUID
- SETGID
entrypoint: ["tail", "-f", "/dev/null"]
rootless@debian12:~/dind-source/24/dind-rootless$ docker compose build
rootless@debian12:~/dind-source/24/dind-rootless$ docker compose up -d
[+] Running 2/2
✔ Network dind-rootless_default Created 0.1s
✔ Container dind-rootless-my-rootless-1 Started
rootless@debian12:~/dind-source/24/dind-rootless$ docker compose exec my-rootless sh
/ $
/ $ unshare -U sleep 100 &
/ $ strace newuidmap $! 0 $(id -u) 1 1 100000 65536
execve("/usr/bin/newuidmap", ["newuidmap", "12", "0", "1000", "1", "1", "100000", "65536"], 0x7ffc2ec885a8 /* 11 vars */) = 0
arch_prctl(ARCH_SET_FS, 0x7fe8d0946b48) = 0
set_tid_address(0x7fe8d0946fb8) = 17
brk(NULL) = 0x556e626a3000
brk(0x556e626a5000) = 0x556e626a5000
mmap(0x556e626a3000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x556e626a3000
mprotect(0x7fe8d0943000, 4096, PROT_READ) = 0
mprotect(0x556e61497000, 4096, PROT_READ) = 0
poll([{fd=0, events=0}, {fd=1, events=0}, {fd=2, events=0}], 3, 0) = 0 (Timeout)
open("/proc/12/", O_RDONLY|O_LARGEFILE|O_DIRECTORY) = 3
getuid() = 1000
open("/etc/passwd", O_RDONLY|O_LARGEFILE|O_CLOEXEC) = 4
fcntl(4, F_SETFD, FD_CLOEXEC) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fe8d08ac000
fcntl(4, F_SETFD, FD_CLOEXEC) = 0
read(4, "root:x:0:0:root:/root:/bin/ash\nb"..., 1024) = 1024
read(4, "gin\nsmmsp:x:209:209:smmsp:/var/s"..., 1024) = 266
close(4) = 0
munmap(0x7fe8d08ac000, 4096) = 0
fstat(3, {st_mode=S_IFDIR|0555, st_size=0, ...}) = 0
getuid() = 1000
open("/etc/login.defs", O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file or directory)
getgid() = 1000
getgid() = 1000
open("/etc/subuid", O_RDONLY|O_NOCTTY|O_NONBLOCK|O_LARGEFILE|O_NOFOLLOW) = 4
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fe8d08ac000
fcntl(4, F_SETFD, FD_CLOEXEC) = 0
mmap(NULL, 16384, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fe8d08a8000
read(4, "dockremap:165536:65536\nrootless:"..., 1024) = 45
read(4, "", 1024) = 0
munmap(0x7fe8d08a8000, 16384) = 0
open("/etc/nsswitch.conf", O_RDONLY|O_LARGEFILE) = 5
read(5, "# musl itself does not support N"..., 1024) = 205
read(5, "", 1024) = 0
close(5) = 0
open("/etc/passwd", O_RDONLY|O_LARGEFILE|O_CLOEXEC) = 5
fcntl(5, F_SETFD, FD_CLOEXEC) = 0
fcntl(5, F_SETFD, FD_CLOEXEC) = 0
read(5, "root:x:0:0:root:/root:/bin/ash\nb"..., 1024) = 1024
read(5, "gin\nsmmsp:x:209:209:smmsp:/var/s"..., 1024) = 266
close(5) = 0
geteuid() = 1000
capset({version=_LINUX_CAPABILITY_VERSION_3, pid=0}, {effective=1<<CAP_SETUID, permitted=1<<CAP_SETUID, inheritable=0}) = -1 EPERM (Operation not permitted)
writev(2, [{iov_base="newuidmap: Could not set caps\n", iov_len=30}, {iov_base=NULL, iov_len=0}], 2newuidmap: Could not set caps
) = 30
exit_group(1) = ?
+++ exited with 1 +++