Docker Rootless Permission Error

General system information:
Air-Gapped network
RHEL 8.9 patched up until May 2024
System is AD Joined via winbind
/home is on a NFS volume
Docker-ce version 3.26.0.0.1 installed via local docker repo setup with all packages from https://download.docker.com/linux/centos/8/x86_64/stable/Packages/

Modified the following:

/etc/sysctl.d/99-sysctl.conf
user.max_user_namespace=0 to 1 or 1024 or 28633

Modified /etc/subgid and /etc/subuid with the following:

user01:165536:65536
user02:231072:65536

Setting up Docker Rootless for users, but it fails to open.

As a normal user, ran the following:

```
$ cd /usr/bin
$ dockerd-rootless-setuptool.sh install
```

Installation runs fine without failure

```
$ systemctl --user start docker
$ systemctl --user status docker
```

Service running without issue, all good here.

```
$ docker info
$ docker ps
```

All good here as well, no issues


```
$ docker image load -i ub8-minimal-8.9.tar
932e25b7e78c: Loading layer [==================================================>]  93.75MB/93.75MB
open /root/.bash_logout: permission denied
```

This error occurs on multiple files.


Possibly a namespace issue, but I’ve followed the Docker guides for installation and rootless setup.
Any help is appreciated.

Is there anyone in the community that can assist with this?
Docker starts/runs fine, but is producing the above-mentioned error.
Pretty sure I’m close, would just need a little guidance on the Docker output.
Unfortunately, Red Hat does not support docker-ce on RHEL 8.x, therefore support from them is not available.
Red Hat only supports Podman.

You mean this one?

This is the official guide, but it says x86_64 (amd64) and aarch64 support on RHEL is experimental. I don’t think your issue would be because of the architecture, but could be.

And it happens when you load the image from a tar file? How did you create it?

That 3 at the beginning must be part of the package version, not the Docker version. Docker CE 26.0.0 had some bugs. If newer versions are available, I would try to install the latest, which is 26.1.4.

Please, share the output. Remove secrets like IP addresses or usernames if necessary before sharing.

Until that, here is my guess:

When you load an image, Docker has to extract the tar and move the files to the Docker data root. Since you ran the command as a non-root user, if the files in the tar are owned by root, it is possible that Docker has no permission to move the files, although that would not be an “open” operation. I never tried to load an image as a non-root user, but I will test it soon.

EDIT: I tried, it worked for me.

We don’t always notice all messages. Feel free to send a reminder after some days. 21 days was many.

I also edited your question to make it more readable. That can also get you more answers. Follow this guide next time to format your post: How to format your forum posts
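One way to check the guess above, namely whether every file owner in the image's layers can be represented under the rootless uid mapping at all. This is an added example, not code from the thread or from Docker; it assumes the user's own uid is 1000 and uses the `user01:165536:65536` subuid entry from the first post, and the image tarball it inspects is a constructed sample in `docker save` layout.

```python
import io
import json
import tarfile


def host_uid(container_uid, user_uid, subuid_start, subuid_count):
    """Map a uid seen inside a rootless container to the host uid RootlessKit
    would use: 0 -> the user's own uid, 1..N -> the subuid range, else None."""
    if container_uid == 0:
        return user_uid
    if 1 <= container_uid <= subuid_count:
        return subuid_start + container_uid - 1
    return None


def build_sample_image(uids=(0, 0, 70000)):
    """Constructed `docker save`-style tarball with one layer; each file is
    owned by one of `uids` (sample data, not a real image)."""
    layer = io.BytesIO()
    with tarfile.open(fileobj=layer, mode="w") as lt:
        for i, uid in enumerate(uids):
            info = tarfile.TarInfo(name=f"root/file{i}")
            info.size, info.uid, info.gid = 1, uid, uid
            lt.addfile(info, io.BytesIO(b"x"))
    manifest = json.dumps([{"Layers": ["layer1/layer.tar"]}]).encode()
    image = io.BytesIO()
    with tarfile.open(fileobj=image, mode="w") as it:
        for name, blob in (("layer1/layer.tar", layer.getvalue()),
                           ("manifest.json", manifest)):
            info = tarfile.TarInfo(name=name)
            info.size = len(blob)
            it.addfile(info, io.BytesIO(blob))
    return image.getvalue()


def unmappable_owners(image_bytes, user_uid, subuid_start, subuid_count):
    """Return {layer path: sorted owner uids that have no host uid under the
    rootless mapping}; an empty dict means every file owner is mappable."""
    problems = {}
    with tarfile.open(fileobj=io.BytesIO(image_bytes)) as it:
        manifest = json.load(it.extractfile("manifest.json"))
        for entry in manifest:
            for layer_path in entry["Layers"]:
                with tarfile.open(fileobj=it.extractfile(layer_path)) as lt:
                    bad = {m.uid for m in lt
                           if host_uid(m.uid, user_uid, subuid_start, subuid_count) is None}
                if bad:
                    problems[layer_path] = sorted(bad)
    return problems
```

Run `unmappable_owners` on the bytes of the real `ub8-minimal-8.9.tar` with the values from the user's `/etc/subuid` line; root-owned files such as `/root/.bash_logout` map to the user's own uid, so an empty result points away from ownership and toward the data root's filesystem (here an NFS home directory) as the thing to look at next.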

Yes, the Install Docker Engine on RHEL guide to an extent, but I’m focused on ROOTLESS functionality, using these instructions: Run the Docker daemon as a non-root user (Rootless mode) | Docker Docs

  • The goal is to allow our normal users (non-privileged) to be able to run Docker as themselves.
  • I will try a newer version of the Docker packages.

Thank you for the reply.

Hello,
Updated my repo with latest packages, then updated my client to 26.1.4
Output from running $ docker info is below…

```
$ docker info
Client: Docker Engine - Community
 Version:    26.1.4
 Context:    rootless
 Debug Mode: false
 Plugins:
  buildx: Docker Buildx (Docker Inc.)
    Version:  v0.14.1
    Path:     /usr/libexec/docker/cli-plugins/docker-buildx
  compose: Docker Compose (Docker Inc.)
    Version:  v2.27.1
    Path:     /usr/libexec/docker/cli-plugins/docker-compose

Server:
 Containers: 0
  Running: 0
  Paused: 0
  Stopped: 0
 Images: 0
 Server Version: 26.1.4
 Storage Driver: fuse-overlayfs
 Logging Driver: json-file
 Cgroup Driver: none
 Cgroup Version: 1
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local splunk syslog
 Swarm: inactive
 Runtimes: io.containerd.runc.v2 runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: d2d58213f83a351ca8f528a95fbd145f5654e957
 runc version: v1.1.12-0-g51d5e94
 init version: de40ad0
 Security Options:
  seccomp
   Profile: builtin
  rootless
 Kernel Version: 4.18.0-553.5.1.el8_10.x86_64
 Operating System: Red Hat Enterprise Linux 8.10 (Ootpa)
 OSType: linux
 Architecture: x86_64
 CPUs: 12
 Total Memory: 30.85GiB
 Name: rhel02
 ID: e25497ad-a413-478a-8e8d-4da56965a81c
 Docker Root Dir: /home/user01@our.domain.com/.local/share/docker
 Debug Mode: false
 Experimental: false
 Insecure Registries:
  127.0.0.0/8
 Live Restore Enabled: false

WARNING: Running in rootless-mode without cgroups. To enable cgroups in rootless-mode, you need to boot the system in cgroup v2 mode.
WARNING: bridge-nf-call-iptables is disabled
WARNING: bridge-nf-call-ip6tables is disabled
```

Again…


Please, format your post according to the following guide: How to format your forum posts
In short: please use the </> button to share code, terminal output, error messages or anything that can contain special characters which would be interpreted by the Markdown filter. Use the preview feature to make sure your text is formatted as you would expect, and check your post after you have sent it so you can still fix it.

Example code block:

```
echo "I am a code."
echo "An athletic one, and I wanna run."
```