Docker swarm with rootless docker?

Is it possible to use docker swarm with rootless docker?
I tried to use rootless-docker with swarm and got an error. I followed the steps below.

  1. docker swarm init --advertise-addr 34.93.X.X

  2. docker swarm join-token manager gives
    -> docker swarm join --token SWMTKN-1-21vhv6gawb9mpur1v379sq52ia2jq4n0boqes0wos10o7m833l-5935hxvsht0x21o0qjpeqykae 34.93.X.X:2377

  3. On Node 2
    docker swarm join --token SWMTKN-1-2xtpxpc18p8qf3e4kb3dvsjr4a4ae786entmwuekh6w5bbfmpz-e5rhoya81d1pajet80wx34mcv 34.93.X.X:2377 --advertise-addr 34.93.X.X

resulting in an error

Error response from daemon: rpc error: code = Unavailable desc = all SubConns are in TransientFailure, latest connection error: connection error: desc = "transport: Error while dialing dial tcp 34.93.X.X:2377: connect: connection refused"

NOTE: working fine with root docker

Running dockerd-rootless.sh with DOCKERD_ROOTLESS_ROOTLESSKIT_FLAGS="-p 0.0.0.0:2377:2377/tcp" may work, but Rootless mode does not support Swarm overlay network as of 19.03: https://docs.docker.com/engine/security/rootless/#known-limitations

Though not exactly the same as rootless Docker, you can run docker swarm inside rootless containers using the sysbox runtime. Each container is rootless and acts as a swarm node (similar to a VM).

For example:

(1) Launch a swarm manager node with Docker + Sysbox:

$ docker run --rm -it --runtime sysbox-runc --name manager nestybox/alpine-docker:latest
/ # dockerd > /var/log/dockerd.log 2>&1 &
/ # docker swarm init
Swarm initialized: current node (teemqygp2kfzw75cdhlcinppx) is now a manager.

To add a worker to this swarm, run the following command:

    docker swarm join --token SWMTKN-1-3urriqqyy8ysjkgmup81nxpvqgb3az063hryolhnl4p7nazl1n-cgbv86xvmf918iowrzq0fjd8w 172.20.0.2:2377

To add a manager to this swarm, run 'docker swarm join-token manager' and follow the instructions.

(2) Launch a worker node in another container:

$ docker run --rm -it --runtime sysbox-runc --name worker0 nestybox/alpine-docker:latest
/ # dockerd > /var/log/dockerd.log 2>&1 &
/ # docker swarm join --token SWMTKN-1-3urriqqyy8ysjkgmup81nxpvqgb3az063hryolhnl4p7nazl1n-cgbv86xvmf918iowrzq0fjd8w 172.20.0.2:2377
This node joined a swarm as a worker.

(3) Back in the manager node:

/ # docker node ls
ID                            HOSTNAME            STATUS              AVAILABILITY        MANAGER STATUS      ENGINE VERSION
teemqygp2kfzw75cdhlcinppx *   4e30f1df39c5        Ready               Active              Leader              19.03.12
bs6pyyhs0rmglclzhzqs4cvhh     6ac0c3c173ef        Ready               Active                                  19.03.12
/ # docker service create --replicas 5 --name helloworld alpine ping docker.com
00u3g30hjyqe213xp7drswf3i
overall progress: 5 out of 5 tasks 
1/5: running   [==================================================>] 
2/5: running   [==================================================>] 
3/5: running   [==================================================>] 
4/5: running   [==================================================>] 
5/5: running   [==================================================>] 
verify: Service converged 
/ # docker service ls
ID                  NAME                MODE                REPLICAS            IMAGE               PORTS
00u3g30hjyqe        helloworld          replicated          5/5                 alpine:latest       
/ #

This way you can run swarm inside well isolated containers and avoid the need for insecure privileged containers or heavy VMs.

This blog post explains the differences between rootless Docker and Sysbox.

Hope this helps!

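The Sysbox walkthrough above, scripted as an added example that is not part of the thread or of the Sysbox project: it starts the two node containers, extracts the worker join command from the manager's `docker swarm init` output instead of copying the token by hand, and checks that neither node container is privileged (the isolation property the answer relies on). It assumes a host with the `sysbox-runc` runtime and the `nestybox/alpine-docker:latest` image, and only touches Docker when `SWARM_DEMO_RUN=1` is set.

```shell
#!/bin/sh
# Added example (not from the thread): swarm-in-Sysbox-containers workflow.
# Assumes: sysbox-runc runtime installed, nestybox/alpine-docker image present.
set -eu

# Pull the worker join command out of `docker swarm init` output.
# The token is a join credential, so it stays in shell variables only and is
# never echoed to the terminal or written to a file.
extract_join_cmd() {
    # $1: text captured from `docker swarm init`
    printf '%s\n' "$1" \
      | sed -n 's/^[[:space:]]*\(docker swarm join --token SWMTKN-[^ ]* [^ ]*:2377\).*/\1/p' \
      | head -n 1
}

# A node container must not be privileged; otherwise the "well isolated"
# argument from the answer no longer holds.
assert_unprivileged() {
    [ "$(docker inspect --format '{{.HostConfig.Privileged}}' "$1")" = "false" ]
}

# Start a detached Sysbox container running its own dockerd and wait for it.
start_node() {
    docker run -d --runtime sysbox-runc --name "$1" nestybox/alpine-docker:latest \
        sh -c 'dockerd > /var/log/dockerd.log 2>&1 & exec tail -f /dev/null'
    assert_unprivileged "$1"
    i=0
    while [ "$i" -lt 30 ]; do
        docker exec "$1" docker info >/dev/null 2>&1 && return 0
        sleep 1
        i=$((i + 1))
    done
    echo "inner dockerd in $1 did not come up" >&2
    return 1
}

# Only runs on request, since it needs a Sysbox-capable host.
if [ "${SWARM_DEMO_RUN:-0}" = "1" ]; then
    start_node manager
    start_node worker0
    init_out=$(docker exec manager docker swarm init)
    join_cmd=$(extract_join_cmd "$init_out")
    [ -n "$join_cmd" ] || { echo "no join command found in init output" >&2; exit 1; }
    docker exec worker0 sh -c "$join_cmd"
    docker exec manager docker node ls
fi
```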