Rootless Docker Still Running As Root?

Hey Guys,

I’m new to Docker so please bear with me.

My goal is to run Docker in Rootless mode, set up a development environment within a container, and use the Visual Studio Code Dev Containers extension to communicate with the container. This way all of my development tools, libraries, etc. exist within the container and don’t pollute my laptop’s environment.

I followed the Rootless Docker instructions and Docker was successfully installed. My concern is, Docker seems to still be running as root. Maybe I am wrong though? Really I’m just looking for confirmation that Docker is not running as root.

I’ve included some info below so please let me know if more is needed.

ps aux | grep docker:

root        1635  0.0  0.4 1536600 75208 ?       Ssl  05:51   0:01 /usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock
me        2256  0.0  0.0 1310240 9984 ?        Ssl  05:52   0:00 rootlesskit --net=slirp4netns --mtu=65520 --slirp4netns-sandbox=auto --slirp4netns-seccomp=auto --disable-host-loopback --port-driver=builtin --copy-up=/etc --copy-up=/run --propagation=rslave /usr/bin/dockerd-rootless.sh
me        2306  0.0  0.0 1310496 9472 ?        Sl   05:52   0:00 /proc/self/exe --net=slirp4netns --mtu=65520 --slirp4netns-sandbox=auto --slirp4netns-seccomp=auto --disable-host-loopback --port-driver=builtin --copy-up=/etc --copy-up=/run --propagation=rslave /usr/bin/dockerd-rootless.sh
me        2362  0.0  0.4 1536600 75808 ?       Sl   05:52   0:01 dockerd
me        2390  0.2  0.2 1356728 43104 ?       Ssl  05:52   0:14 containerd --config /run/user/1000/docker/containerd/containerd.toml
me        8025  0.0  0.0   9208  2432 pts/0    S+   07:40   0:00 grep --color=auto docker

Unable to start/stop docker.service as non-root:

systemctl --user stop docker.service

…does not stop the Docker service, as confirmed by a follow-up call to systemctl status docker.service:

Active: active (running) since Thu 2023-12-14 05:51:50 EST; 1h 53min ago

sudo is required to enable/disable docker.service:

sudo systemctl enable --now docker.service docker.socket
sudo systemctl disable --now docker.service docker.socket

docker.service is running on bootup:
I was under the impression docker.service is unable to run at bootup when operating in rootless mode.

systemctl status docker.service

● docker.service - Docker Application Container Engine
     Loaded: loaded (/lib/systemd/system/docker.service; enabled; vendor preset: enabled)
     Active: active (running) since Thu 2023-12-14 05:51:50 EST; 5min ago
TriggeredBy: ● docker.socket
       Docs: https://docs.docker.com
   Main PID: 1635 (dockerd)
      Tasks: 11
     Memory: 96.8M
        CPU: 552ms
     CGroup: /system.slice/docker.service
             └─1635 /usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock

Dec 14 05:51:50 erie dockerd[1635]: time="2023-12-14T05:51:50.103897903-05:00" level=info msg="Starting up"
Dec 14 05:51:50 erie dockerd[1635]: time="2023-12-14T05:51:50.112349079-05:00" level=info msg="detected 127.0.0.53 nameserver, assuming systemd-resolved, so using resolv.conf: /run/systemd/resolve/resolv.conf"
Dec 14 05:51:50 erie dockerd[1635]: time="2023-12-14T05:51:50.277719220-05:00" level=info msg="[graphdriver] using prior storage driver: overlay2"
Dec 14 05:51:50 erie dockerd[1635]: time="2023-12-14T05:51:50.282639622-05:00" level=info msg="Loading containers: start."
Dec 14 05:51:50 erie dockerd[1635]: time="2023-12-14T05:51:50.682291652-05:00" level=info msg="Default bridge (docker0) is assigned with an IP address 172.17.0.0/16. Daemon option --bip can be used to set a pre>
Dec 14 05:51:50 erie dockerd[1635]: time="2023-12-14T05:51:50.738564110-05:00" level=info msg="Loading containers: done."
Dec 14 05:51:50 erie dockerd[1635]: time="2023-12-14T05:51:50.822976192-05:00" level=info msg="Docker daemon" commit=311b9ff graphdriver=overlay2 version=24.0.7
Dec 14 05:51:50 erie dockerd[1635]: time="2023-12-14T05:51:50.823215299-05:00" level=info msg="Daemon has completed initialization"
Dec 14 05:51:50 erie dockerd[1635]: time="2023-12-14T05:51:50.852245415-05:00" level=info msg="API listen on /run/docker.sock"
Dec 14 05:51:50 erie systemd[1]: Started Docker Application Container Engine.

docker context inspect:

[
    {
        "Name": "rootless",
        "Metadata": {
            "Description": "Rootless mode"
        },
        "Endpoints": {
            "docker": {
                "Host": "unix:///run/user/1000/docker.sock",
                "SkipTLSVerify": false
            }
        },
        "TLSMaterial": {},
        "Storage": {
            "MetadataPath": "/home/me/.docker/contexts/meta/12b961af5feb3e9d39f93b2cefb9a1a944f18d02cca0cac2f04f5a982240605f",
            "TLSPath": "/home/me/.docker/contexts/tls/12b961af5feb3e9d39f93b2cefb9a1a944f18d02cca0cac2f04f5a982240605f"
        }
    }
]

docker info:

Client: Docker Engine - Community
 Version:    24.0.7
 Context:    rootless
 Debug Mode: false
 Plugins:
  buildx: Docker Buildx (Docker Inc.)
    Version:  v0.11.2
    Path:     /usr/libexec/docker/cli-plugins/docker-buildx
  compose: Docker Compose (Docker Inc.)
    Version:  v2.21.0
    Path:     /usr/libexec/docker/cli-plugins/docker-compose

Server:
 Containers: 0
  Running: 0
  Paused: 0
  Stopped: 0
 Images: 0
 Server Version: 24.0.7
 Storage Driver: overlay2
  Backing Filesystem: extfs
  Supports d_type: true
  Using metacopy: false
  Native Overlay Diff: false
  userxattr: true
 Logging Driver: json-file
 Cgroup Driver: systemd
 Cgroup Version: 2
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
 Swarm: inactive
 Runtimes: io.containerd.runc.v2 runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: 3dd1e886e55dd695541fdcd67420c2888645a495
 runc version: v1.1.10-0-g18a0cb0
 init version: de40ad0
 Security Options:
  seccomp
   Profile: builtin
  rootless
  cgroupns
 Kernel Version: 6.2.0-39-generic
 Operating System: Ubuntu 22.04.3 LTS
 OSType: linux
 Architecture: x86_64
 CPUs: 4
 Total Memory: 15.48GiB
 Name: erie
 ID: 9666cdfb-9afd-4723-8a5f-c67c58acdda2
 Docker Root Dir: /home/me/.local/share/docker
 Debug Mode: false
 Experimental: false
 Insecure Registries:
  127.0.0.0/8
 Live Restore Enabled: false

WARNING: No cpu cfs quota support
WARNING: No cpu cfs period support
WARNING: No cpu shares support
WARNING: No cpuset support
WARNING: No io.weight support
WARNING: No io.weight (per device) support
WARNING: No io.max (rbps) support
WARNING: No io.max (wbps) support
WARNING: No io.max (riops) support
WARNING: No io.max (wiops) support

How can I be certain that Docker is running in Rootless mode?

Thanks for your help.

By checking who actually owns the process?

You have rootful and rootless docker running at the same time.

This is the rootful process that you control with the systemd unit you used: docker.service. Stop it with sudo systemctl stop docker.service docker.socket and disable it so it doesn’t get started on next boot: sudo systemctl disable docker.service docker.socket.

Your context was set to rootless docker, which does not mean that an additional installed rootful docker can’t be running. It just means your client is communicating with the rootless backend. If you didn’t stop the rootful docker yet, you can switch the context to it: docker context use default. Check docker context ls to get a list of available contexts.

Note: when you start a container with rootless docker, it will use the user id 0 inside the container, though it will be mapped to a different user id on the host. From the host perspective such a container is not running as root.

2 Likes
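
The checks discussed in this thread (who owns each dockerd, which socket the client context points at, and whether the server itself reports rootless), as an added example that is not part of the original posts. The function names are hypothetical, the sample process list is constructed from the `ps aux` output in the question, and `live_check` assumes a host with the `docker` CLI installed.

```shell
#!/bin/sh
# Added example: tell a rootful dockerd from a rootless one and see which the client uses.

# Constructed sample in "USER PID ARGS" form, trimmed from the ps output in the question.
SAMPLE_PS='root 1635 /usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock
me 2256 rootlesskit --net=slirp4netns /usr/bin/dockerd-rootless.sh
me 2362 dockerd
me 2390 containerd --config /run/user/1000/docker/containerd/containerd.toml'

# Read "USER PID ARGS..." lines on stdin; print "mode pid user" for each dockerd process.
classify_daemons() {
  awk '{
    n = split($3, parts, "/"); exe = parts[n]    # basename of argv[0]
    if (exe != "dockerd") next                   # skip rootlesskit, containerd, grep
    mode = ($1 == "root") ? "rootful" : "rootless"
    print mode, $2, $1
  }'
}

# Classify a client endpoint: the rootless socket lives under /run/user/<uid>/.
endpoint_mode() {
  case "$1" in
    unix:///run/user/[0-9]*/docker.sock) echo rootless ;;
    unix:///var/run/docker.sock|unix:///run/docker.sock) echo rootful ;;
    *) echo unknown ;;
  esac
}

# Server-side confirmation: a rootless daemon lists name=rootless in SecurityOptions.
server_is_rootless() {
  case "$1" in *name=rootless*) return 0 ;; *) return 1 ;; esac
}

# Run the same three checks against the live host (call this yourself; needs docker).
live_check() {
  ps -eo user=,pid=,args= | classify_daemons
  endpoint_mode "$(docker context inspect --format '{{.Endpoints.docker.Host}}')"
  if server_is_rootless "$(docker info --format '{{.SecurityOptions}}')"; then
    echo "server reports rootless"
  else
    echo "server does not report rootless"
  fi
}

# Offline demonstration on the constructed sample: one rootful and one rootless daemon.
printf '%s\n' "$SAMPLE_PS" | classify_daemons
```

A `rootful` line in the output after the system unit has been stopped and disabled means a root-owned daemon is still listening, regardless of which context the client is set to.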