Sharing images, containers, and volumes between two users in rootless mode

Hello Docker community! :slight_smile:

I’ve recently been exploring the rootless mode. It’s a great security improvement that I’d like to bring to my self-managed servers.

Currently, the docker user is added to the sudo group, and any user who needs access to docker CLI needs to be a part of the docker group. This is per the Post-installation steps for Linux documentation.

Now, upon a move to rootless Docker as detailed in the official docs, each user will have their own docker configuration and their own data root path under their own home directory.

Unfortunately, one of these servers is shared by multiple people and the images/containers/volumes need to be available to all the users. My idea at the moment is that I should go ahead and update the daemon config for each user at ~/.config/docker/daemon.json and point the data directory to a shared path: /srv/docker/orgName/

…where orgName would have group read-write-execute permissions so all users on that group can access this shared docker data dir.

One, am I heading in this correct direction? Would rootless Docker pick this up for all users whose daemon points to this data dir?

Two, are there any security implications with this?

Looks like docker sets the permission of its data-root to 711, and then any other user also trying to start their docker service cannot – as they no longer have permissions to chmod the shared directory.

Not sure how to proceed further right now. Any help would be appreciated. :frowning:

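A small check for the setup described above, added here as an example and not part of the original post: it writes the per-user rootless daemon.json pointing at the shared data-root and reports whether that directory is still group-writable or has been reset to 711 by a daemon start. It assumes a Linux host with GNU coreutils (`stat -c`); the helper names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes Linux with GNU
# coreutils and a rootless daemon reading ~/.config/docker/daemon.json.
# Helper names are hypothetical.

# Write a per-user rootless daemon.json whose data-root is SHARED.
# Usage: write_rootless_daemon_json /srv/docker/orgName [config-path]
write_rootless_daemon_json() {
    shared="$1"
    cfg="${2:-$HOME/.config/docker/daemon.json}"
    mkdir -p "$(dirname "$cfg")"
    printf '{\n  "data-root": "%s"\n}\n' "$shared" > "$cfg"
    printf '%s\n' "$cfg"
}

# Classify the shared data-root as the next user's daemon would see it.
# Prints one of:
#   missing    - directory does not exist
#   group-rwx  - group digit is 7 (the intended shared setup)
#   locked     - group lacks rwx, e.g. 711 after a daemon chmod
classify_data_root() {
    dir="$1"
    if [ ! -d "$dir" ]; then
        printf 'missing\n'
        return 0
    fi
    mode=$(stat -c '%a' "$dir")
    # The group digit is the second-to-last octal digit (works for
    # 3-digit and 4-digit modes such as 2775).
    case "$mode" in
        *7?) printf 'group-rwx\n' ;;
        *)   printf 'locked\n' ;;
    esac
}

# Example use (commented so the file is safe to source):
#   cfg=$(write_rootless_daemon_json /srv/docker/orgName)
#   classify_data_root /srv/docker/orgName
```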