Running Secure, Rootless Docker Containers on a Docker Host

Running Docker containers as a non-root user, also known as rootless mode, is a significant step towards enhancing the security of your containerized applications. It limits the impact of a daemon or container compromise because neither the Docker daemon nor the containers run with root privileges on the host. This article guides you through setting up and securing rootless Docker containers on a Docker host.

1. Understanding Rootless Docker

Rootless Docker allows the Docker daemon and containers to run without root privileges on the host. This is achieved by executing the daemon and the containers inside a user namespace, which maps the user IDs and group IDs seen inside the namespace onto unprivileged IDs on the host, so "root" inside a container is an ordinary user outside it. A process that breaks out of a container therefore lands as an unprivileged host user rather than as root, which significantly reduces the risk of privilege escalation.

2. Prerequisites

Before setting up rootless Docker, ensure the following prerequisites are met:

  • Install newuidmap and newgidmap: These setuid helpers are needed to map more than a single UID/GID into the user namespace, which images whose files are owned by several users require. They are typically provided by the uidmap package on most Linux distributions.
  • Configure /etc/subuid and /etc/subgid: These files should grant the user that will run the daemon at least 65,536 subordinate UIDs/GIDs.

3. Setting Up Rootless Docker

Follow these steps to set up rootless Docker:

  1. Install Docker: Ensure Docker is installed on your system. You can follow the official Docker installation guide for your specific Linux distribution.
  2. Install Rootless Docker Extras: Run the following command (the Debian/Ubuntu package name is shown; use your distribution's equivalent) to install the necessary rootless Docker components:
    sudo apt-get install -y docker-ce-rootless-extras
  3. Configure environment variables: Add the following environment variables to your shell configuration file (e.g., .bashrc or .zshrc):
    export PATH=/usr/bin:$PATH
    export DOCKER_HOST=unix:///run/user/$(id -u)/docker.sock
  4. Start rootless Docker: Initialize and start the rootless Docker daemon:
    dockerd-rootless-setuptool.sh install
    systemctl --user start docker
    systemctl --user enable docker
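Before running the setup tool, it is worth verifying the prerequisites from section 2 for the account that will own the daemon. The script below is an added example, not part of the original article or of Docker's own tooling; it parses the user:first_id:count entries in /etc/subuid and /etc/subgid, checks the uidmap helpers, and, once the daemon is up, confirms it advertises rootless mode.

```shell
#!/bin/sh
# Added example (not from the article): check rootless-Docker prerequisites.
# Lines in /etc/subuid and /etc/subgid have the form  user:first_id:count,
# where the first field may be a login name or a numeric UID.

# Print the total number of subordinate IDs granted to NAME or UID in FILE.
sub_id_total() {
  file="$1"; name="$2"; uid="$3"
  awk -F: -v n="$name" -v u="$uid" '
    NF == 3 && ($1 == n || $1 == u) { total += $3 }
    END { printf "%d\n", total }' "$file"
}

# Succeed only if NAME/UID owns at least 65536 subordinate IDs in FILE.
has_enough_sub_ids() {
  total=$(sub_id_total "$1" "$2" "$3")
  [ "$total" -ge 65536 ]
}

# Succeed only if both mapping helpers from the uidmap package are on PATH.
has_idmap_tools() {
  command -v newuidmap >/dev/null 2>&1 && command -v newgidmap >/dev/null 2>&1
}

# Run every check for the current user; one line per check, non-zero on failure.
check_rootless_prereqs() {
  me=$(id -un); myuid=$(id -u); rc=0
  if has_idmap_tools; then echo "ok   newuidmap/newgidmap found"
  else echo "FAIL newuidmap/newgidmap missing (install the uidmap package)"; rc=1; fi
  for f in /etc/subuid /etc/subgid; do
    if [ -r "$f" ] && has_enough_sub_ids "$f" "$me" "$myuid"; then
      echo "ok   $f grants $(sub_id_total "$f" "$me" "$myuid") IDs to $me"
    else echo "FAIL $f grants fewer than 65536 IDs to $me"; rc=1; fi
  done
  # After setup, a rootless daemon lists name=rootless among its security options.
  if command -v docker >/dev/null 2>&1 &&
     docker info --format '{{.SecurityOptions}}' 2>/dev/null | grep -q rootless; then
    echo "ok   docker daemon reports rootless mode"
  fi
  return $rc
}

# Usage: . ./check_rootless.sh && check_rootless_prereqs
```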

4. Security Best Practices

To ensure your rootless Docker setup is secure, follow these best practices:

  • Use minimal base images: Choose minimal and secure base images to reduce the attack surface. Avoid using images with unnecessary packages and services.
  • Run containers with non-root users: Even in rootless mode, a process running as root inside the container has full privileges over everything inside it, so configure your containers to run as non-root users within the container as well.
  • Enable Docker Content Trust: Use Docker Content Trust to verify the authenticity of Docker images. This ensures that you are running trusted images.
  • Network segmentation: Isolate container networks to limit the potential impact of a compromised container. Use Docker’s network features to create isolated networks for different applications.
  • Regular updates: Keep your Docker daemon, containers, and host operating system up to date with the latest security patches.

Conclusion

Running Docker containers in rootless mode is a powerful way to enhance the security of your containerized applications. By following the steps and best practices outlined in this article, you can set up a secure Docker environment that minimizes the risk of privilege escalation and other security vulnerabilities. Always stay informed about the latest security updates and practices to maintain a robust and secure Docker infrastructure.

If you have any questions or need further assistance, feel free to ask!
