Commit 8e4e838

engine/security/rootless: remove outdated/duplicated info
Setup:
- `dockerd-rootless-setuptool.sh` has been improved to show help when the prerequisites are not satisfied. Users no longer need to read the **lengthy** "prerequisites" documentation unless they encounter issues.
- The document had duplicated descriptions about dbus, uidmap, and machinectl stuff in several places.

Graph drivers:
- Rootless OverlayFS has been merged into the upstream since kernel 5.11: torvalds/linux@459c7c5. Ubuntu no longer patches the kernel.
- FUSE-OverlayFS is typically no longer needed on the current supported distros, except EL 8.

SELinux:
- Remove a workaround for an issue that was already fixed in Docker Engine v20.10.8.

CLI:
- `docker context use rootless` no longer needs to be executed manually, since Docker v23. (moby/moby PR 43061)

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
1 parent bc4ed83 commit 8e4e838

3 files changed: +41 / -46 lines changed

content/manuals/engine/security/rootless/_index.md

Lines changed: 34 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -45,6 +45,9 @@ $ grep ^$(whoami): /etc/subgid
4545
testuser:231072:65536
4646
```
4747

48+
The `dockerd-rootless-setuptool.sh install` script (see following) automatically shows help
49+
when the prerequiresites are not satisfied.
50+
4851
## Install
4952

5053
> [!NOTE]
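Review bot: typo in the added sentence: `prerequiresites` should be `prerequisites`, and `(see following)` reads awkwardly; suggest "The `dockerd-rootless-setuptool.sh install` script (see below) automatically shows help when the prerequisites are not satisfied." Since this sentence is what replaces the removed per-distribution checklist, it would also help to say which checks the script performs (at least the `/etc/subuid` and `/etc/subgid` entries shown just above it), so a reader who gets a message from the script knows where to look.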
@@ -73,9 +76,15 @@ $ dockerd-rootless-setuptool.sh install
7376
[INFO] To control docker.service, run: `systemctl --user (start|stop|restart) docker.service`
7477
[INFO] To run docker.service on system startup, run: `sudo loginctl enable-linger testuser`
7578
76-
[INFO] Make sure the following environment variables are set (or add them to ~/.bashrc):
79+
[INFO] Creating CLI context "rootless"
80+
Successfully created context "rootless"
81+
[INFO] Using CLI context "rootless"
82+
Current context is now "rootless"
7783
84+
[INFO] Make sure the following environment variable(s) are set (or add them to ~/.bashrc):
7885
export PATH=/usr/bin:$PATH
86+
87+
[INFO] Some applications may require the following environment variable too:
7988
export DOCKER_HOST=unix:///run/user/1000/docker.sock
8089
```
8190
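Review bot: the sample output now shows a CLI context being created and selected and, a few lines later, `DOCKER_HOST` being exported, but nothing says how the two interact. An exported `DOCKER_HOST` takes precedence over the active context, so a reader who already exports a rootful `DOCKER_HOST` in `~/.bashrc` will not be talking to the rootless daemon despite the `Current context is now "rootless"` message. Suggest one sentence after the block: leave `DOCKER_HOST` unset, or point it at the rootless socket, for the context to take effect.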
@@ -101,9 +110,15 @@ $ curl -fsSL https://get.docker.com/rootless | sh
101110
[INFO] To control docker.service, run: `systemctl --user (start|stop|restart) docker.service`
102111
[INFO] To run docker.service on system startup, run: `sudo loginctl enable-linger testuser`
103112

104-
[INFO] Make sure the following environment variables are set (or add them to ~/.bashrc):
113+
[INFO] Creating CLI context "rootless"
114+
Successfully created context "rootless"
115+
[INFO] Using CLI context "rootless"
116+
Current context is now "rootless"
105117

118+
[INFO] Make sure the following environment variable(s) are set (or add them to ~/.bashrc):
106119
export PATH=/home/testuser/bin:$PATH
120+
121+
[INFO] Some applications may require the following environment variable too:
107122
export DOCKER_HOST=unix:///run/user/1000/docker.sock
108123
```
109124

@@ -112,4 +127,21 @@ The binaries will be installed at `~/bin`.
112127
{{< /tab >}}
113128
{{< /tabs >}}
114129

130+
Run `docker info` to confirm that the `docker` client is connecting to the Rootless daemon:
131+
```console
132+
$ docker info
133+
Client: Docker Engine - Community
134+
Version: 28.3.3
135+
Context: rootless
136+
...
137+
Server:
138+
...
139+
Security Options:
140+
seccomp
141+
Profile: builtin
142+
rootless
143+
cgroupns
144+
...
145+
```
146+
115147
See [Troubleshooting](./troubleshoot.md) if you faced an error.
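Review bot: the verification step is a good addition, but the sentence only says the client "is connecting to the Rootless daemon"; the line that actually proves this is `rootless` under `Security Options` on the `Server:` side, while `Context: rootless` under `Client:` only shows which endpoint the CLI selected. Suggest naming both lines in the sentence. `Version: 28.3.3` is a concrete release number in a page that otherwise speaks of "Docker Engine v23.0" and later; the `...` elision already used in the block could cover it so the sample does not go stale. In the unchanged context line, `if you faced an error` would read better as `if you encounter an error`.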

content/manuals/engine/security/rootless/tips.md

Lines changed: 5 additions & 2 deletions
@@ -5,7 +5,7 @@ title: Tips
55
weight: 20
66
---
77

8-
## Usage
8+
## Advanced Usage
99

1010
### Daemon
1111

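Review bot: renaming the heading changes its anchor from `#usage` to `#advanced-usage`, so every in-repo link to `tips.md#usage` needs updating; this commit updates the one in `troubleshoot.md`, but a grep for `tips.md#usage` across `content/` would confirm there are no others. Also, "Advanced Usage" now heads a section whose `### Client` subsection describes the default behaviour of `dockerd-rootless-setuptool.sh install`, which is not advanced; consider whether that paragraph belongs in `_index.md` instead.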
@@ -56,7 +56,10 @@ Remarks about directory paths:
5656

5757
### Client
5858

59-
You need to specify either the socket path or the CLI context explicitly.
59+
Since Docker Engine v23.0, `dockerd-rootless-setuptool.sh install` automatically configures
60+
the `docker` CLI to use the `rootless` context.
61+
62+
Prior to Docker Engine v23.0, a user had to specify either the socket path or the CLI context explicitly.
6063

6164
To specify the socket path using `$DOCKER_HOST`:
6265

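Review bot: the added paragraph frames socket-path and context selection as pre-v23.0 history, but the instructions that follow (`To specify the socket path using $DOCKER_HOST:`) are still useful on current versions, for example when the daemon was installed without the setuptool, or when a shell already exports a different `DOCKER_HOST`, which overrides the active context. Suggest wording the second sentence as "You can still select the daemon explicitly, either by socket path or by CLI context:" so the steps below are not read as obsolete. The two consecutive "Docker Engine v23.0" mentions could also be collapsed into one ("Earlier versions required ...").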
content/manuals/engine/security/rootless/troubleshoot.md

Lines changed: 2 additions & 42 deletions
@@ -7,19 +7,8 @@ weight: 30
77

88
### Distribution-specific hint
99

10-
> [!TIP]
11-
>
12-
> We recommend that you use the Ubuntu kernel.
13-
1410
{{< tabs >}}
1511
{{< tab name="Ubuntu" >}}
16-
- Install `dbus-user-session` package if not installed. Run `sudo apt-get install -y dbus-user-session` and relogin.
17-
- Install `uidmap` package if not installed. Run `sudo apt-get install -y uidmap`.
18-
- If running in a terminal where the user was not directly logged into, you will need to install `systemd-container` with `sudo apt-get install -y systemd-container`, then switch to TheUser with the command `sudo machinectl shell TheUser@`.
19-
20-
- `overlay2` storage driver is enabled by default
21-
([Ubuntu-specific kernel patch](https://kernel.ubuntu.com/git/ubuntu/ubuntu-bionic.git/commit/fs/overlayfs?id=3b7da90f28fe1ed4b79ef2d994c81efbc58f1144)).
22-
2312
- Ubuntu 24.04 and later enables restricted unprivileged user namespaces by
2413
default, which prevents unprivileged processes in creating user namespaces
2514
unless an AppArmor profile is configured to allow programs to use
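Review bot: the `dbus-user-session`, `uidmap` and `machinectl` bullets are dropped from the Ubuntu tab on the grounds (commit message) that they are duplicated elsewhere and that the setuptool reports missing prerequisites. That holds for packages the script can detect, but the `machinectl shell TheUser@` guidance covers a session problem (`sudo -iu` shells without a systemd user instance) that only surfaces once the daemon fails to start. This page still has a `sudo -iu <USERNAME>` / `pam_systemd` entry further down (visible in the last hunk's context), so a one-line pointer from this tab to that entry would keep it discoverable. The removed `overlay2` bullet is fine to go: with the kernel-5.11 statement in Known limitations the Ubuntu kernel-patch link is no longer needed.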
@@ -56,30 +45,11 @@ weight: 30
5645
```
5746

5847
{{< /tab >}}
59-
{{< tab name="Debian GNU/Linux" >}}
60-
- Install `dbus-user-session` package if not installed. Run `sudo apt-get install -y dbus-user-session` and relogin.
61-
62-
- For Debian 11, installing `fuse-overlayfs` is recommended. Run `sudo apt-get install -y fuse-overlayfs`.
63-
This step is not required on Debian 12.
64-
65-
- Rootless docker requires version of `slirp4netns` greater than `v0.4.0` (when `vpnkit` is not installed).
66-
Check you have this with
67-
68-
```console
69-
$ slirp4netns --version
70-
```
71-
If you do not have this download and install with `sudo apt-get install -y slirp4netns` or download the latest [release](https://github.com/rootless-containers/slirp4netns/releases).
72-
{{< /tab >}}
7348
{{< tab name="Arch Linux" >}}
74-
- Installing `fuse-overlayfs` is recommended. Run `sudo pacman -S fuse-overlayfs`.
75-
7649
- Add `kernel.unprivileged_userns_clone=1` to `/etc/sysctl.conf` (or
7750
`/etc/sysctl.d`) and run `sudo sysctl --system`
7851
{{< /tab >}}
7952
{{< tab name="openSUSE and SLES" >}}
80-
- For openSUSE 15 and SLES 15, Installing `fuse-overlayfs` is recommended. Run `sudo zypper install -y fuse-overlayfs`.
81-
This step is not required on openSUSE Tumbleweed.
82-
8353
- `sudo modprobe ip_tables iptable_mangle iptable_nat iptable_filter` is required.
8454
This might be required on other distributions as well depending on the configuration.
8555

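Review bot: removing the whole Debian tab also removes the only statement in this section of the `slirp4netns` minimum version (`greater than v0.4.0` when `vpnkit` is not installed) and the `slirp4netns --version` check. Unlike the `fuse-overlayfs` bullets, that requirement is not distribution-specific and is not covered by the kernel-5.11 rationale in the commit message, so confirm it is stated in the prerequisites in `_index.md`, or move the bullet into a general part of this page, before deleting the tab. The `fuse-overlayfs` removals for Arch and openSUSE match the "no longer needed except EL 8" rationale; a short EL 8 note would keep that exception on the page.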
@@ -96,7 +66,7 @@ weight: 30
9666
## Known limitations
9767

9868
- Only the following storage drivers are supported:
99-
- `overlay2` (only if running with kernel 5.11 or later, or Ubuntu-flavored kernel)
69+
- `overlay2` (only if running with kernel 5.11 or later)
10070
- `fuse-overlayfs` (only if running with kernel 4.18 or later, and `fuse-overlayfs` is installed)
10171
- `btrfs` (only if running with kernel 4.18 or later, or `~/.local/share/docker` is mounted with `user_subvol_rm_allowed` mount option)
10272
- `vfs`
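Review bot: the `overlay2` bullet now correctly depends only on kernel 5.11 or later, but the following `fuse-overlayfs` bullet still does not say when it is the driver to pick. Given the commit message's "except EL 8", adding "needed on kernels older than 5.11, for example EL 8" to that bullet would tell the reader which driver to expect on their system.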
@@ -197,17 +167,7 @@ Instead of `sudo -iu <USERNAME>`, you need to log in using `pam_systemd`. For ex
197167
**The daemon does not start up automatically**
198168

199169
You need `sudo loginctl enable-linger $(whoami)` to enable the daemon to start
200-
up automatically. See [Usage](./tips.md#usage).
201-
202-
**iptables failed: iptables -t nat -N DOCKER: Fatal: can't open lock file /run/xtables.lock: Permission denied**
203-
204-
This error may happen with an older version of Docker when SELinux is enabled on the host.
205-
206-
The issue has been fixed in Docker 20.10.8.
207-
A known workaround for older version of Docker is to run the following commands to disable SELinux for `iptables`:
208-
```console
209-
$ sudo dnf install -y policycoreutils-python-utils && sudo semanage permissive -a iptables_t
210-
```
170+
up automatically. See [Advanced Usage](./tips.md/#advanced-usage).
211171

212172
### `docker pull` errors
213173

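Review bot: the updated link is `./tips.md/#advanced-usage`, which inserts a `/` between the filename and the fragment that the original `./tips.md#usage` did not have; the other links in these pages use the `./troubleshoot.md` and `./tips.md#...` form, so the slash looks like a typo and should either be verified to resolve in the rendered site or dropped. Removing the SELinux `xtables.lock` workaround is consistent with the commit message (fixed in 20.10.8), and the `semanage permissive -a iptables_t` advice is not something to keep around anyway; since the error string is what users search for, a one-line entry saying "fixed in Docker 20.10.8; upgrade" would keep the search hit without the workaround.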