Introduction
This is a write up summarizing the process I went through at work to configure Linux hosts with rootless docker. After figuring out the manual way to do things I further automated it with an ansible playbook, as there’s a lot of per-user stuff you have to do that quickly becomes untenable to do manually, even if you’re only doing it on one host, and really out of hand if you have multiple hosts.
This document will outline the key steps for configuring rootless docker for users and the associated ansible tasks required for it. I’m not going to show every aspect of setting up ansible like creating the inventory of hosts, just the components that are specific to rootless docker.
I previously documented the manual approach I took while figuring all this out in this post.
Why rootless docker?
Briefly, let me describe what motivated this approach. At work we have a number of teams that want to use docker, either for a development environment in devcontainers, building containers for deployment, or both. All of our laptops run Windows, so the immediate obvious solution would be to install docker desktop. Unfortunately, that installation required turning on some services that we had disabled for security reasons, so we were not able to proceed with that approach. The next option would be docker on a remote Linux host. The traditional way of installing docker means that anyone who has access to work with docker effectively has root access to the system they’re running it on. This obviously presents a security issue on a shared machine, and the cost and complexity of giving every user their own VM was not practical, particularly for users that required GPUs for some of their workloads. Given these constraints, I set out to configure rootless docker so that multiple users could securely share a remote Linux instance and work in docker without security concerns. This has the added benefit of allowing users to do things like stop all their running containers with docker container stop $(docker container ls -aq)
without stopping everyone else’s.
Install the docker engine
This part of the playbook is the same whether or not you’re going to do rootless, but I’ll include it for completeness. We’re basically following the docker install instructions in ansible format. This particular playbook assumes the host OS is Ubuntu, and will need slight modification for other distributions:
- name: Install docker pre-requisites
ansible.builtin.apt:
pkg:
- ca-certificates
- curl
- gnupg
- lsb-release
# Necessary for rootless installer
- uidmap
- name: Add docker gpg key
ansible.builtin.shell: |
install -m 0755 -d /etc/apt/keyrings && \
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | gpg --dearmor -o /etc/apt/keyrings/docker.gpg && \
chmod a+r /etc/apt/keyrings/docker.gpg args:
creates: "/etc/apt/keyrings/docker.gpg"
- name: add docker repository to apt
apt_repository:
repo: "deb [arch=amd64 signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu {{ ansible_distribution_release }} stable"
state: present
- name: Install docker
ansible.builtin.apt:
pkg:
- docker-ce
- docker-ce-cli
- containerd.io
- docker-compose-plugin
Figuring out how to correctly create the GPG key and the associated apt repository was a bit tricky. Originally I wanted to use apt_key but it’s been deprecated due to security concerns. For whatever reason using the alternate examples provided in the docs with get_url didn’t seem to work. I’m not totally clear on what the gpg --dearmor
is doing in the above playbook, but it’s definitely necessary. Fortunately it’s easy to make that script idempotent with the creates
argument for the task.
Perform rootless docker setup
This is where the meat of the install goes. This assumes you’ve got a list somewhere of all the users you want to configure for rootless docker and their UIDs. If your users are all members of AD groups then you can do something like what I document in this post to get that fact set in your playbook.
Create /etc/subuid and /etc/subgid
The next thing we do is configure which UID and GID ranges on the host machine should be uniquely mapped for each user into their docker daemon. We want to reserve a range of IDs for each user so that permissions for a user within a container do not provide privilege escalation outside the container. Just as an aside, in a rootless runtime, UID 0 or root inside the container maps to the user that is running docker and their UID outside the container, so be sure to run your containers as root if you have any volumes bind mounted and don’t want to have to deal with weird permission issues.
- name: apply subuid and subgid settings for mapping
ansible.builtin.template:
src: subid.j2
dest: /etc/{{ item }}
owner: root
group: root
mode: '0644'
with_items:
- "subuid"
- "subgid"
The task itself is quite straightforward, where the magic happens is in the template:
# {{ ansible_managed }}
{% for user in users_dict %}
{{ user.user }}:{{100000 + (loop.index0 * 65536)}}:65536
{% endfor %}
As mentioned, for each user we want a non-overlapping range of UIDs. In the docker docs they give each user a range of 65536 UIDs to use and start at 100000, which we reproduce here. The format of each entry is username:start UID range:size of range
. We ensure this is non overlapping by multiplying the index of the loop we’re on by the size of the UID range. /etc/subuid
and /etc/subgid
have the exact same format so in the playbook we just apply the same template to both files.
Stop the root level docker service
This will conflict with the user level docker service, so we have to ensure it’s stopped:
- name: Make sure the root level docker service is stopped and disabled
ansible.builtin.systemd:
name: "{{ item }}"
state: stopped
enabled: false
with_items:
- "docker.service"
- "docker.socket"
Create home directories for each user
This is potentially being run on a newly created machine with users from Active Directory. Because of this, the users may not have a home directory created for them before they log in, so we have to ensure it’s created in order to copy later user level config files into it. We also create an ansible temp directory at this stage to suppress a warning.
I’m not totally sure the home directory creation needs to be done as a separate task, since the temp directory will create all parent folders necessary, but I wrote the first task before I realized I needed the second, and it’s nice to separate out the reasons for each step.
- name: Make sure home directory exists
ansible.builtin.file:
path: "/home/{{ item.user }}"
owner: "{{ item.user }}"
group: "domain users@example.com"
state: directory
mode: '0755'
with_items: "{{ users_dict }}"
- name: Make sure the ansible temp dir exists for each user
ansible.builtin.file:
path: "/home/{{ item.user }}/.ansible/tmp"
owner: "{{ item.user }}"
group: "domain users@example.com"
state: directory
mode: '0700'
with_items: "{{ users_dict }}"
Your value for group
will likely be different, but you get the idea.
Create an entry in /etc/passwd
This is another feature of using domain users. Domain users don’t appear to automatically get an entry in /etc/passwd
that lists things like their default shell. Even though users may have their default shell set to bash
by PAM
or whatever else, VS code doesn’t seem to recognize this without an /etc/passwd
record, which causes it to try and run devcontainers through /bin/sh
, which means your ~/.bashrc
doesn’t get loaded, which causes problems you’ll see in future steps. The TLDR is we want to manually create a record for each user in /etc/passwd
. If you’re not dealing with users managed by AD then you can probably skip all this.
- name: Get lines for /etc/passwd
ansible.builtin.shell: |
getent passwd {{ item.user }} register: getentstask
with_items: "{{ users_dict }}"
changed_when: false
- name: Filter results to just stdout
set_fact:
getents: "{{getentstask.results | map(attribute='stdout')}}"
- name: Make sure there's a line in /etc/passwd
ansible.builtin.lineinfile:
path: /etc/passwd
line: "{{ item }}"
with_items: "{{ getents }}"
This feels a bit weird. In theory running getent passwd <user>
should just be returning exactly what’s in /etc/passwd
for that user to stdout
so taking that result from stdout
and putting it in /etc/passwd
feels a bit circular, but it’s necessary for AD users.
Turn on linger for users
Turning this on allows user level services like rootless docker to persist when the user is not logged in. If we want users to be able to host small apps with docker from their user account for testing without being logged in all the time this is handy
- name: Turn on linger for all users
become: true
ansible.builtin.command:
args:
cmd: "loginctl enable-linger {{ item.user }}"
creates: "/var/lib/systemd/linger/{{ item.user }}"
with_items: "{{ users_dict }}"
Don’t ask me why I used command
here and shell
in the previous one. I should really just use shell
all the time.
Run the installer
- name: Run the rootless docker installer
become: true
become_user: "{{ item.user }}"
ansible.builtin.command:
args:
cmd: dockerd-rootless-setuptool.sh install
creates: "/home/{{ item.user }}/.docker/config.json"
environment:
XDG_RUNTIME_DIR: "/run/user/{{ item.uid }}"
with_items: "{{ users_dict }}"
Note the call to become_user
, that’s important. You can’t run the install script as root and tell it to do it for a specific user, at least I couldn’t figure out how, so we need to actually run this as the user we want. Also note that setting XDG_RUNTIME_DIR
is necessary for successful completion of the install and requires you to know the UID of the user you’re configuring. Failing to set this variable will result in the script still running but the daemon and user service not actually being installed.
Set bashrc to export the docker socket
At this point users have docker installed and should be able to run docker run hello-world
or some other similar test. We do have to take an extra step to get it to work with VS code though, and that’s setting an environment variable that points to the docker socket. This is the part I mentioned above that won’t work if you don’t have your default shell set to bash in /etc/passwd
.
- name: Make sure bashrc exports the docker socket
become: true
become_user: "{{ item.user }}"
ansible.builtin.lineinfile:
path: "/home/{{ item.user }}/.bashrc"
line: "export DOCKER_HOST=unix:///run/user/$(id -u)/docker.sock"
create: true
with_items: "{{ users_dict }}"
Conclusion
Setting up rootless docker for an individual user isn’t a ton of work, but trying to scale that to multiple users on multiple machines begs for automation or else you’re pretty much guaranteed to waste time and make errors. The steps above should help you set up rootless docker for users with ansible.