Create the rootless user from the root account:
sudo adduser rootless
Then, still from the root account, enable lingering so that the user's systemd instance (and with it the docker daemon) keeps running after logout:
loginctl enable-linger rootless
Test with:
ls /var/lib/systemd/linger
Then ssh to that instance as the newly created rootless account. Rootless Docker has to be installed as the rootless account itself, from a real login session. It will not work if you do
su rootless
from the root account: a su shell does not get the user's own systemd instance and XDG_RUNTIME_DIR, which the rootless setup relies on. An ssh login (or machinectl shell rootless@) gives a proper user session.
Instead of granting rootlesskit cap_net_bind_service with setcap so that it can bind ports below 1024, remove any such capability from the binary and use iptables to forward 80 and 443 to unprivileged ports:
sudo setcap -r /home/rootless/bin/rootlesskit
# inbound connections arriving on the external interface
sudo iptables -t nat -A PREROUTING -i enp1s0 -p tcp --dport 80 -j REDIRECT --to-ports 8080
sudo iptables -t nat -A PREROUTING -i enp1s0 -p tcp --dport 443 -j REDIRECT --to-ports 8443
# locally generated connections (curl from the host itself). Do not use the unrestricted form:
# it would redirect every outbound HTTP connection the host makes (apt, docker pull) to port 8080
#sudo iptables -t nat -I OUTPUT -p tcp --dport 80 -j REDIRECT --to-ports 8080
# restrict it to the loopback destination instead
sudo iptables -t nat -I OUTPUT -p tcp -d 127.0.0.1 --dport 80 -j REDIRECT --to-ports 8080
sudo iptables -t nat -I OUTPUT -p tcp -d 127.0.0.1 --dport 443 -j REDIRECT --to-ports 8443
# Check the result, then persist across reboots with iptables-persistent
sudo iptables -t nat -L -n -v --line-numbers
sudo iptables-save
sudo apt install iptables-persistent
sudo iptables-save > /etc/iptables/rules.v4
# (the redirection above is done by your own shell, not by sudo; if it fails with
# "Permission denied" use: sudo sh -c 'iptables-save > /etc/iptables/rules.v4'
# or simply: sudo netfilter-persistent save)
# Delete an iptables rule: list with line numbers first, then delete by chain and number
sudo iptables -t nat -L -n -v --line-numbers
sudo iptables -t nat -D OUTPUT 1
sudo apt-get install slirp4netns
With the default setup, containers see every incoming connection as coming from 127.0.0.1 instead of the client's real address. This is because Docker in rootless mode uses RootlessKit's builtin port driver by default.
The source IP addresses can be propagated by creating (mkdir -p the directory first)
nano ~/.config/systemd/user/docker.service.d/override.conf
with the following content:
[Service]
Environment="DOCKERD_ROOTLESS_ROOTLESSKIT_PORT_DRIVER=slirp4netns"
Environment="DOCKERD_ROOTLESS_ROOTLESSKIT_MTU=65520"
For the MTU value see the RootlessKit benchmark table below: with slirp4netns, MTU=65520 raises throughput from about 1 Gbps (MTU=1500) to over 7 Gbps.
And then restart the daemon:
systemctl --user daemon-reload
systemctl --user restart docker
RootlessKit provides several drivers for providing network connectivity:
  --net=host          use host network namespace (default)
  --net=slirp4netns   use slirp4netns (recommended)
  --net=vpnkit        use VPNKit
  --net=lxc-user-nic  use lxc-user-nic (experimental)
Benchmark: iperf3 from the child to the parent (Mar 8, 2020):
  Driver                                MTU=1500     MTU=65520
  slirp4netns                           1.06 Gbps    7.55 Gbps
  slirp4netns (with sandbox + seccomp)  1.05 Gbps    7.21 Gbps
  vpnkit                                0.60 Gbps    (Unsupported)
  lxc-user-nic                          31.4 Gbps    30.9 Gbps
  (rootful veth)                        (38.7 Gbps)  (40.8 Gbps)
Note that switching the port driver to slirp4netns decreases throughput. See the RootlessKit documentation for the benchmark result.
To expose ports in the network namespace to the host network namespace, --port-driver needs to be specified. The default value is none (do not expose ports).
  --port-driver       Throughput  Source IP
  slirp4netns         6.89 Gbps   Propagated
  socat (Deprecated)  7.80 Gbps   Always 127.0.0.1
  builtin             30.0 Gbps   Always 127.0.0.1
(Benchmark: iperf3 from the parent to the child (Mar 8, 2020))
The builtin driver is fastest, but be aware that the source IP is not propagated and is always set to 127.0.0.1.
Notes:
In case of:
docker: Error response from daemon: driver failed programming external connectivity on endpoint traefik (): Error starting userland proxy: error while calling PortManager.AddPort(): reply.Error: map[desc:bad request: add_hostfwd: slirp_add_hostfwd failed].
restart the daemon:
systemctl --user daemon-reload
systemctl --user restart docker
Without lingering, the daemon exits when the user logs out, because the user's systemd instance stops with the session.
The systemd unit file is installed as ~/.config/systemd/user/docker.service.
Use systemctl --user to manage the lifecycle of the daemon:
systemctl --user start docker
To launch the daemon on system startup, enable the systemd service and lingering:
systemctl --user enable docker
sudo loginctl enable-linger $(whoami)
Starting Rootless Docker as a systemd-wide service (/etc/systemd/system/docker.service) is not supported, even with the User= directive.
Remarks about directory paths:
The socket path is set to $XDG_RUNTIME_DIR/docker.sock by default.
$XDG_RUNTIME_DIR is typically set to /run/user/$UID.
The data dir is set to ~/.local/share/docker by default. The data dir should not be on NFS.
The daemon config dir is set to ~/.config/docker by default. This directory is different from ~/.docker that is used by the client.
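An added post-install check for the rootless account (this is not code from these notes or from the Docker docs): it verifies the points made here about lingering, the socket path, the data dir not being on NFS and the enabled user unit, and also whether the override.conf from the port driver section above is in place, since with the builtin driver every client appears as 127.0.0.1. Each check takes its path as a parameter so it can be run against a scratch directory; the defaults are the paths documented above. The function names (rootless_socket_path, linger_enabled, fstype_is_nfs, data_dir_is_nfs, port_driver_override, report, run_checks) and the variables ROOTLESS_CHECK and DATA_DIR are this example's own.

```shell
#!/bin/sh
# Added example, not from these notes or from the Docker docs: a post-install
# check for the rootless account. It covers the override.conf port driver
# switch described above and the daemon/path remarks in this section.
# Every check takes its paths as parameters so it can be exercised against a
# scratch directory; the defaults are the paths the notes document.
# Assumed names (this example's own): rootless_socket_path, linger_enabled,
# fstype_is_nfs, data_dir_is_nfs, port_driver_override, report, run_checks,
# ROOTLESS_CHECK, DATA_DIR.

# rootless_socket_path [RUNTIME_DIR] [UID]
# The daemon listens on $XDG_RUNTIME_DIR/docker.sock; XDG_RUNTIME_DIR is
# normally /run/user/$UID.
rootless_socket_path() {
    runtime_dir=${1:-${XDG_RUNTIME_DIR:-/run/user/${2:-$(id -u)}}}
    printf '%s/docker.sock\n' "$runtime_dir"
}

# linger_enabled USER [LINGER_DIR]
# loginctl enable-linger creates /var/lib/systemd/linger/USER. Without it
# the user's systemd instance, and the daemon with it, stops at logout.
linger_enabled() {
    [ -f "${2:-/var/lib/systemd/linger}/$1" ]
}

# fstype_is_nfs FSTYPE   (the name as printed by "stat -f -c %T")
fstype_is_nfs() {
    case $1 in
        nfs|nfs4) return 0 ;;
        *) return 1 ;;
    esac
}

# data_dir_is_nfs DIR
# The data dir (~/.local/share/docker) must not be on NFS.
# "stat -f -c %T" is GNU coreutils.
data_dir_is_nfs() {
    [ -d "$1" ] || return 1
    fstype=$(stat -f -c %T "$1" 2>/dev/null) || return 1
    fstype_is_nfs "$fstype"
}

# port_driver_override FILE
# 0 when the systemd drop-in selects the slirp4netns port driver (client
# source IPs reach the container), 1 when the builtin driver is still in
# effect and every connection appears to come from 127.0.0.1.
port_driver_override() {
    [ -r "$1" ] || return 1
    grep -q -E '^Environment="?DOCKERD_ROOTLESS_ROOTLESSKIT_PORT_DRIVER=slirp4netns"?[[:space:]]*$' "$1"
}

# report PASS|FAIL MESSAGE   (sets status=1 on any FAIL)
report() {
    printf '%s %s\n' "$1" "$2"
    [ "$1" = PASS ] || status=1
}

# run_checks: evaluate the live system for the current user
run_checks() {
    status=0
    user=$(id -un)
    sock=$(rootless_socket_path)
    override=$HOME/.config/systemd/user/docker.service.d/override.conf
    data_dir=${DATA_DIR:-$HOME/.local/share/docker}

    if linger_enabled "$user"; then report PASS "linger enabled for $user"
    else report FAIL "no linger: sudo loginctl enable-linger $user"; fi

    if [ -S "$sock" ]; then report PASS "daemon socket $sock"
    else report FAIL "no socket at $sock: systemctl --user start docker"; fi

    if [ "${DOCKER_HOST:-}" = "unix://$sock" ]; then report PASS "DOCKER_HOST=$DOCKER_HOST"
    else report FAIL "export DOCKER_HOST=unix://$sock"; fi

    if port_driver_override "$override"; then report PASS "port driver slirp4netns, source IP propagated"
    else report FAIL "builtin port driver, containers see 127.0.0.1 as source"; fi

    if [ ! -d "$data_dir" ]; then report FAIL "data dir $data_dir missing (daemon never started?)"
    elif data_dir_is_nfs "$data_dir"; then report FAIL "data dir $data_dir is on NFS"
    else report PASS "data dir $data_dir not on NFS"; fi

    if command -v systemctl >/dev/null 2>&1; then
        if systemctl --user is-enabled docker >/dev/null 2>&1; then report PASS "docker.service enabled"
        else report FAIL "not enabled at login: systemctl --user enable docker"; fi
    fi
    return $status
}

# Only probe the live system when asked:  ROOTLESS_CHECK=1 sh check.sh
if [ "${ROOTLESS_CHECK:-0}" = 1 ]; then
    run_checks
fi
```

Run it as the rootless user from an ssh session (not from a su shell, for the reason given at the top of the page); a non-zero exit means at least one FAIL line, each of which names the command from these notes that fixes it.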
References:
Run the Docker daemon as a non-root user (Rootless mode), Docker Documentation
GitHub - rootless-containers/rootlesskit: Linux-native "fake root" for implementing rootless containers
Unset setcap additional capabilities on executable (Unix & Linux Stack Exchange, answer by user2943160): https://unix.stackexchange.com/a/657714
Install docker-compose in rootless mode (set up the Docker apt repository first):
https://docs.docker.com/engine/install/ubuntu/#set-up-the-repository