Rootless mode allows running the Docker daemon and containers as a non-root user, to mitigate potential vulnerabilities in the Docker daemon and the container runtime.
Rootless mode does not require root privileges even during the installation of the Docker daemon, as long as a set of prerequisites is met.
This KB article guides you through the process of installing and using rootless Docker, which allows non-root users to run Docker containers and build custom Docker images.
The following steps have been tested on BCM10 with Ubuntu 22.04.
1. Clone the current software image:
cmsh
softwareimage
clone default-image rootless-image
commit
2. Install uidmap and dbus-user-session into the rootless-image:
cm-chroot /cm/images/rootless-image/
apt update && apt install uidmap systemd-container -y
3. Add the users who are allowed to run rootless Docker to /etc/subuid and /etc/subgid in the image. Each entry is of the form user:start:count and reserves a range of subordinate UIDs/GIDs for that user (in this example, we are using the user "cmsupport"):
cm-chroot /cm/images/rootless-image/
echo "cmsupport:100000:65536" >> /etc/subuid
echo "cmsupport:100000:65536" >> /etc/subgid
4. Assign the new software image to the nodes' category (the "dgx" category in this example):
cmsh
category use dgx
set softwareimage rootless-image
commit
5. Reboot the compute nodes.
6. Start Docker as a user.
NOTE: SSH into the compute node as a regular user.
cmsupport@node001:~$ wget https://get.docker.com/rootless
cmsupport@node001:~$ chmod 755 rootless
cmsupport@node001:~$ ./rootless
[...]
[INFO] Creating /var/tmp/cmsupport/.config/systemd/user/docker.service
[INFO] starting systemd service docker.service
+ systemctl --user start docker.service
+ sleep 3
+ systemctl --user --no-pager --full status docker.service
docker.service - Docker Application Container Engine (Rootless)
     Loaded: loaded (/var/tmp/cmsupport/.config/systemd/user/docker.service; disabled; vendor preset: enabled)
     Active: active (running) since Thu 2024-12-05 17:18:16 CET; 3s ago
       Docs: https://docs.docker.com/go/rootless/
   Main PID: 3882 (rootlesskit)
      Tasks: 37
     Memory: 39.1M
[...]
Created symlink /var/tmp/cmsupport/.config/systemd/user/default.target.wants/docker.service → /var/tmp/cmsupport/.config/systemd/user/docker.service.
[INFO] Installed docker.service successfully.
[INFO] To control docker.service, run: `systemctl --user (start|stop|restart) docker.service`
[INFO] To run docker.service on system startup, run: `sudo loginctl enable-linger cmsupport`
[INFO] Creating CLI context "rootless"
Successfully created context "rootless"
[INFO] Using CLI context "rootless"
Current context is now "rootless"
[INFO] Make sure the following environment variable(s) are set (or add them to ~/.bashrc):
export PATH=/var/tmp/cmsupport/bin:$PATH
[INFO] Some applications may require the following environment variable too:
export DOCKER_HOST=unix:///run/user/1000/docker.sock
7. Add the following lines to the .bashrc in the user's home directory:
export PATH=/home/cmsupport/bin:$PATH
export DOCKER_HOST=unix:///run/user/1000/docker.sock
export DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/1000/bus
8. Source .bashrc (or log out and log back in):
cmsupport@node001:~$ . .bashrc
9. If $HOME is on NFS or Lustre, change the "Docker Root Dir" to a directory on a local drive outside of the shared filesystem, by creating ~/.config/docker/daemon.json with a "data-root" entry:
cmsupport@node001:~$ docker info | grep Root
 Docker Root Dir: /home/cmsupport
cmsupport@node001:~$ mkdir ~/.config/docker
cmsupport@node001:~$ cat ~/.config/docker/daemon.json
{
  "data-root": "/var/tmp/cmsupport"
}
10. Stop and start Docker in the user session so that the change from step 9 takes effect:
cmsupport@node001:~$ systemctl --user stop docker
cmsupport@node001:~$ systemctl --user start docker
11. Build a test image:
cmsupport@node001:~$ git clone https://github.com/docker/getting-started-todo-app
cmsupport@node001:~$ cd getting-started-todo-app/
cmsupport@node001:~/getting-started-todo-app$ docker build .
[...]
20: Pulling from library/node
fdf894e782a2: Pull complete
5bd71677db44: Pull complete
551df7f94f9c: Pull complete
ce82e98d553d: Pull complete
28c7f8675398: Pull complete
cd36ddf19b49: Pull complete
24f32f277913: Pull complete
5dd152761f34: Pull complete
[...]
12. Check the images:
cmsupport@node001:~/getting-started-todo-app$ docker images
REPOSITORY   TAG       IMAGE ID       CREATED         SIZE
<none>       <none>    58140c7bda64   5 seconds ago   1.1GB
node         20        6a5391c597b0   2 weeks ago     1.1GB
13. Using rootless Docker with Slurm
13.1 Allocate a node using salloc:
cmsupport@b100-u2204-12-06:~$ salloc -N 1 -w node001
13.2 SSH into the allocated node:
cmsupport@b100-u2204-12-06:~$ ssh node001
13.3 Check that rootless Docker is working:
cmsupport@node001:~$ docker images
REPOSITORY   TAG       IMAGE ID       CREATED         SIZE
<none>       <none>    32c436dc077a   2 minutes ago   1.1GB
node         20        6a5391c597b0   2 weeks ago     1.1GB
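As an added check (an example script written for this article, not part of the BCM product or the KB procedure), the following POSIX shell functions verify the prerequisites from steps 3 and 9 on a node: that the user has a large enough subordinate ID range, that no two users' ranges overlap, and that the chosen data-root is not on NFS or Lustre. The script name rootless-check.sh and the check that ranges do not overlap (which goes slightly beyond what step 3 configures) are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the KB article: sanity checks for the rootless
# Docker prerequisites set up in steps 3 (subuid/subgid) and 9 (data-root).
# Every check takes its inputs as arguments so it can be run on copies of
# /etc/subuid or on a captured /proc/mounts as well as on the live node.

# subid_ok FILE USER: true if FILE (/etc/subuid or /etc/subgid) gives USER
# a subordinate ID range of at least 65536 IDs, as step 3 configures.
subid_ok() {
    awk -F: -v u="$2" '
        $1 == u && $3 + 0 >= 65536 { found = 1 }
        END { exit found ? 0 : 1 }' "$1"
}

# subid_no_overlap FILE: true if no two ranges in FILE overlap.  Overlapping
# ranges would map containers of different users onto the same host UIDs,
# so the per-user isolation that rootless mode provides would be lost.
subid_no_overlap() {
    sort -t: -k2,2n "$1" | awk -F: '
        NR > 1 && $2 + 0 < prev_end { exit 1 }
        { prev_end = $2 + $3 }'
}

# data_root_local ROOT MOUNTS: true if the data-root chosen in step 9 is not
# on NFS or Lustre.  MOUNTS is the text of /proc/mounts; the longest
# mountpoint that is a prefix of ROOT decides the filesystem type.
data_root_local() {
    printf '%s\n' "$2" | awk -v r="$1/" '
        $2 == "/" || index(r, $2 "/") == 1 {
            if (length($2) > length(best)) { best = $2; fstype = $3 }
        }
        END { exit (fstype == "nfs" || fstype == "nfs4" || fstype == "lustre") ? 1 : 0 }'
}

# check_node USER ROOT: run all checks against the live node.
check_node() {
    subid_ok /etc/subuid "$1" || { echo "no subuid range for $1"; return 1; }
    subid_ok /etc/subgid "$1" || { echo "no subgid range for $1"; return 1; }
    subid_no_overlap /etc/subuid || { echo "overlapping ranges in /etc/subuid"; return 1; }
    data_root_local "$2" "$(cat /proc/mounts)" \
        || { echo "data-root $2 is on a network filesystem"; return 1; }
    echo "rootless prerequisites look good for $1 (data-root $2)"
}

# e.g. ./rootless-check.sh cmsupport /var/tmp/cmsupport
if [ "$#" -gt 0 ]; then check_node "$@"; fi
```

Run it on the compute node after step 9 (and again after the nodes have been re-provisioned), since the subuid/subgid entries live in the software image and are only present once the node boots from rootless-image.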