@aKamrani
Last active August 16, 2025 06:55
Docker Rootless (Security Enhanced Mode)
Docker Rootless Install (Security Enhanced Mode)
This installation adds two security enhancements:
1- create two dedicated partitions, one for the Docker data root and one for container volumes, so container data is kept off the root filesystem
2- use an indirect (unprivileged) user for Docker container management: the daemon runs rootless as that user, and other accounts reach it only through that user
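A post-install check for both enhancements, added here as an example; it is not part of the gist. It assumes the user name appuser and the /data mount point used by the install script on this page; the second mount point /data/volumes, the uid 1001 and the constructed /proc/mounts and ps samples are assumptions made for the example.

```bash
#!/bin/bash
# Added example (not from the gist): post-install checks for the two goals on
# this page, a dedicated hardened partition for Docker data and a daemon that
# never runs as root. Each check takes the text it inspects as an argument, so
# it runs here on constructed samples and on a real host on the live files.
# Assumed names: user appuser, uid 1001, mounts /data and /data/volumes.

# Check 1: MOUNTPOINT is a separate mount and carries nosuid and nodev, so
# binaries dropped into the image store cannot be used for setuid escalation.
# Args: $1 = contents of /proc/mounts, $2 = mount point
check_data_partition() {
  local mounts="$1" mnt="$2" line opts want
  line=$(printf '%s\n' "$mounts" | awk -v m="$mnt" '$2 == m { print; exit }')
  if [ -z "$line" ]; then
    echo "FAIL: $mnt is not a separate mount"; return 1
  fi
  opts=$(printf '%s\n' "$line" | awk '{ print $4 }')
  for want in nosuid nodev; do
    case ",$opts," in
      *",$want,"*) ;;
      *) echo "FAIL: $mnt is mounted without $want (options: $opts)"; return 1 ;;
    esac
  done
  echo "OK: $mnt is a dedicated mount ($opts)"
}

# Check 2: no dockerd belongs to root, and one belongs to the rootless user.
# Args: $1 = output of 'ps -eo user:32,comm', $2 = expected daemon owner
check_daemon_owner() {
  local ps_out="$1" owner="$2" root_hits user_hits
  root_hits=$(printf '%s\n' "$ps_out" | awk '$1 == "root" && $2 == "dockerd" { n++ } END { print n + 0 }')
  user_hits=$(printf '%s\n' "$ps_out" | awk -v u="$owner" '$1 == u && $2 == "dockerd" { n++ } END { print n + 0 }')
  if [ "$root_hits" -ne 0 ]; then
    echo "FAIL: a rootful dockerd is still running ($root_hits process(es) as root)"; return 1
  fi
  if [ "$user_hits" -eq 0 ]; then
    echo "FAIL: no dockerd owned by $owner (rootless daemon not running)"; return 1
  fi
  echo "OK: dockerd runs only as $owner"
}

# Check 3: the client is pointed at the per-user socket, not /var/run/docker.sock.
# Args: $1 = DOCKER_HOST value, $2 = uid of the rootless user
check_socket_path() {
  local host="$1" uid="$2"
  if [ "$host" != "unix:///run/user/$uid/docker.sock" ]; then
    echo "FAIL: DOCKER_HOST is '$host', expected unix:///run/user/$uid/docker.sock"; return 1
  fi
  echo "OK: DOCKER_HOST points at the rootless socket"
}

# Constructed samples (not captured from a real host).
SAMPLE_MOUNTS='/dev/sda2 / ext4 rw,relatime 0 0
/dev/sdb1 /data ext4 rw,nosuid,nodev,relatime 0 0
/dev/sdb2 /data/volumes ext4 rw,nosuid,nodev,noexec,relatime 0 0'
SAMPLE_PS_GOOD='USER COMMAND
appuser rootlesskit
appuser dockerd
appuser containerd'
SAMPLE_PS_BAD='USER COMMAND
root dockerd
appuser dockerd'

# Runs every check on the samples; returns non-zero on the first unexpected result.
run_sample_checks() {
  check_data_partition "$SAMPLE_MOUNTS" /data || return 1
  check_data_partition "$SAMPLE_MOUNTS" /data/volumes || return 1
  check_daemon_owner "$SAMPLE_PS_GOOD" appuser || return 1
  check_socket_path "unix:///run/user/1001/docker.sock" 1001 || return 1
  # The bad sample keeps a rootful dockerd next to the rootless one and must be rejected.
  if check_daemon_owner "$SAMPLE_PS_BAD" appuser; then
    echo "unexpected: rootful dockerd was not detected"; return 1
  fi
  return 0
}

# On a live host, feed the real data instead:
#   check_data_partition "$(cat /proc/mounts)" /data
#   check_daemon_owner "$(ps -eo user:32,comm)" appuser
#   check_socket_path "$DOCKER_HOST" "$(id -u appuser)"
run_sample_checks
```

The checks are deliberately pure functions over text so they can be dropped into a CI or configuration-audit job; the nosuid/nodev requirement is the property that makes a separate data partition a security gain rather than just a capacity choice, and the rootful-dockerd check catches the common mistake of leaving docker.socket enabled so that /var/run/docker.sock (root-equivalent) is still reachable.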
@aKamrani (Author) commented Aug 16, 2025

Extra Content (just for fast install)

After partitioning script:
** Use this script to install Docker rootless only after the partitions have been created and formatted **

#!/bin/bash
# Run as root, after the two partitions have been created, formatted and
# mounted (the data-root partition on /data). Debian/Ubuntu tooling is assumed,
# as in the original: adduser, docker-ce-rootless-extras, uidmap, slirp4netns
# and fuse-overlayfs must already be installed.
set -euo pipefail

APP_USER=appuser

# Dedicated service account that owns the rootless daemon. It gets no password
# and is deliberately NOT added to the sudo group: the point of the indirect
# user is that it cannot become root.
adduser --disabled-password --gecos "" "$APP_USER"
APP_UID=$(id -u "$APP_USER")
APP_HOME=$(getent passwd "$APP_USER" | cut -d: -f6)

# Run a command as the app user with the systemd --user environment set
# (a non-interactive su does not read ~/.bashrc, so export it explicitly).
as_app() {
  su - "$APP_USER" -c "export XDG_RUNTIME_DIR=/run/user/$APP_UID DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/$APP_UID/bus PATH=/usr/bin:\$PATH; $*"
}

# Only needed for native overlay2 inside a user namespace on Ubuntu kernels;
# the fuse-overlayfs driver configured below works without it.
modprobe overlay permit_mounts_in_userns=1 || true

# Stop the rootful daemon so nothing listens on /var/run/docker.sock any more.
systemctl disable --now docker.service docker.socket || true

# Storage on the dedicated partition. The data-root must be owned by the
# rootless user, and daemon.json is written (not appended to) so it stays valid JSON.
install -d -o "$APP_USER" -g "$APP_USER" /data "$APP_HOME/bin" "$APP_HOME/.config/docker" \
  "$APP_HOME/.config/systemd/user/docker.service.d"
cat > "$APP_HOME/.config/docker/daemon.json" <<'EOF'
{ "storage-driver": "fuse-overlayfs", "data-root": "/data" }
EOF

# Shell environment for interactive logins of the app user.
cat >> "$APP_HOME/.bashrc" <<EOF
export PATH=/usr/bin:\$PATH
export XDG_RUNTIME_DIR=/run/user/$APP_UID
export DOCKER_HOST=unix:///run/user/$APP_UID/docker.sock
export DBUS_SESSION_BUS_ADDRESS="unix:path=/run/user/$APP_UID/bus"
EOF

# Rootless daemon as a lingering user service; slirp4netns for networking and
# port forwarding. The drop-in applies to the docker.service user unit that
# dockerd-rootless-setuptool.sh creates.
cat > "$APP_HOME/.config/systemd/user/docker.service.d/override.conf" <<'EOF'
[Service]
Environment="DOCKERD_ROOTLESS_ROOTLESSKIT_NET=slirp4netns"
Environment="DOCKERD_ROOTLESS_ROOTLESSKIT_PORT_DRIVER=slirp4netns"
EOF
chown -R "$APP_USER:$APP_USER" "$APP_HOME/.config" "$APP_HOME/.bashrc"
loginctl enable-linger "$APP_USER"
as_app "dockerd-rootless-setuptool.sh install"
as_app "systemctl --user daemon-reload && systemctl --user enable --now docker"

# Let the unprivileged daemon bind ports below 1024 (note: this applies to
# every user on the host, not only to the daemon).
echo "net.ipv4.ip_unprivileged_port_start=0" > /etc/sysctl.d/50-rootless-docker.conf
sysctl --system

# Indirect access: members of group "service" may run only the docker client,
# and only as the app user; DOCKER_HOST survives sudo so the client finds the
# rootless socket. Written to sudoers.d and syntax-checked with visudo instead
# of being appended to /etc/sudoers unverified.
groupadd -f service
cat > /etc/sudoers.d/docker-rootless <<EOF
Cmnd_Alias DOCKER = $(command -v docker)
Defaults env_keep += "DOCKER_HOST"
%service ALL=($APP_USER) DOCKER
EOF
chmod 0440 /etc/sudoers.d/docker-rootless
visudo -cf /etc/sudoers.d/docker-rootless

# System-wide alias; appended so the existing /etc/bash.bashrc is kept, and
# the uid is the app user's, not the uid of whoever runs this script.
echo "alias docker='sudo -u $APP_USER DOCKER_HOST=unix:///run/user/$APP_UID/docker.sock docker'" >> /etc/bash.bashrc
