As of Docker Engine v20.10, it’s possible to run the Docker daemon as a non-root user (Rootless mode). This is especially valuable from a security point of view: Rootless mode reduces the impact of potential vulnerabilities in the Docker daemon, because the daemon itself no longer runs as root.

However, at the time of writing, setting up Docker in rootless mode is not straightforward if you’re using Alpine Linux as your host system. This is why I summarized the steps to get Docker Rootless up and running on Alpine Linux.

Download and install Alpine

First, we’ll download the Alpine Linux ISO image and install the OS. We’ll then enable the community repository as it contains packages we’ll need to set up Docker in non-root mode.

  1. Get Alpine Linux ISO from: https://www.alpinelinux.org/downloads/
  2. Boot system from ISO and run:
    # setup-alpine
    
  3. Reboot and install the nano editor:
    # apk add nano
    
  4. Enable community repository in the following file:
    # nano /etc/apk/repositories
    
  5. Update the index of available packages:
    # apk update
    

Add a user and allow her to use doas

If you did not create a regular user account during the installation, it’s time to do it now:

  1. Install doas:
    # apk add doas
    
  2. Create the user and add it to the wheel group so it can gain root privileges:
    # adduser <USER> wheel
    
  3. Allow users in group wheel to use doas by editing the file /etc/doas.d/doas.conf and adding the following line:
    permit persist :wheel
    
  4. Log out and log in to the new account.

Install Docker Rootless

  1. Install newuidmap, newgidmap, fuse-overlayfs and iproute2 tools, all required by Rootless Docker:
    # apk add shadow-uidmap fuse-overlayfs iproute2
    
  2. Enable cgroups v2 by editing /etc/rc.conf and setting rc_cgroup_mode to unified.
  3. Enable the cgroups service:
    # rc-update add cgroups && rc-service cgroups start
    
  4. Allow your user to run Docker in rootless mode (the tun module and a subordinate uid/gid range are required):
    # modprobe tun
    # echo tun >>/etc/modules
    # echo <USER>:100000:65536 >/etc/subuid
    # echo <USER>:100000:65536 >/etc/subgid
    
  5. Install Docker and Docker Compose v2:
    # apk add docker docker-cli-compose
    
  6. Allow Docker access for your user:
    # addgroup <USER> docker
    
  7. Enable the iptables module:
    # echo "ip_tables" >> /etc/modules
    # modprobe ip_tables
    
  8. Install Docker rootless:
    $ curl -fsSL https://get.docker.com/rootless | sh
    
  9. Create an init script in /etc/init.d/docker-rootless:
    #!/sbin/openrc-run
    
    name=$RC_SVCNAME
    description="Docker Application Container Engine (Rootless)"
    supervisor="supervise-daemon"
    command="/home/<USER>/bin/dockerd-rootless.sh"
    command_args=""
    command_user="<USER>"
    supervise_daemon_args=" -e PATH=\"/home/<USER>/bin:/sbin:/usr/sbin:$PATH\" -e HOME=\"/home/<USER>\" -e XDG_RUNTIME_DIR=\"/home/<USER>/.docker/run\""
    
    reload() {
        ebegin "Reloading $RC_SVCNAME"
        /bin/kill -s HUP $MAINPID
        eend $?
    }
    
  10. Make the created init script executable, add it to the default runlevel and start it:
    # chmod +x /etc/init.d/docker-rootless
    # rc-update add docker-rootless
    # rc-service docker-rootless start
    
  11. Create a .profile file in your home directory with the following contents:
    export XDG_RUNTIME_DIR="$HOME/.docker/run"
    export DOCKER_HOST=unix://$XDG_RUNTIME_DIR/docker.sock
    export PATH="/home/<USER>/bin:/sbin:/usr/sbin:$PATH"
    
  12. Log out and log in again.
  13. Check that Docker Rootless works:
    $ docker ps
    $ docker run --rm hello-world
    
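The two commands above only prove that some daemon answers on DOCKER_HOST; they do not show that it is the rootless one. The following script is an added example (not part of the original post) that re-checks the prerequisites configured above against /etc/subuid, /etc/subgid, /etc/rc.conf and /etc/modules, and then asks the running daemon whether it advertises the "rootless" security option via `docker info --format '{{.SecurityOptions}}'`. Run it as `sh check-rootless.sh --check <USER>`; each check is a function that takes its file path as an argument, so it can also be pointed at constructed files.

```shell
# Added example, not from the original post: pre-flight checks for the
# rootless setup above. File paths/user are arguments, so tests can use
# constructed files instead of the real ones.

# subid_ok FILE USER: USER has exactly one FILE entry of the form
# USER:START:COUNT with a non-zero START (never map host uid 0 into the
# container) and at least 65536 ids, the default range rootless Docker expects.
subid_ok() {
    file=$1 user=$2
    [ "$(grep -c "^${user}:" "$file" 2>/dev/null)" = 1 ] || return 1
    rest=$(grep "^${user}:" "$file"); rest=${rest#*:}      # START:COUNT
    case "$rest" in *:*) ;; *) return 1 ;; esac
    start=${rest%%:*}; count=${rest#*:}
    case "$start" in ''|*[!0-9]*) return 1 ;; esac
    case "$count" in ''|*[!0-9]*) return 1 ;; esac
    [ "$start" -gt 0 ] && [ "$count" -ge 65536 ]
}

# cgroup_unified_ok FILE: rc.conf sets rc_cgroup_mode to "unified" (cgroups v2)
cgroup_unified_ok() {
    grep -Eq '^[[:space:]]*rc_cgroup_mode="?unified"?[[:space:]]*$' "$1" 2>/dev/null
}

# modules_ok FILE: /etc/modules lists both modules loaded in the steps above
modules_ok() {
    for m in tun ip_tables; do
        grep -qx "$m" "$1" 2>/dev/null || return 1
    done
}

# daemon_rootless_ok: the socket lives under XDG_RUNTIME_DIR and the daemon
# reports the "rootless" security option ("docker ps" alone cannot tell a
# rootless daemon from the system-wide one).
daemon_rootless_ok() {
    [ -S "${XDG_RUNTIME_DIR:-/nonexistent}/docker.sock" ] || return 1
    docker info --format '{{.SecurityOptions}}' 2>/dev/null | grep -q rootless
}

# run_all [USER]: run every check against the real files, one result line each
run_all() {
    user=${1:-$(id -un)}; rc=0
    for c in "subid_ok /etc/subuid $user" "subid_ok /etc/subgid $user" \
             "cgroup_unified_ok /etc/rc.conf" "modules_ok /etc/modules" \
             daemon_rootless_ok; do
        if $c; then echo "ok    $c"; else echo "FAIL  $c"; rc=1; fi
    done
    return "$rc"
}

case "${1:-}" in --check) run_all "${2:-}" ;; esac
```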

Allow ports < 1024 (optional)

By default, non-root users can only expose ports >= 1024. To allow lower ports, lower the minimum unprivileged port in /etc/sysctl.conf (the file is applied at boot). Note that this setting affects every unprivileged process on the host, not only Docker:

# echo "net.ipv4.ip_unprivileged_port_start=80" >> /etc/sysctl.conf