Building a Rootless Docker

Motivation

I have been using Singularity containers instead of docker. The reason I have avoided docker is that it needs root privileges to launch containers (strictly speaking this does not matter much for me, since I am running it at home).

I don't remember how I came across it, but I found out that docker has a rootless mode that lets you run docker as a normal user, so I decided to give it a try this time.

Sources

Sorry for the Japanese page.

Assumptions

Docker and nvidia-docker2 were already installed in my environment, so this page assumes that both are present. In other words, if you are already using docker (rootful), treat this page as the procedure for switching that installation to rootless mode.

Preparation

First, stop and disable the current (rootful) docker daemon.

$ sudo systemctl disable --now docker.service docker.socket

Next, install the required packages.

$ sudo apt install uidmap

In my environment, subuid and subgid were already set as follows (myuid and mygid stand for my UID and GID).

$ cat /etc/subuid
myuid:100000:65536
$ cat /etc/subgid
mygid:100000:65536

Set no-cgroups = true in /etc/nvidia-container-runtime/config.toml (originally the line is commented out as #no-cgroups=false). Without it, the NVIDIA hook tries to write device cgroup rules, which an unprivileged user is not permitted to do, as the error below shows.

If you forget this change, you will get the following error when using a GPU.

$ docker run --rm --gpus all nvidia/cuda:11.6.2-base-ubuntu20.04 nvidia-smi
(middle of the output omitted)
docker: Error response from daemon: failed to create shim task: OCI runtime create failed: runc create failed: unable to start container process: error during container init: error running hook #0: error running hook: exit status 1, stdout: , stderr: Auto-detected mode as 'legacy
nvidia-container-cli: mount error: failed to add device rules: open /sys/fs/cgroup/devices/user.slice/devices.allow: permission denied: unknown unknown.

Running and configuring scripts

First, run the setup script that configures rootless mode.

$ dockerd-rootless-setuptool.sh install

Once the script has finished, you can confirm that docker.service is running as your user with the following.

$ systemctl --user status docker
(output is abbreviated)

Finally, add the following line to the end of .bashrc.

export DOCKER_HOST=unix://${XDG_RUNTIME_DIR}/docker.sock

For reference, XDG_RUNTIME_DIR is set as follows.

$ echo $XDG_RUNTIME_DIR
/run/user/1000

Checking that it works

$ docker run hello-world
(output is abbreviated)

For containers that use a GPU, check with the following.

$ docker run --rm --gpus all nvidia/cuda:11.6.2-base-ubuntu20.04 nvidia-smi
(output is abbreviated)
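As an added check at the end of the procedure (my own script, not code from the original post, from Docker or from NVIDIA), the pre-flight script below verifies each prerequisite the steps above set up: the uidmap package, the subuid/subgid ranges for the current user, the no-cgroups = true line in config.toml, the rootful daemon being stopped, the user-level docker.service being active, and DOCKER_HOST pointing at the per-user socket. It also recognises the GPU error text shown above and prints the matching fix. The file paths, the 65536 range size and the error strings are the ones on this page; the function names, the ok/FAIL report format and the script name rootless-preflight.sh are my own assumptions.

```shell
#!/bin/sh
# Pre-flight checks for the rootless Docker + NVIDIA setup described above.
# Added example, not part of the original post. File paths, the 65536 range
# size and the error strings come from the post; function names and the
# "ok/FAIL" report format are assumptions of this example.

# subid_ok FILE NAME... : true if FILE has a "NAME:start:count" line for any
# of the given NAMEs with count >= 65536 (the size the post shows). The file
# may list either the user name or the numeric UID, so both are accepted.
subid_ok() {
    file=$1; shift
    [ -r "$file" ] || return 1
    for name in "$@"; do
        awk -F: -v n="$name" '$1 == n && $3 + 0 >= 65536 { f = 1 } END { exit f ? 0 : 1 }' "$file" \
            && return 0
    done
    return 1
}

# nvidia_cgroups_disabled FILE : true if config.toml contains an active
# (not commented-out) "no-cgroups = true" line.
nvidia_cgroups_disabled() {
    [ -r "$1" ] || return 1
    grep -Eq '^[[:space:]]*no-cgroups[[:space:]]*=[[:space:]]*true[[:space:]]*$' "$1"
}

# docker_host_is_rootless VALUE : true if VALUE is the per-user socket that
# the post's export line expands to, e.g. unix:///run/user/1000/docker.sock.
docker_host_is_rootless() {
    printf '%s\n' "$1" | grep -Eq '^unix:///run/user/[0-9]+/docker\.sock$'
}

# diagnose_gpu_error < TEXT : true (and prints the fix) if the daemon error
# text on stdin is the cgroup symptom the post shows for a missing
# no-cgroups = true setting.
diagnose_gpu_error() {
    if grep -Eq 'failed to add device rules|devices\.allow: permission denied'; then
        echo "hint: set no-cgroups = true in /etc/nvidia-container-runtime/config.toml"
        return 0
    fi
    return 1
}

# Live-system checks; these need systemd and the uidmap package.
have_newuidmap()         { command -v newuidmap >/dev/null 2>&1; }
rootful_docker_stopped() { command -v systemctl >/dev/null 2>&1 && ! systemctl is-active --quiet docker.service 2>/dev/null; }
user_docker_active()     { command -v systemctl >/dev/null 2>&1 && systemctl --user is-active --quiet docker.service 2>/dev/null; }

# report LABEL CMD [ARGS...] : run one check and record its result in $fail.
report() {
    label=$1; shift
    if "$@"; then printf 'ok   %s\n' "$label"
    else printf 'FAIL %s\n' "$label"; fail=1; fi
}

# run_preflight : run every check against the live system; returns 1 if any failed.
run_preflight() {
    fail=0
    report "uidmap installed (newuidmap present)"   have_newuidmap
    report "subuid range for $(id -un)"             subid_ok /etc/subuid "$(id -un)" "$(id -u)"
    report "subgid range for $(id -gn)"             subid_ok /etc/subgid "$(id -gn)" "$(id -g)"
    report "no-cgroups = true in config.toml"       nvidia_cgroups_disabled /etc/nvidia-container-runtime/config.toml
    report "rootful docker.service not running"     rootful_docker_stopped
    report "user-level docker.service active"       user_docker_active
    report "DOCKER_HOST points at rootless socket"  docker_host_is_rootless "${DOCKER_HOST:-}"
    return "$fail"
}

# Run the checks when executed as a script (sh rootless-preflight.sh);
# sourcing the file only defines the functions.
if [ "${0##*/}" = rootless-preflight.sh ]; then
    run_preflight
fi
```

Save it as rootless-preflight.sh and run `sh rootless-preflight.sh` after the steps above; a FAIL line names the step to revisit. To map an error message to the config.toml fix, pipe the daemon output into it, e.g. `docker run --rm --gpus all ... nvidia-smi 2>&1 | sh -c '. ./rootless-preflight.sh; diagnose_gpu_error'`. Each check reads its input from an argument rather than a hard-coded path, so the parsing functions can be exercised on constructed files without touching /etc.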

Summary

Setting up rootless mode is fairly easy as long as you remember to change /etc/nvidia-container-runtime/config.toml. I actually forgot to change it and panicked a little.

I intend to use docker from now on.


Translated with www.DeepL.com/Translator (free version)