Rootless Containers Edit this page

Rootless Containers

Rootless containers refers to the ability for an unprivileged user to create, run and otherwise manage containers. This term also includes the variety of tooling around containers that can also be run as an unprivileged user.

“Unprivileged user” in this context refers to a user who does not have any administrative rights, and is “not in the good graces of the administrator” (in other words, they do not have the ability to ask for more privileges to be granted to them, or for software packages to be installed).

Pros:

  • Can mitigate potential container-breakout vulnerabilities (Not a panacea, of course)
  • Friendly to shared machines, especially in HPC environments

Cons:

  • Complexity

See also Caveats and Future work.

What are Rootless Containers and what are not?

When we say Rootless Containers, it means running the entire container runtime as well as the containers without the root privileges.

Even when the containers are running as non-root users, when the runtime is still running as the root, we don’t call them Rootless Containers.

While we allow using SETUID (and/or SETCAP) binaries for some of essential configurations such as newuidmap, when the entire runtime is running with SETUID, we don’t call it Rootless Containers.

Examples of Rootless Containers

Click the links for tutorials.

Non-examples of Rootless Containers

  • Allowing a non-root user to access to /var/run/docker.sock, by adding the user to docker group (sudo usermod -aG docker somebody)
  • docker run --user somebody
  • Docker userns-remap mode (dockerd --userns-remap)
  • Podman userns-remap mode (podman run --uidmap)
  • Kaniko
  • Makisu
  • LXD unprivileged-mode
  • Singularity SETUID-mode