
alpine linux with rootless docker

# nano /etc/apk/repositories (enable community repo)

# apk add doas

# adduser <USER> wheel

# nano /etc/doas.d/doas.conf (make sure it contains `permit persist :wheel`; this gives every wheel member full root via doas, so keep the wheel group small)

# apk add shadow-uidmap fuse-overlayfs iproute2

# nano /etc/rc.conf (uncomment rc_group_mode and set to unified)

# rc-update add cgroups && rc-service cgroups start

# modprobe tun

# echo tun >>/etc/modules

# echo <USER>:100000:65536 >>/etc/subuid

# echo <USER>:100000:65536 >>/etc/subgid

(use `>>`, not `>`: a single `>` replaces the whole file and silently wipes the ranges of any other users. if the files already have entries, pick a 65536-wide range that does not overlap them.)

# apk add docker docker-cli-compose

# addgroup <USER> docker (optional — rootless docker does not need it. membership in the docker group is root-equivalent whenever the rootful daemon is running, so skip this unless you also intend to use the system-wide daemon)

# echo "ip_tables" >> /etc/modules

# modprobe ip_tables

$ curl -fsSL https://get.docker.com/rootless -o rootless-install.sh && less rootless-install.sh && sh rootless-install.sh

(run this as <USER>, not as root: the installer sets up the home directory of the user invoking it. always give the https:// scheme — without one curl starts with plain http, which can be tampered with before any redirect — and read the script before running it instead of piping it straight into sh.)

create an init script in /etc/init.d/docker-rootless:

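#!/sbin/openrc-run
# OpenRC service for a per-user (rootless) Docker daemon.
# Only the supervision is done by root; the daemon itself runs as <USER>.

name=$RC_SVCNAME
description="Docker Application Container Engine (Rootless)"
supervisor="supervise-daemon"

# Launcher placed in the user's home by the rootless installer.
command="/home/<USER>/bin/dockerd-rootless.sh"
command_args=""
# Drop to the unprivileged user before exec; the daemon must never run as root.
command_user="<USER>"

# Environment handed to the daemon. NOTE: keep the escaped quotes — OpenRC
# re-parses this string before passing it to supervise-daemon, so they are
# what protects values containing spaces.
# XDG_RUNTIME_DIR is where the daemon's control socket is created; it should
# be owned by <USER> and not be readable by other accounts (confirm the mode).
supervise_daemon_args=" -e PATH=\"/home/<USER>/bin:/sbin:/usr/sbin:$PATH\" -e HOME=\"/home/<USER>\" -e XDG_RUNTIME_DIR=\"/home/<USER>/.docker/run\""

# Make `rc-service docker-rootless reload` available while the service runs.
extra_started_commands="reload"

# Send SIGHUP to the supervised process.
# The previous version ran `kill -s HUP \$MAINPID`, which passes the literal
# string `$MAINPID` to kill ($MAINPID is a systemd variable, not an OpenRC
# one). supervise-daemon tracks the child's PID, so signal through it.
# The signal reaches the rootless wrapper; whether dockerd itself acts on it
# depends on the wrapper forwarding it — verify with `docker info` afterwards.
reload() {
	ebegin "Reloading $RC_SVCNAME"
	supervise-daemon "$RC_SVCNAME" --signal HUP
	eend $?
}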

make the created init script executable, add it to the default runlevel and start it:

# chmod +x /etc/init.d/docker-rootless

# rc-update add docker-rootless

# rc-service docker-rootless start

create a .profile file in your home directory with the following contents:

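# ~/.profile — environment for talking to the rootless Docker daemon.
# Read by login shells; log out and back in (or `. ~/.profile`) after editing.

# Runtime directory holding the daemon's socket; must match XDG_RUNTIME_DIR
# in the docker-rootless init script.
export XDG_RUNTIME_DIR="$HOME/.docker/run"

# Point the docker CLI at the per-user socket instead of /var/run/docker.sock.
export DOCKER_HOST="unix://$XDG_RUNTIME_DIR/docker.sock"

# Rootless binaries live in ~/bin (written with $HOME, like the line above,
# so the file is not tied to one username). /sbin and /usr/sbin are added
# because the networking helpers the daemon calls live there.
export PATH="$HOME/bin:/sbin:/usr/sbin:$PATH"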

log out and log in again.

check if Docker Rootless works — run these as <USER>, not as root (the CLI finds the per-user socket through DOCKER_HOST from .profile; as root it would look for /var/run/docker.sock, which this setup never starts):

$ docker ps

$ docker run --rm hello-world

allow ports < 1024 (optional)

by default, only ports >= 1024 can be exposed by non-root users. to change this, lower the first unprivileged port in /etc/sysctl.conf and reload it. note that this is a host-wide setting: every unprivileged process on the machine can then bind ports from that value upwards, so set it to the lowest port you actually need rather than a blanket low value.

# echo "net.ipv4.ip_unprivileged_port_start=80" >> /etc/sysctl.conf

# sysctl -p /etc/sysctl.conf
