Run Docker and Compose as Non-Root Without Sudo on Ubuntu

Posted March 9, 2024
Are you looking to run your Docker and Docker Compose containers as non-root and without sudo? This guide is for you. You will learn how to set up Docker on Ubuntu 20.04|22.04/Debian so that Docker Engine doesn't need sudo and runs your containers as non-root.

By default, you have to type sudo before every Docker command you run. This means non-root users can't manage Docker resources. A non-root Docker setup removes the need for root privileges. This way, you will use Docker and Docker Compose commands without relying on Ubuntu-wide privileges.

Now, with Docker, you have two ways to use Non-root users without sudo:

  • Add your user to the docker group. Your Ubuntu server will then permit your user to run Docker commands without sudo.
  • Install Docker in rootless mode.

You will learn to install Docker as Non-Root Without Sudo on Ubuntu 20.04|22.04 based on the above two methods.

Prerequisites

To use Docker as non-root without sudo, Docker Engine must be installed on your Ubuntu server. If you don't have it ready, follow the next steps to install and run Docker, Docker Compose, and the related Docker packages for Ubuntu.

Step 1: Getting Docker Ready as Non-Root Without Sudo

Now, let’s get Docker running. I will use Ubuntu commands to set it up. These steps should work for Ubuntu 20.04|22.04 LTS.

  • Ensure Ubuntu has the latest package index:
sudo apt update
sudo apt upgrade -y
  • Run the following command to install Docker Ubuntu-related dependencies:
sudo apt install software-properties-common ca-certificates apt-transport-https curl 

Go ahead and download Docker's public GPG key. APT uses it to verify the signature of the Docker repository you will add to the APT sources:

# Create the keyring directory
sudo mkdir -p /etc/apt/keyrings
# Download Docker's public key and store it in binary (dearmored) form in this directory
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /etc/apt/keyrings/docker.gpg
# Make the key file readable by all users so apt can read it
sudo chmod a+r /etc/apt/keyrings/docker.gpg
  • Next, use the following command to add a GPG-signed Docker repository to Ubuntu APT sources:
echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null

If you go to /etc/apt/sources.list.d, the added Docker repo should be available:

ubuntu@:~$ cd /etc/apt/sources.list.d
ubuntu@:/etc/apt/sources.list.d$ ls
docker.list
  • Update the package index so that apt picks up the new repository and can validate the Docker packages you will install against the key:
sudo apt update
  • Finally, install the Docker packages for the above repo. I will use the latest Docker version packages. Remember to include Docker Compose if you need it:
sudo apt-get install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin

You need to run the following command to make sure Docker is ready:

ubuntu@:~$ sudo docker --version
Docker version 25.0.4, build 1a576c5
ubuntu@:~$ docker compose version
Docker Compose version v2.24.7

At the same time, Docker must be up and running. Confirm so:

sudo systemctl status docker

Step 2: Running Docker Commands Without Sudo on Ubuntu

At this point, if you run a docker command without sudo, you will get a permission error. For example:

ubuntu@:~$ docker ps
permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Get "http://%2Fvar%2Frun%2Fdocker.sock/v1.44/containers/json": dial unix /var/run/docker.sock: connect: permission denied

This means you must use Docker with sudo. Let's explore the first way to run Docker and Compose without sudo on Ubuntu.

When Docker is installed, a docker group is created on Ubuntu. Members of this group can run Docker commands without sudo.

If you run the sudo groupadd docker command, you will see that the group already exists on your system:

ubuntu@:~$ sudo groupadd docker
groupadd: group 'docker' already exists

Add your current user to the Docker Group. This way, Ubuntu will grant your user permissions to run Docker commands without sudo:

sudo usermod -aG docker $USER

You must now restart your machine for this change to work.

I used the following command to test if I can now run Docker and Docker Compose commands without sudo:

docker run hello-world

The Docker command now works without sudo.

For the Docker Compose command test, check the version, but this time without sudo:

docker compose --version

If you want to revert this change and go back to using sudo, remove the user from the docker group by running the following command:

sudo gpasswd -d $USER docker
ubuntu@:~$ sudo gpasswd -d $USER docker
Removing user ubuntu from group docker

Reboot Ubuntu to log out of your current session and go back to sudo. My docker commands shouldn’t work without sudo going forward:

ubuntu@:~$ docker run hello-world
docker: permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Head "http://%2Fvar%2Frun%2Fdocker.sock/_ping": dial unix /var/run/docker.sock: connect: permission denied.
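
Membership of the docker group gives root-equivalent control of the host through the daemon socket, so it is worth checking who holds it. The following audit is an added example, not part of the original guide: the function name is hypothetical and the sample group and passwd files are constructed. It also catches accounts whose primary group is docker, which the member list in /etc/group does not show.

```shell
#!/bin/sh
# Added example: list every account that can use /var/run/docker.sock
# without sudo through the docker group.

# $1: group(5) file, $2: passwd(5) file (defaults: the system databases).
# Prints supplementary members of "docker" plus any account whose primary
# group is docker, sorted, one name per line.
docker_socket_users() {
    awk -F: '
        FILENAME == ARGV[1] {
            if ($1 == "docker") {
                gid = $3
                n = split($4, m, ",")
                for (i = 1; i <= n; i++) if (m[i] != "") users[m[i]] = 1
            }
            next
        }
        gid != "" && $4 == gid { users[$1] = 1 }
        END { for (u in users) print u }
    ' "${1:-/etc/group}" "${2:-/etc/passwd}" | sort
}

# Constructed sample databases so the example runs on any machine.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/group" <<'EOF'
sudo:x:27:ubuntu
docker:x:999:ubuntu,deploy
EOF
cat > "$tmp/passwd" <<'EOF'
ubuntu:x:1000:1000::/home/ubuntu:/bin/bash
deploy:x:1001:1001::/home/deploy:/bin/bash
ci:x:1002:999::/home/ci:/bin/sh
EOF

# ubuntu and deploy are supplementary members; ci has docker as primary group.
docker_socket_users "$tmp/group" "$tmp/passwd"
```

Called without arguments, docker_socket_users reads /etc/group and /etc/passwd on the machine it runs on.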

Step 3: Running Docker and Compose as Non-Root and Without Sudo

Up to this point, you can use Docker without sudo. However, this setup does not run Docker as a non-root user. Running Docker as non-root requires rootless mode.

Rootless mode means the Docker daemon and your containers run without root privileges.

Once you start the Docker daemon in rootless mode, the whole Docker Engine runs as non-root and you won't need to use sudo with Docker.

To set a Non-root Docker Engine, ensure you have stopped the running Docker Ubuntu instance:

sudo systemctl disable --now docker.service docker.socket

This command stops and disables the Docker service and socket using systemctl, and removes their links from the systemd target directories:

ubuntu@:~$ sudo systemctl disable --now docker.service docker.socket
Synchronizing state of docker.service with SysV service script with /lib/systemd/systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install disable docker
Removed /etc/systemd/system/multi-user.target.wants/docker.service.
Removed /etc/systemd/system/sockets.target.wants/docker.socket.

Docker rootless mode uses a user namespace. In the default setup the Docker daemon itself runs with root privileges, whereas in rootless mode the daemon and every container run without root privileges. This is what Docker refers to as a non-root, rootless Docker setup.

Now, run the following commands to convert Docker to non-root. The first one installs the newuidmap and newgidmap binaries, which are needed to manage the user namespace:

sudo apt-get install -y uidmap
dockerd-rootless-setuptool.sh install

The above setup tool will only work if you have rootlesskit available in /usr/bin.

The following command works whether or not the rootlesskit package is available in /usr/bin:

curl -fsSL https://get.docker.com/rootless | sh

You will need to add the rootless Docker environment variables (PATH and DOCKER_HOST). The installer prints the export commands at the end of its output. Copy these export commands and run them, or add them to ~/.bashrc.

Step 4: Running Docker and Docker Compose Command as Non-root

Use systemctl with the --user flag to start and enable the rootless Docker daemon as your own user, then check its status:

systemctl --user start docker
systemctl --user enable docker
systemctl --user status docker

The status output should show Docker running in a rootless, non-root context.

Let’s test if this Docker Non-root is ready. I will run a container without sudo as follows:

docker run --name mynginx -d -p 80:80 nginx

However, you will have the following error:

docker: Error response from daemon: driver failed programming external connectivity on endpoint mynginx (67574850180ed0a938d30305a61e5646f770da39e75427701f6a4fbc6c20189d): Error starting userland proxy: error while calling PortManager.AddPort(): cannot expose privileged port 80, you can add 'net.ipv4.ip_unprivileged_port_start=80' to /etc/sysctl.conf (currently 1024), or set CAP_NET_BIND_SERVICE on rootlesskit binary, or choose a larger port number (>= 1024): listen tcp4 0.0.0.0:80: bind: permission denied.

This means you cannot expose privileged port 80 when using Docker as non-root.

The command would have worked if you had used a port of 1024 or above.

The rootless method comes with some limitations. By default, you won't be able to run a container that exposes a privileged port (a port below 1024).
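
A preflight check for the privileged-port limitation described above, added here as an example that is not part of the original guide: it extracts the host port from docker run -p specs and compares it with the kernel's net.ipv4.ip_unprivileged_port_start value. The function names are hypothetical, the port specs are constructed, and the check does not account for a CAP_NET_BIND_SERVICE file capability set on rootlesskit.

```shell
#!/bin/sh
# Added example: will a rootless Docker daemon be able to publish this port?

# Lowest port an unprivileged process may bind; the kernel default is 1024.
unprivileged_port_start() {
    cat /proc/sys/net/ipv4/ip_unprivileged_port_start 2>/dev/null || echo 1024
}

# Print the host port of a -p spec ([ip:]host:container[/proto]); print
# nothing when Docker would choose an ephemeral host port itself.
host_port() {
    spec=${1%/*}                               # drop "/tcp" or "/udp"
    case $spec in *:*) ;; *) return 0 ;; esac  # container port only
    spec=${spec%:*}                            # drop ":containerPort"
    port=${spec##*:}                           # drop an optional "ip:" prefix
    port=${port%%-*}                           # a range: lowest port decides
    if [ -n "$port" ]; then echo "$port"; fi
}

# Succeed when an unprivileged rootlesskit can bind the spec's host port.
# $2 overrides the threshold read from the running kernel.
rootless_can_publish() {
    start=${2:-$(unprivileged_port_start)}
    hp=$(host_port "$1")
    [ -z "$hp" ] || [ "$hp" -ge "$start" ]
}

# Constructed sample specs, checked against the default threshold of 1024.
for s in 80:80 127.0.0.1:8080:80 443:443/tcp 8000-8010:8000-8010 8080; do
    if rootless_can_publish "$s" 1024; then
        echo "ok       $s"
    else
        echo "blocked  $s (host port $(host_port "$s") is below 1024)"
    fi
done
```

Leave out the second argument of rootless_can_publish to test against the threshold of the machine you are on.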

Use the following command to set the CAP_NET_BIND_SERVICE capability on the rootlesskit binary, so that rootless Docker can bind privileged ports:

sudo setcap cap_net_bind_service=ep $(which rootlesskit)
# Restart to apply changes
systemctl --user restart docker

Now rerun your container with port 80 and use the following command to check if it is running:

docker ps

Step 5: Uninstalling Docker Rootless Non-root Context on Ubuntu

If you don't want to use non-root Docker mode anymore, you will need to uninstall the Docker rootless setup. You won't be able to use Docker without sudo and as non-root after this:

dockerd-rootless-setuptool.sh uninstall

This command won't remove Docker. It only switches Docker from non-root back to the default.

The uninstall command does NOT remove Docker binaries and data. Follow the instructions in its output to remove the rootless PATH and DOCKER_HOST settings.

Now, you will be able to access Docker with sudo and systemctl. Run these commands to start Docker and check the status:

sudo systemctl start docker
sudo systemctl status docker

Docker is now back to the default setup and uses sudo. Non-root Docker commands won't work anymore.

Conclusion

I hope you can now use Docker and Docker Compose commands with Non-root users and without sudo. You have learned:

  • Running the Docker Commands Without Sudo on Ubuntu.
  • Running Docker and Docker Compose Command as Non-root.
  • Uninstalling the rootless, non-root setup to use the default Docker Engine.

Written By:

Joseph Chege