
Docker 19.03: Rootless Mode (Experimental)

97 points| UberIsAnnoying | 6 years ago |github.com

43 comments

[+] AdamGibbins|6 years ago|reply
Or we could just ditch Docker for one of the alternatives, like Podman that doesn't need root, nor a daemon.
[+] paulddraper|6 years ago|reply
Yep. I only half care about rootless. I definitely care about the daemon.

It sucks.

It flies in the face of traditional Linux process management where child processes are child processes.

(Unless you want an init system, where you need a daemon. But docker is a sucky init system.)

Docker breaks even the most basic things.

    $ time docker run some heavy computation
Oh wait, that doesn't work.
[+] coffekaesque|6 years ago|reply
I don't like their idea of what a docker-compose replacement should be. And reading issues and limitations about podman pod commands is very discouraging. I would love to hear what others are using and their experiences though. I avoid anything Kubernetes because of a personal bias.
[+] entropy1111|6 years ago|reply
What are my options to replace Docker Compose? I don't want to introduce a chaotic mess by using kubernetes. Or to dedicate brain power to learn what they changed every week. Their readme really confuses me with podman play, kompose, k8s.
[+] meddlepal|6 years ago|reply
Except that then you lose MacOS and Windows compatibility which is somewhat important to Docker.
[+] Gondolin|6 years ago|reply
Now that systemd-nspawn also has oci support, I wonder if podman/cri-o are going to switch to nspawn rather than runc.
[+] a-ve|6 years ago|reply
To the container wizards: Is it possible to orchestrate lxc containers using kubernetes? I've been looking at lxc containers for a while and really would not like to run Docker as root.
[+] cyphar|6 years ago|reply
LXD has orchestration support natively, though it's not at all like Kubernetes (you are manually moving containers around and so on).

I have heard that some folks have looked into using LXC under Kubernetes (and theoretically the OCI templates for LXC could possibly make this somewhat work) but there isn't an obvious way to do that today AFAIK. And I'm not convinced (given CNI which touches some deep bits of runc's particular behaviour) it would work with everything you'd want it to.
[+] ohiovr|6 years ago|reply
Docker has supported namespaces for a while now so that even if the user in the container is root it could be a subordinate id on the host with no administrative authority. What is new though?
[+] cyphar|6 years ago|reply
The daemon is running as an unprivileged user. Docker with userns-remap is still running as root (and recent vulnerabilities like CVE-2018-15664 are still a significant worry even if you ran with user namespaces enabled).
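The two comments above turn on where container uid 0 actually lands on the host (identity map, userns-remap subordinate range, or the rootless layout where root maps to the unprivileged user's own uid). The following is an added example, not code from the thread or from Docker: it parses the kernel's `/proc/<pid>/uid_map` format ("inside outside length" per line) and resolves namespace uids to host uids, so a defender can check whether "root" in a container is really host root. The sample maps are constructed, and the overflow uid of 65534 is the kernel default assumed here.

```python
# Added example: resolve uids from a user-namespace uid_map to host uids.
# Map format (one range per line): <id inside ns> <id outside ns> <length>.
OVERFLOW_UID = 65534  # assumption: kernel default /proc/sys/kernel/overflowuid


def parse_uid_map(text):
    """Parse uid_map text into (inside, outside, length) ranges; skip junk lines."""
    ranges = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        inside, outside, length = (int(p) for p in parts)
        ranges.append((inside, outside, length))
    return ranges


def to_host_uid(ns_uid, ranges):
    """Translate a uid seen inside the namespace to the uid the host kernel uses.
    A uid outside every range is unmapped and appears as the overflow uid."""
    for inside, outside, length in ranges:
        if inside <= ns_uid < inside + length:
            return outside + (ns_uid - inside)
    return OVERFLOW_UID


def container_root_is_host_root(text):
    """True when uid 0 in the namespace is uid 0 on the host, i.e. no remapping."""
    return to_host_uid(0, parse_uid_map(text)) == 0


def read_self_uid_map():
    """Read the calling process's own map; run inside a container to inspect it."""
    with open("/proc/self/uid_map") as f:
        return f.read()


# Constructed sample maps (not captured from a real host):
IDENTITY_MAP = "         0          0 4294967295\n"            # default daemon, no userns
REMAPPED_MAP = "         0     100000      65536\n"            # userns-remap subordinate range
ROOTLESS_MAP = "         0       1000          1\n" \
               "         1     100000      65536\n"            # rootless: root -> user 1000, rest -> subuids

if __name__ == "__main__":
    for name, m in (("identity", IDENTITY_MAP), ("remapped", REMAPPED_MAP), ("rootless", ROOTLESS_MAP)):
        print(name, "ns uid 0 ->", to_host_uid(0, parse_uid_map(m)),
              "| host root?", container_root_is_host_root(m))
```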
[+] techntoke|6 years ago|reply
That still required the daemon run as root. This runs the daemon rootless as well.