Is rootless Docker possible?

[trjate]

Per https://docs.docker.com/engine/security/rootless/, is it possible to run the docker daemon and containers on a bottlerocket host as a non-root user?

[etungsten]

Hi @trjate , Bottlerocket uses containerd as its container runtime and we currently don’t provide an option to run the containerd daemon in rootless-mode. To run containers directly on Bottlerocket, you can try running custome host-containers.

[trjate]

Thanks @etungsten! I guess my point in asking is to try to better understand the implications of running a Docker container as root vs non-root user on Bottlerocket. I assume that running a container as root on Bottlerocket would be "less insecure" than running the same container as root on a traditional distro, but not totally sure. I know everyone says you shouldn't run your containers as root if avoidable, but I haven't ever found any clear explanations with examples as to why.

[etungsten]

You're right that although running container processes as root is more secure on Bottlerocket than it is on a traditional distro (here are some Bottlerocket security features that help with this, i.e. no shell, SElinux enforced), it is still recommended to not run your containers with UID 0 (root). For reasons why, please read our security guidance here: https://github.com/bottlerocket-os/bottlerocket/blob/develop/SECURITY_GUIDANCE.md#do-not-run-containers-as-uid-0.