traefik rootless / docker and portainer ?

[ThierryIT]

Hello,
I have been rebuilding a new Ubuntu server, but this time, the docker and all others dockers and portainer-ce will run in rootless mode (I hope).
It is today working for the Portainer docker only. I cannot build any stack yet, still this error message failed to deploy a stack: Cannot connect to the Docker daemon at unix:///var/run/docker.sock. Is the docker daemon running?

When checking my Traefik config file and reading your post concerning this special mode, if I understood well, Traefik will run in rootless mode when your proxy will need root to run.

The "rootless" socket PATH is today: /run/user/1000/docker.sock .

My proxy config for Traefik v3.0

dockerproxy: image: wollomatic/socket-proxy:1.3.1 container_name: t-docker-socket-proxy command: - '-loglevel=info' - '-allowfrom=traefik' - '-listenip=0.0.0.0' - '-allowGET=/v1\..{1,2}/(version|containers/.*|events.*)' - '-watchdoginterval=3600' - '-stoponwatchdog' - '-shutdowngracetime=10' restart: unless-stopped read_only: true mem_limit: 64M cap_drop: - ALL security_opt: - no-new-privileges user: 65534:1000 # change gid from 998 to the gid of the docker group on your host volumes: - /run/user/1000/docker.sock:/var/run/docker.sock:ro networks: - socket-t networks: socket-t: driver: bridge internal: true attachable: false

[crazytimmy]

I'm also having an issue with a rootless docker install I'm playing with. Seems to be a permissions issue but maybe I'm doing something wrong in my compose file. @wollomatic do you have any experience with running rootless docker?

I was able to run tecnativa/docker-socket-proxy without these errors.

I've tried adding user: 65534:1001 as in your documentation and also 1001:1001 with no luck.

Error: msg="socket not available" error="dial unix /var/run/docker.sock: connect: permission denied"

This is what I got:

compose.yaml

services:
  socket-proxy:
    image: wollomatic/socket-proxy:1.5.4
    container_name: socket-proxy
    command:
      - '-loglevel=debug'
      - '-allowGET=.*'
      - '-allowHEAD=.*'
      - '-allowPOST=.*'
      - '-allowPUT=.*'
      - '-allowPATCH=.*'
      - '-allowDELETE=.*'
      - '-allowCONNECT=.*'
      - '-allowTRACE=.*'
      - '-allowOPTIONS=.*'
    volumes:
      - ${SOCKET_PATH}:/var/run/docker.sock:ro

docker compose --env-file up

[+] Running 1/1
 ✔ Container socket-proxy  Recreated                                                                               0.2s
Attaching to socket-proxy
socket-proxy  | time=2025-02-09T23:59:03.414Z level=INFO msg="starting socket-proxy" version=1.5.4 os=linux arch=amd64 runtime=go1.23.5 URL=github.com/wollomatic/socket-proxy
socket-proxy  | time=2025-02-09T23:59:03.414Z level=INFO msg="configuration info" socketpath=/var/run/docker.sock listenaddress=127.0.0.1:2375 loglevel=DEBUG logjson=false allowfrom=127.0.0.1/32 shutdowngracetime=10
socket-proxy  | time=2025-02-09T23:59:03.414Z level=INFO msg="watchdog disabled"
socket-proxy  | Request allowlist:
socket-proxy  |    Method   Regex
socket-proxy  |    OPTIONS  ^.*$
socket-proxy  |    POST     ^.*$
socket-proxy  |    PUT      ^.*$
socket-proxy  |    PATCH    ^.*$
socket-proxy  |    CONNECT  ^.*$
socket-proxy  |    TRACE    ^.*$
socket-proxy  |    GET      ^.*$
socket-proxy  |    HEAD     ^.*$
socket-proxy  |    DELETE   ^.*$
socket-proxy  | time=2025-02-09T23:59:03.414Z level=DEBUG msg="checking socket availability" origin=checkSocketAvailability
socket-proxy  | time=2025-02-09T23:59:03.414Z level=ERROR msg="socket not available" error="dial unix /var/run/docker.sock: connect: permission denied"
socket-proxy exited with code 2

[wollomatic]

Hi @crazytimmy,

Thanks for reaching out.

I haven't used Docker rootless for several reasons, but here are some thoughts:

The reason tecnativa/docker-socket-proxy works is that it runs with root privileges by default. You can achieve the same behaviour with socket-proxy by setting user: 0:0. However, even though other proxies do this, I wouldn't recommend it because it's not the best security practice.

What are the owner and group of the Docker socket? Which file permissions are set?

Best regards,
Wolfgang

[crazytimmy]

@wollomatic thanks for taking the time to respond. I figured it out and most definitely had to do with my lack of knowledge in Docker and some assumptions I made.

Quick answer is I got it working by... following your instructions (shocker I know). I had to run my compose with user: 65534:996 as 996 is the GID of my docker group. I assumed since I'm running rootless and my failed attempt to find the docker group came up empty that I needed to use my user's GID of 1001 since that's what my docker.sock should be running as.

If you know why and have the time to help me understand why the docker GID is needed I would appreciate and try hard to understand it more.
Also, another question I would have is why setting env variable: - SP_SOCKETPATH=${SOCKET_PATH} results in an error: error="dial unix /run/user/1001/docker.sock: connect: no such file or directory" whether or not I specify the socket volume config.? Without the env variable it works.

Here are the permissions you were asking for:

ls -la /run/user/1001/docker.sock
srw-rw---T 1 jeff 166531 0 Feb  7 14:07 /run/user/1001/docker.sock

For anyone else stuck on this run:

cat /etc/group
...
docker:x:996:

where 996 is your docker's group id (GID)

For completion sake here's my compose.yaml used for testing:

services:
  socket-proxy:
    image: wollomatic/socket-proxy:1.5.4
    container_name: socket-proxy
    environment:
      - TZ=${TIMEZONE}
      - SP_LOGLEVEL=DEBUG
      - SP_LISTENIP=0.0.0.0
      - SP_ALLOWFROM=portainer
      - SP_WATCHDOGINTERVAL=3600
      - SP_STOPONWATCHDOG=true
      - SP_SHUTDOWNGRACETIME=5
      #Rules:
      - SP_ALLOW_GET=.*
      - SP_ALLOW_HEAD=.*
      - SP_ALLOW_POST=.*
      - SP_ALLOW_PUT=.*
      - SP_ALLOW_PATCH=.*
      - SP_ALLOW_DELETE=.*
      - SP_ALLOW_CONNECT=.*
      - SP_ALLOW_TRACE=.*
      - SP_ALLOW_OPTIONS=.*
    user: 65534:996
    networks:
      - portainer-socket-proxy-net
    volumes:
      - ${SOCKET_PATH}:/var/run/docker.sock:ro

networks:
  portainer-socket-proxy-net:
    name: portainer-socket-proxy-net

SOCKET_PATH maps to: /run/user/1001/docker.sock where 1001 is my UID

[wollomatic]

Hi @crazytimmy, thanks for the feedback and the detailed information.

I'll start with the second question:

why setting env variable: - SP_SOCKETPATH=${SOCKET_PATH} results in an error: error="dial unix /run/user/1001/docker.sock: connect: no such file or directory" whether or not I specify the socket volume config.? Without the env variable it works.

That's because of this:

    volumes:
      - ${SOCKET_PATH}:/var/run/docker.sock:ro

You're mounting the (external) file from ${SOCKET_PATH} inside the container to /var/run/docker.sock. Because /var/run/docker.sock inside the container is the default location where socket-proxy tries to connect to the socket. However, if you explicitly set SP_SOCKETPATH to ${SOCKET_PATH}, socket-proxy cannot find the socket, because it's still mounted to /var/run/docker.sock inside the container.

---

The other question is complex without knowing the full configuration, but it likely involves user namespace mapping. Even though the Docker socket has a GID of 166531 on the host, the container's user namespace maps the container's GID 996 to the host's docker group. This mapping allows the container to access the Docker socket as if it were a member of the docker group on the host, enabling the necessary permissions for communication with the Docker daemon.

[crazytimmy]

@wollomatic thanks for the quick response and comments. I think I understand what you're saying. I ran another test with
- SP_SOCKETPATH=${SOCKET_PATH}
and

volumes:
      - ${SOCKET_PATH}:${SOCKET_PATH}

It worked. I guess I thought setting the - SP_SOCKETPATH=${SOCKET_PATH} by itself would not require the volume to also be mounted.

Take care.