Then the last one here is Docker Rootless, which is a relatively new feature in the last year that allows you to run the Docker daemon, the Docker Engine itself, without root. This doesn't work in every case. The big gotcha here is that it doesn't allow custom networking. So you can't create all these fancy bridge networks without having root. In Linux, you need root to mess around with networking, essentially.

As long as you don't need that, if you can get away with it, maybe this is something you do in CI, and you just need the CI worker user. Maybe it's called Jenkins. You have a Jenkins user and you need it to run certain things. Then you can set up that CI to start the Docker daemon inside a user's home directory, and then run all of its stuff there. Then it can stop Docker and, you know, exit the process, and you never needed root on that machine.

I don't see a lot of potential for this in production, but it is possible.
If you don't need any of the networking capabilities of Docker, or you found another way, essentially, you can run other commands that create these networks manually, and you don't depend on Docker for that. So if you can deal with that stuff, then there might be a way for you to have no root at all, even with the Docker daemon. This is still running as a systemd process, right? This still is running in the background. It's not running in the foreground.

Docker's got a nice script. It's here at get.docker.com/rootless, so you can essentially just run that script, and if your system is compatible, it will essentially run Docker as that user. It'll download it, configure it, and then you can watch a DockerCon session on it. In fact, on this channel earlier this summer, I had other Docker Captains on giving demos about how Rootless works. Also check that out on this channel.

That's my top 10. Anything after that starts to get into paid products, or really application-specific tools that aren't necessary in the broad sense of everybody's security.
I would go down this checklist as you implement your tooling. This is really production-specific, right? This isn't a lot of stuff that you'll be running locally for development. This is about production servers.
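The CI-worker pattern described in the transcript (start the daemon as the unprivileged worker user, run the job, stop it, never touch root), as an added shell example. This is not part of the transcript and not Docker's own tooling; it only wraps the get.docker.com/rootless installer the speaker mentions. It assumes the host has the uidmap package (newuidmap/newgidmap) and that the worker user (assumed here to be jenkins) has a subordinate ID range of at least 65536 entries in /etc/subuid and /etc/subgid, which the rootless installer requires; the helper names has_subid_range, rootless_env, install_rootless and ci_job, and the script name ci-rootless.sh, are my own.

```shell
#!/bin/sh
# Added example (not from the transcript): run the Docker Engine rootless for a
# CI worker user such as "jenkins". Assumes the uidmap package is installed and
# the user has a subuid/subgid range of at least 65536 IDs.
set -eu

# Return 0 if user $1 has a subordinate ID range of at least 65536 in the
# subuid-format file $2 (lines are user:start:count), else return 1.
# Rootless Docker maps container UIDs into this range; without it the
# installer refuses to run.
has_subid_range() {
  awk -F: -v u="$1" '$1 == u && $3 >= 65536 { ok = 1 } END { exit ok ? 0 : 1 }' "$2"
}

# Print the shell environment a CI step needs to reach the rootless daemon.
# The socket lives under the user's runtime directory, not /var/run/docker.sock,
# and the rootless binaries are installed into $HOME/bin. $1 = uid, $2 = home.
rootless_env() {
  printf 'export XDG_RUNTIME_DIR=/run/user/%s\n' "$1"
  printf 'export PATH=%s/bin:$PATH\n' "$2"
  printf 'export DOCKER_HOST=unix:///run/user/%s/docker.sock\n' "$1"
}

# One-time setup as the worker user: the transcript's install script, which
# downloads the engine, configures it and creates a user-level systemd unit.
install_rootless() {
  has_subid_range "$(id -un)" /etc/subuid || { echo "no subuid range for $(id -un)" >&2; return 1; }
  has_subid_range "$(id -un)" /etc/subgid || { echo "no subgid range for $(id -un)" >&2; return 1; }
  curl -fsSL https://get.docker.com/rootless | sh
}

# A CI job: start the daemon as this user, run the work, stop it on exit.
# No step here needs root.
ci_job() {
  eval "$(rootless_env "$(id -u)" "$HOME")"
  systemctl --user start docker
  trap 'systemctl --user stop docker' EXIT
  docker info --format '{{.SecurityOptions}}'   # includes "name=rootless" when it worked
  docker run --rm alpine:3.19 id               # uid=0 inside the container, mapped to the CI user on the host
}

case "${1:-}" in
  install) install_rootless ;;
  run)     ci_job ;;
esac
```

Run `./ci-rootless.sh install` once as the worker user, then `./ci-rootless.sh run` from each job. If the daemon must keep running after that user logs out (a long-lived agent rather than a per-job start/stop), the user also needs `loginctl enable-linger jenkins`, which is a one-time root action on the host; the per-job pattern above avoids it.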