
Having just fought it, Docker rootless is a pain to set up and feels like a hack; it's not the default behavior, requires a lot of additional setup to get it working, behaves differently than rootful docker, and lastly most documentation assumes you're using rootful docker because it's been the only way for years.

The fundamental architecture of docker makes rootless awkward, but the company needs to compete with podman now, which is architected to fix many of Docker's deficiencies while maintaining its many strengths.

Docker has been a great tool but running as root has always bothered me. I'm glad they're evolving but it feels a little too late and the migration to rootless, as far as I'm concerned, is not simple. Currently I'm investigating migrating my homelab and development efforts to podman.




The idea that Podman is "more secure" than Docker is hyperbole. As documented in Arch Linux [0]...

"Podman relies on the unprivileged user namespace usage (CONFIG_USER_NS_UNPRIVILEGED) which has some serious security implications..."

A lot of hype around Podman on HN this week (two FP conversations regarding, but nothing "new" with Podman). Seems to be an intentional push to get people talking about it for not much of an apparent reason.

[0] https://wiki.archlinux.org/title/Podman#Rootless_Podman


I agree that podman isn’t more secure but the project seems to be more open to contributions than moby.

You can still use podman rootful and use it like Docker. Then there should be no security issues.


Moby maintainer here. Have you experienced this?


I just found out about Docker's rootless mode in an HN thread the other day. The docs make it seem simple, with few meaningful limitations. Really interested to hear some more about the additional setup you needed to do, and what behavioural differences you've encountered?


It's a colossal pain in the ass to get working.

They recommend using Ubuntu. And they are not joking. Just click on the other distros to see the amount of hoops you have to jump through. You can't even get overlay2, which offers the best filesystem performance. Not to mention the benchmarks I've seen have slirp4netns at about 3% of the performance of root veth. I would consider both of those incredibly meaningful limitations. You have to use sysctl/setcap to get ping working, to bind to ports <1024, muck with systemd to get user processes starting at boot, etc. etc.

It's a tough sell when you can just install root Docker with a single package command and never have to worry about a bunch of caveats that might just break or change on the next release.
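As an added example (not code from the thread, from Docker or from podman), here is a POSIX shell audit of the three host settings the comment above names as rootless hurdles: the `net.ipv4.ping_group_range` sysctl for ping, the `net.ipv4.ip_unprivileged_port_start` sysctl for ports below 1024, and systemd "linger" for user services at boot. The check functions take the setting's value as an argument so they run on constructed input; `audit_host` reads the live values and falls back to the kernel defaults where `sysctl` or `loginctl` is absent.

```shell
#!/bin/sh
# Added example, not code from the thread. Encodes the three host-level
# prerequisites the comment above lists for rootless Docker: ping from
# containers (net.ipv4.ping_group_range), binding ports below 1024
# (net.ipv4.ip_unprivileged_port_start), and user services surviving logout
# (systemd "linger"). Each check is a pure function over a value so it can be
# run on constructed input; audit_host() reads the live values.

# ping_group_range is "low high" (space or tab separated). Unprivileged ICMP
# sockets work only for a process whose gid lies inside the range; the kernel
# default "1 0" is an empty range, so ping fails for everyone.
ping_range_allows_gid() {
    _gid="$2"
    set -- $1                     # split the range into $1=low $2=high
    [ "$_gid" -ge "$1" ] && [ "$_gid" -le "$2" ]
}

# Ports at or above ip_unprivileged_port_start may be bound without
# CAP_NET_BIND_SERVICE (default 1024). The alternative the comment mentions is
# setcap on the rootless helper instead of lowering this sysctl.
unpriv_port_allowed() {
    [ "$1" -ge "$2" ]             # $1 = wanted port, $2 = current sysctl value
}

# `loginctl show-user -p Linger <user>` prints "Linger=yes" once
# `loginctl enable-linger` has been run; without it the user's systemd
# instance, and any rootless daemon it manages, stops at logout.
linger_enabled() {
    case "$1" in
        *Linger=yes*) return 0 ;;
        *)            return 1 ;;
    esac
}

# Run a check function and print a one-line verdict instead of failing.
check() {
    _label="$1"; shift
    if "$@"; then echo "OK       $_label"; else echo "MISSING  $_label"; fi
}

# Verdicts on constructed values (each label states the case it models).
demo_constructed() {
    check "ping, range '0 2147483647', gid 1000"      ping_range_allows_gid "0 2147483647" 1000
    check "ping, kernel default '1 0', gid 1000"      ping_range_allows_gid "1 0" 1000
    check "port 80 with unprivileged_port_start=0"    unpriv_port_allowed 80 0
    check "port 80 with unprivileged_port_start=1024" unpriv_port_allowed 80 1024
    check "linger, 'Linger=yes'"                      linger_enabled "Linger=yes"
}

# Live values; each probe falls back to the kernel default when the tool is
# missing, so the script still runs on a host without sysctl or loginctl.
audit_host() {
    _gid=$(id -g); _user=$(id -un)
    _range=$(sysctl -n net.ipv4.ping_group_range 2>/dev/null || echo "1 0")
    _start=$(sysctl -n net.ipv4.ip_unprivileged_port_start 2>/dev/null || echo 1024)
    _linger=$(loginctl show-user -p Linger "$_user" 2>/dev/null || echo "Linger=no")
    check "ping from containers (ping_group_range=$_range, gid=$_gid)" ping_range_allows_gid "$_range" "$_gid"
    check "bind port 80 (ip_unprivileged_port_start=$_start)"          unpriv_port_allowed 80 "$_start"
    check "user services start at boot ($_linger for $_user)"          linger_enabled "$_linger"
}

demo_constructed
audit_host
```

Run it as the user who will own the rootless daemon; a `MISSING` line maps directly to one of the steps the comment complains about, and the constructed section shows what each verdict looks like before and after the fix.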


podman's rootless suffers from the same performance issues as docker's. This is all the same exact tech.

Rootful-<tool> is always going to be smoother to get working. Docker can be a lot smoother than it is today, though.


It's not that big a deal doing it from scratch, but most users of Docker were already using it and have it set up to run as root. Undoing that is not trivial, definitely not as simple as just uninstalling and reinstalling rootless. You have to nuke your existing containers, images, and volumes, and depending on the package manager, it's not always obvious if uninstalling Docker will undo all the networking and user configuration changes it makes. Just out of curiosity, I uninstalled it on Arch right now and it didn't get rid of the docker0 virtual bridge device, it didn't remove the iptables rules, /var/lib/docker is still there with everything in it. The docker socket is still there, but I'm guessing that would go away if I rebooted, assuming the systemd unit creates that on login.
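As an added example (not code from the thread or from Docker), this POSIX shell script looks for the residue the comment above found after uninstalling: the `docker0` bridge, the `DOCKER` iptables chains, `/var/lib/docker` and the daemon socket. The checks take listing text as input, so they are shown first on constructed `ip -o link show` and `iptables-save` samples; `audit_leftovers` then feeds them the live listings. The `/etc/docker` path and the `/var/run/docker.sock` socket location are assumptions, not details from the comment.

```shell
#!/bin/sh
# Added example, not code from the thread. After `docker` is uninstalled, it
# looks for the residue the comment above found on Arch: the docker0 bridge,
# DOCKER iptables chains, /var/lib/docker and the daemon socket. The checks
# take listing text as input so they can be exercised on constructed samples;
# audit_leftovers() feeds them the live listings.

# Constructed sample of `ip -o link show` on a host where the bridge survived.
SAMPLE_LINKS='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP
3: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN'

# Constructed sample of `iptables-save` with the chains dockerd creates.
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:DOCKER - [0:0]
:DOCKER-USER - [0:0]
-A FORWARD -j DOCKER-USER
-A FORWARD -o docker0 -j DOCKER
COMMIT'

# $1 = text of `ip -o link show`; true if an interface named docker0 exists.
has_docker_bridge() {
    printf '%s\n' "$1" | grep -q '^[0-9][0-9]*: docker0:'
}

# $1 = text of `iptables-save`; true if any DOCKER* chain or jump remains.
has_docker_iptables() {
    printf '%s\n' "$1" | grep -q -e '^:DOCKER' -e '-j DOCKER'
}

# Prints every path given that still exists; true if at least one does.
leftover_paths() {
    _any=1
    for _p in "$@"; do
        if [ -e "$_p" ]; then echo "leftover: $_p"; _any=0; fi
    done
    return $_any
}

# Show the checks on the constructed samples before touching the live host.
demo_constructed() {
    if has_docker_bridge "$SAMPLE_LINKS"; then echo "sample: docker0 bridge found"; fi
    if has_docker_iptables "$SAMPLE_RULES"; then echo "sample: DOCKER chains found"; fi
}

# Live audit. iptables-save needs root; without it the rules check sees an
# empty listing, so run this with sudo for a complete picture.
audit_leftovers() {
    _links=$(ip -o link show 2>/dev/null || true)
    _rules=$(iptables-save 2>/dev/null || true)
    if has_docker_bridge "$_links"; then echo "leftover: docker0 bridge"; fi
    if has_docker_iptables "$_rules"; then echo "leftover: DOCKER iptables chains/rules"; fi
    # /etc/docker (daemon.json) and the socket path are assumed locations.
    leftover_paths /var/lib/docker /var/run/docker.sock /etc/docker || echo "no leftover paths"
}

demo_constructed
audit_leftovers
```

Anything the script reports is state that a package removal left behind and that a fresh rootless install will not clean up for you; a stale `docker0` bridge and `DOCKER` chains in particular still shape traffic on the host even though no daemon is running.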


Extra packages/steps/incantations that need to be performed/installed, introduction of a docker context mechanism that requires understanding, lingering inconsistencies with external filesystem mounting as root owner, incompatibility with most existing docker scripts and compose scripts, confusion on how to get back to root mode, etc.

It just didn't feel like a turn key solution. I have no idea how this would work in CI/CD systems though docker doesn't always need to be as secure there. Docker is a great tool but, like a lot of tech, in the mad rush to market, security was an afterthought and nowhere has it felt more clearly to me than in rootless mode.


I do not agree that the architecture makes it difficult to do. The main issue is you have to start the daemon. Systemd can at least manage this for you as an unprivileged user.

That said, certainly a no-daemon approach takes an extra step out of the mix here.



