Is it possible to get in docker container without root permission of host, when docker needs sudo to run?

To my knowledge, people usually open docker group for regular users, so they could have a separate environment to do almost anything without root permission of host.

But if docker command needs to be run by sudo, like sudo docker exec -it CONTAINER /bin/bash , is it a good way to hide information, for instance, source code in container?

My question is, to be more specific, if sudo is necessary to run docker, is it possible to see what's inside container, or even access it, without root permission?

Solution 1:

It's not necessary to run Docker as root.

Docker has a "rootless" mode, that allows Docker containers to be run in userspace. However, there are some limitations to this operating mode listed in the linked documentation. In this mode, the user in question has full access to containers and their contents.

I don't personally have any experience with running Docker in rootless mode though.

If you want to run Docker as a system-wide service, it requires root access, or membership of the docker group. In this mode, you can run the following command (as member of docker group - using nginx as an example, and provided bash is in the container):

docker exec -it nginx /bin/bash

You get into the terminal of the container (as root):

root@e209bdb1fe51:/#

So even if you're not root on local machine (but a member of the docker group), you will be root inside the container.