docker/dind-rootless: 'Cannot connect to the Docker daemon' on MacOS (Silicon) Docker Desktop

[RoFz]

I'm unable to make dind-rootless (arm64v8) work with Docker Desktop for MacOS (Silicon) due to:

 ~  docker run -d --name=docker-dind-rootless-arm64 --platform linux/arm64/v8 --privileged docker:dind-rootless 
17ce670ad44fb090f94f2ea1624056d7c3a67dfeb1a7f5266ed6d88e9122979d

 ~  docker ps -n 1                                                                                            
CONTAINER ID   IMAGE     COMMAND                  CREATED          STATUS          PORTS           NAMES
17ce670ad44f   docker    "dockerd-entrypoint.…"   51 seconds ago   Up 50 seconds   2375-2376/tcp   docker-dind-rootless-arm64

~  docker exec -it docker-dind-rootless-arm64 docker ps 
Cannot connect to the Docker daemon at unix:///var/run/docker.sock. Is the docker daemon running?

docker-info

Client:
 Version:    25.0.2
 Context:    desktop-linux
 Debug Mode: false
 Plugins:
  buildx: Docker Buildx (Docker Inc.)
    Version:  v0.12.1-desktop.4
    Path:     /Users/<myusername>/.docker/cli-plugins/docker-buildx
  compose: Docker Compose (Docker Inc.)
    Version:  v2.24.3-desktop.1
    Path:     /Users/<myusername>/.docker/cli-plugins/docker-compose
  debug: Get a shell into any image or container. (Docker Inc.)
    Version:  0.0.22
    Path:     /Users/<myusername>/.docker/cli-plugins/docker-debug
  dev: Docker Dev Environments (Docker Inc.)
    Version:  v0.1.0
    Path:     /Users/<myusername>/.docker/cli-plugins/docker-dev
  extension: Manages Docker extensions (Docker Inc.)
    Version:  v0.2.21
    Path:     /Users/<myusername>/.docker/cli-plugins/docker-extension
  feedback: Provide feedback, right in your terminal! (Docker Inc.)
    Version:  v1.0.4
    Path:     /Users/<myusername>/.docker/cli-plugins/docker-feedback
  init: Creates Docker-related starter files for your project (Docker Inc.)
    Version:  v1.0.0
    Path:     /Users/<myusername>/.docker/cli-plugins/docker-init
  sbom: View the packaged-based Software Bill Of Materials (SBOM) for an image (Anchore Inc.)
    Version:  0.6.0
    Path:     /Users/<myusername>/.docker/cli-plugins/docker-sbom
  scout: Docker Scout (Docker Inc.)
    Version:  v1.3.0
    Path:     /Users/<myusername>/.docker/cli-plugins/docker-scout
WARNING: Plugin "/Users/<myusername>/.docker/cli-plugins/docker-scan" is not valid: failed to fetch metadata: fork/exec /Users/<myusername>/.docker/cli-plugins/docker-scan: no such file or directory

Server:
 Containers: 38
  Running: 37
  Paused: 0
  Stopped: 1
 Images: 22
 Server Version: 25.0.2
 Storage Driver: overlay2
  Backing Filesystem: extfs
  Supports d_type: true
  Using metacopy: false
  Native Overlay Diff: true
  userxattr: false
 Logging Driver: json-file
 Cgroup Driver: cgroupfs
 Cgroup Version: 2
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local splunk syslog
 Swarm: inactive
 Runtimes: runc io.containerd.runc.v2
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: ae07eda36dd25f8a1b98dfbf587313b99c0190bb
 runc version: v1.1.12-0-g51d5e94
 init version: de40ad0
 Security Options:
  seccomp
   Profile: unconfined
  cgroupns
 Kernel Version: 6.6.12-linuxkit
 Operating System: Docker Desktop
 OSType: linux
 Architecture: aarch64
 CPUs: 10
 Total Memory: 15.85GiB
 Name: docker-desktop
 ID: fe669af4-3bb9-4562-954f-513dcd5713fe
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 HTTP Proxy: http.docker.internal:3128
 HTTPS Proxy: http.docker.internal:3128
 No Proxy: hubproxy.docker.internal
 Experimental: false
 Insecure Registries:
  hubproxy.docker.internal:5555
  127.0.0.0/8
 Live Restore Enabled: false

WARNING: daemon is not using the default seccomp profile

docker logs (some issues - unknown if related)

~ docker logs docker-dind-rootless-arm64
Certificate request self-signature ok
subject=CN = docker:dind server
/certs/server/cert.pem: OK
Certificate request self-signature ok
subject=CN = docker:dind client
/certs/client/cert.pem: OK
cat: can't open '/proc/net/ip_tables_names': Permission denied
cat: can't open '/proc/net/ip6_tables_names': Permission denied
cat: can't open '/proc/net/arp_tables_names': Permission denied
Device "nf_tables" does not exist.
modprobe: can't change directory to '/lib/modules': No such file or directory
Device "ip_tables" does not exist.
modprobe: can't change directory to '/lib/modules': No such file or directory
iptables v1.8.10 (nf_tables)
[WARN  tini (98)] Tini is not running as PID 1 and isn't registered as a child subreaper.
Zombie processes will not be re-parented to Tini, so zombie reaping won't work.
To fix the problem, use the -s option or set the environment variable TINI_SUBREAPER to register Tini as a child subreaper, or run Tini as PID 1.
time="2024-02-15T12:17:49.877407387Z" level=info msg="Starting up"
time="2024-02-15T12:17:49.877451762Z" level=warning msg="Running in rootless mode. This mode has feature limitations."
time="2024-02-15T12:17:49.877455471Z" level=info msg="Running with RootlessKit integration"
time="2024-02-15T12:17:49.878036679Z" level=info msg="containerd not running, starting managed containerd"
time="2024-02-15T12:17:49.878678471Z" level=info msg="started new containerd process" address=/run/user/1000/docker/containerd/containerd.sock module=libcontainerd pid=114
time="2024-02-15T12:17:49.894674387Z" level=info msg="starting containerd" revision=7c3aca7a610df76212171d200ca3811ff6096eb8 version=v1.7.13
time="2024-02-15T12:17:49.903924846Z" level=info msg="loading plugin \"io.containerd.event.v1.exchange\"..." type=io.containerd.event.v1
time="2024-02-15T12:17:49.903950971Z" level=info msg="loading plugin \"io.containerd.internal.v1.opt\"..." type=io.containerd.internal.v1
time="2024-02-15T12:17:49.904021346Z" level=warning msg="failed to load plugin io.containerd.internal.v1.opt" error="mkdir /opt/containerd: permission denied"
time="2024-02-15T12:17:49.904033137Z" level=info msg="loading plugin \"io.containerd.warning.v1.deprecations\"..." type=io.containerd.warning.v1
time="2024-02-15T12:17:49.904040096Z" level=info msg="loading plugin \"io.containerd.snapshotter.v1.blockfile\"..." type=io.containerd.snapshotter.v1
time="2024-02-15T12:17:49.904112262Z" level=info msg="skip loading plugin \"io.containerd.snapshotter.v1.blockfile\"..." error="no scratch file generator: skip plugin" type=io.containerd.snapshotter.v1
time="2024-02-15T12:17:49.904125137Z" level=info msg="loading plugin \"io.containerd.snapshotter.v1.devmapper\"..." type=io.containerd.snapshotter.v1
time="2024-02-15T12:17:49.904131346Z" level=warning msg="failed to load plugin io.containerd.snapshotter.v1.devmapper" error="devmapper not configured"
time="2024-02-15T12:17:49.904135054Z" level=info msg="loading plugin \"io.containerd.snapshotter.v1.native\"..." type=io.containerd.snapshotter.v1
time="2024-02-15T12:17:49.904179554Z" level=info msg="loading plugin \"io.containerd.snapshotter.v1.overlayfs\"..." type=io.containerd.snapshotter.v1
time="2024-02-15T12:17:49.904396596Z" level=info msg="loading plugin \"io.containerd.snapshotter.v1.aufs\"..." type=io.containerd.snapshotter.v1
time="2024-02-15T12:17:49.905962304Z" level=info msg="skip loading plugin \"io.containerd.snapshotter.v1.aufs\"..." error="aufs is not supported (modprobe aufs failed: exit status 1 \"Device \\\"aufs\\\" does not exist.\\nmodprobe: can't change directory to '/lib/modules': No such file or directory\\n\"): skip plugin" type=io.containerd.snapshotter.v1
time="2024-02-15T12:17:49.905985887Z" level=info msg="loading plugin \"io.containerd.snapshotter.v1.zfs\"..." type=io.containerd.snapshotter.v1
time="2024-02-15T12:17:49.906141637Z" level=info msg="skip loading plugin \"io.containerd.snapshotter.v1.zfs\"..." error="path /home/rootless/.local/share/docker/containerd/daemon/io.containerd.snapshotter.v1.zfs must be a zfs filesystem to be used with the zfs snapshotter: skip plugin" type=io.containerd.snapshotter.v1
time="2024-02-15T12:17:49.906159387Z" level=info msg="loading plugin \"io.containerd.content.v1.content\"..." type=io.containerd.content.v1
time="2024-02-15T12:17:49.906215971Z" level=info msg="loading plugin \"io.containerd.metadata.v1.bolt\"..." type=io.containerd.metadata.v1
time="2024-02-15T12:17:49.906249054Z" level=warning msg="could not use snapshotter devmapper in metadata plugin" error="devmapper not configured"
time="2024-02-15T12:17:49.906264721Z" level=info msg="metadata content store policy set" policy=shared
time="2024-02-15T12:17:49.912300762Z" level=info msg="loading plugin \"io.containerd.gc.v1.scheduler\"..." type=io.containerd.gc.v1
time="2024-02-15T12:17:49.912345137Z" level=info msg="loading plugin \"io.containerd.differ.v1.walking\"..." type=io.containerd.differ.v1
time="2024-02-15T12:17:49.912358262Z" level=info msg="loading plugin \"io.containerd.lease.v1.manager\"..." type=io.containerd.lease.v1
time="2024-02-15T12:17:49.912365637Z" level=info msg="loading plugin \"io.containerd.streaming.v1.manager\"..." type=io.containerd.streaming.v1
time="2024-02-15T12:17:49.912376762Z" level=info msg="loading plugin \"io.containerd.runtime.v1.linux\"..." type=io.containerd.runtime.v1
time="2024-02-15T12:17:49.912484762Z" level=info msg="loading plugin \"io.containerd.monitor.v1.cgroups\"..." type=io.containerd.monitor.v1
time="2024-02-15T12:17:49.912613262Z" level=info msg="loading plugin \"io.containerd.runtime.v2.task\"..." type=io.containerd.runtime.v2
time="2024-02-15T12:17:49.912705804Z" level=info msg="loading plugin \"io.containerd.runtime.v2.shim\"..." type=io.containerd.runtime.v2
time="2024-02-15T12:17:49.912719762Z" level=info msg="loading plugin \"io.containerd.sandbox.store.v1.local\"..." type=io.containerd.sandbox.store.v1
time="2024-02-15T12:17:49.912725762Z" level=info msg="loading plugin \"io.containerd.sandbox.controller.v1.local\"..." type=io.containerd.sandbox.controller.v1
time="2024-02-15T12:17:49.912732304Z" level=info msg="loading plugin \"io.containerd.service.v1.containers-service\"..." type=io.containerd.service.v1
time="2024-02-15T12:17:49.912741387Z" level=info msg="loading plugin \"io.containerd.service.v1.content-service\"..." type=io.containerd.service.v1
time="2024-02-15T12:17:49.912747762Z" level=info msg="loading plugin \"io.containerd.service.v1.diff-service\"..." type=io.containerd.service.v1
time="2024-02-15T12:17:49.912757137Z" level=info msg="loading plugin \"io.containerd.service.v1.images-service\"..." type=io.containerd.service.v1
time="2024-02-15T12:17:49.912775512Z" level=info msg="loading plugin \"io.containerd.service.v1.introspection-service\"..." type=io.containerd.service.v1
time="2024-02-15T12:17:49.912784846Z" level=info msg="loading plugin \"io.containerd.service.v1.namespaces-service\"..." type=io.containerd.service.v1
time="2024-02-15T12:17:49.912794554Z" level=info msg="loading plugin \"io.containerd.service.v1.snapshots-service\"..." type=io.containerd.service.v1
time="2024-02-15T12:17:49.912800096Z" level=info msg="loading plugin \"io.containerd.service.v1.tasks-service\"..." type=io.containerd.service.v1
time="2024-02-15T12:17:49.912809971Z" level=info msg="loading plugin \"io.containerd.grpc.v1.containers\"..." type=io.containerd.grpc.v1
time="2024-02-15T12:17:49.912815804Z" level=info msg="loading plugin \"io.containerd.grpc.v1.content\"..." type=io.containerd.grpc.v1
time="2024-02-15T12:17:49.912822512Z" level=info msg="loading plugin \"io.containerd.grpc.v1.diff\"..." type=io.containerd.grpc.v1
time="2024-02-15T12:17:49.912828721Z" level=info msg="loading plugin \"io.containerd.grpc.v1.events\"..." type=io.containerd.grpc.v1
time="2024-02-15T12:17:49.912835471Z" level=info msg="loading plugin \"io.containerd.grpc.v1.images\"..." type=io.containerd.grpc.v1
time="2024-02-15T12:17:49.912849679Z" level=info msg="loading plugin \"io.containerd.grpc.v1.introspection\"..." type=io.containerd.grpc.v1
time="2024-02-15T12:17:49.912854804Z" level=info msg="loading plugin \"io.containerd.grpc.v1.leases\"..." type=io.containerd.grpc.v1
time="2024-02-15T12:17:49.912860179Z" level=info msg="loading plugin \"io.containerd.grpc.v1.namespaces\"..." type=io.containerd.grpc.v1
time="2024-02-15T12:17:49.912865762Z" level=info msg="loading plugin \"io.containerd.grpc.v1.sandbox-controllers\"..." type=io.containerd.grpc.v1
time="2024-02-15T12:17:49.912872137Z" level=info msg="loading plugin \"io.containerd.grpc.v1.sandboxes\"..." type=io.containerd.grpc.v1
time="2024-02-15T12:17:49.912877054Z" level=info msg="loading plugin \"io.containerd.grpc.v1.snapshots\"..." type=io.containerd.grpc.v1
time="2024-02-15T12:17:49.912887679Z" level=info msg="loading plugin \"io.containerd.grpc.v1.streaming\"..." type=io.containerd.grpc.v1
time="2024-02-15T12:17:49.912892762Z" level=info msg="loading plugin \"io.containerd.grpc.v1.tasks\"..." type=io.containerd.grpc.v1
time="2024-02-15T12:17:49.912899387Z" level=info msg="loading plugin \"io.containerd.transfer.v1.local\"..." type=io.containerd.transfer.v1
time="2024-02-15T12:17:49.912908554Z" level=info msg="loading plugin \"io.containerd.grpc.v1.transfer\"..." type=io.containerd.grpc.v1
time="2024-02-15T12:17:49.912921846Z" level=info msg="loading plugin \"io.containerd.grpc.v1.version\"..." type=io.containerd.grpc.v1
time="2024-02-15T12:17:49.912926929Z" level=info msg="loading plugin \"io.containerd.internal.v1.restart\"..." type=io.containerd.internal.v1
time="2024-02-15T12:17:49.912971887Z" level=info msg="loading plugin \"io.containerd.tracing.processor.v1.otlp\"..." type=io.containerd.tracing.processor.v1
time="2024-02-15T12:17:49.912983012Z" level=info msg="skip loading plugin \"io.containerd.tracing.processor.v1.otlp\"..." error="no OpenTelemetry endpoint: skip plugin" type=io.containerd.tracing.processor.v1
time="2024-02-15T12:17:49.912987429Z" level=info msg="loading plugin \"io.containerd.internal.v1.tracing\"..." type=io.containerd.internal.v1
time="2024-02-15T12:17:49.912991637Z" level=info msg="skipping tracing processor initialization (no tracing plugin)" error="no OpenTelemetry endpoint: skip plugin"
time="2024-02-15T12:17:49.913116096Z" level=info msg="loading plugin \"io.containerd.grpc.v1.healthcheck\"..." type=io.containerd.grpc.v1
time="2024-02-15T12:17:49.913129304Z" level=info msg="loading plugin \"io.containerd.nri.v1.nri\"..." type=io.containerd.nri.v1
time="2024-02-15T12:17:49.913142471Z" level=info msg="NRI interface is disabled by configuration."
time="2024-02-15T12:17:49.913274346Z" level=info msg=serving... address=/run/user/1000/docker/containerd/containerd-debug.sock
time="2024-02-15T12:17:49.913336221Z" level=info msg=serving... address=/run/user/1000/docker/containerd/containerd.sock.ttrpc
time="2024-02-15T12:17:49.913366137Z" level=info msg=serving... address=/run/user/1000/docker/containerd/containerd.sock
time="2024-02-15T12:17:49.913380137Z" level=info msg="containerd successfully booted in 0.019412s"
time="2024-02-15T12:17:50.927986846Z" level=info msg="Loading containers: start."
time="2024-02-15T12:17:50.928131180Z" level=info msg="skipping firewalld management for rootless mode"
time="2024-02-15T12:17:51.003413971Z" level=info msg="Loading containers: done."
time="2024-02-15T12:17:51.006843930Z" level=warning msg="Not using native diff for overlay2, this may cause degraded performance for building images: running in a user namespace" storage-driver=overlay2
time="2024-02-15T12:17:51.006956180Z" level=warning msg="WARNING: Running in rootless-mode without cgroups. Systemd is required to enable cgroups in rootless-mode."
time="2024-02-15T12:17:51.006976721Z" level=info msg="Docker daemon" commit=f417435 containerd-snapshotter=false storage-driver=overlay2 version=25.0.3
time="2024-02-15T12:17:51.007122680Z" level=info msg="Daemon has completed initialization"
time="2024-02-15T12:17:51.034014680Z" level=info msg="API listen on /run/user/1000/docker.sock"
time="2024-02-15T12:17:51.034018680Z" level=info msg="API listen on [::]:2376"

If I just do a docker run -it --rm --name=docker-dind-rootless-arm64 --platform linux/arm64/v8 --privileged docker:dind-rootless sh, the error is slightly different:

error during connect: Get "http://docker:2375/v1.24/containers/json": dial tcp: lookup docker on 192.168.65.7:53: no such host

Important: docker-dind (without rootless) works fine.

Any ideas?

[tianon]

Rootless is special and requires more setup for the client IIRC -- try docker exec -it docker-dind-rootless-arm64 docker-entrypoint.sh docker ps

(Honestly, using Rootless mode inside DinD on top of Docker Desktop seems odd in itself and there might be better ways to accomplish what you're trying to. 😅)