Is it possible to use docker swarm with rootless docker?

I have successfully installed rootless Docker and now I'm trying to use Docker Swarm with it. I'm running four GCP instances. I followed the steps below:

on Node 1

  1. docker swarm init --advertise-addr 34.93.X.X

  2. docker swarm join-token manager gives docker swarm join --token SWMTKN-1-21vhv6gawb9mpur1v379sq52ia2jq4n0boqes0wos10o7m833l-5935hxvsht0x21o0qjpeqykae 34.93.X.X:2377

on Node 2

  1. docker swarm join --token SWMTKN-1-2xtpxpc18p8qf3e4kb3dvsjr4a4ae786entmwuekh6w5bbfmpz-e5rhoya81d1pajet80wx34mcv 34.93.X.X:2377 --advertise-addr 34.93.X.X gives the error below:

Error response from daemon: rpc error: code = Unavailable desc = all SubConns are in TransientFailure, latest connection error: connection error: desc = "transport: Error while dialing dial tcp 34.93.X.X:2377: connect: connection refused"

NOTE: with rootful Docker I'm able to join the nodes.

asked Nov 02 '25 22:11


1 Answer

It's not possible today. It's not Swarm's fault, it's the design of Linux. Swarm (by default) uses overlay networking that creates virtual IPs, VXLAN routes, and more in iptables, and rootless (anything) can't control Linux networking to that level as far as I know.

See https://docs.docker.com/engine/security/rootless/#known-limitations

If your goal is just to lock down Docker, I think it's much more effective to use things like User Namespaces (dockerd runs as root, but containers don't run as root), change the default user running in containers, and other steps I list here https://github.com/BretFisher/ama/discussions/150

Bret Fisher, answered Nov 04 '25 11:11
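A small added check that is not part of the question or the answer: it reads the daemon's security options (as `docker info --format '{{.SecurityOptions}}'` reports them, with a constructed sample embedded so it runs without a daemon), reports whether the daemon is rootless and therefore cannot provide Swarm overlay networking, and prints the `userns-remap` daemon.json setting the answer suggests as the rootful alternative.

```shell
#!/bin/sh
# Added example, not from the page. Decide whether this Docker daemon can run
# Swarm overlay networking, and show the user-namespace alternative.
# Assumption: a rootless daemon lists "name=rootless" in SecurityOptions.

# Constructed sample of what a rootless daemon reports.
SAMPLE_ROOTLESS='[name=seccomp,profile=builtin name=rootless name=cgroupns]'
# Constructed sample of what a rootful daemon reports.
SAMPLE_ROOTFUL='[name=apparmor name=seccomp,profile=builtin name=cgroupns]'

# daemon_mode OPTIONS -> prints "rootless" or "rootful"
daemon_mode() {
    case "$1" in
        *name=rootless*) echo rootless ;;
        *) echo rootful ;;
    esac
}

# swarm_supported OPTIONS -> exit 0 only for a rootful daemon, since a
# rootless one cannot create the VXLAN routes and iptables rules Swarm needs
swarm_supported() {
    [ "$(daemon_mode "$1")" = rootful ]
}

# userns_daemon_json -> /etc/docker/daemon.json content that keeps dockerd
# as root but maps container root onto an unprivileged host uid/gid range
userns_daemon_json() {
    printf '{\n  "userns-remap": "default"\n}\n'
}

# Query the live daemon when one is reachable; otherwise use the sample.
opts=$(docker info --format '{{.SecurityOptions}}' 2>/dev/null) || opts=$SAMPLE_ROOTLESS
if swarm_supported "$opts"; then
    echo "rootful daemon: 'docker swarm init' and overlay networks are supported"
else
    echo "rootless daemon: overlay networking is unavailable, swarm join will fail"
    echo "rootful hardening alternative, /etc/docker/daemon.json:"
    userns_daemon_json
fi
```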


