SafeLine WAF on Rootless Docker Setup Guide

Rootless Docker just got a security boost with SafeLine WAF. But two big hurdles—ports and IPs—demand clever tweaks to make it work.

SafeLine WAF Powers Up on Rootless Docker—With Fixes — theAIcatchup

Key Takeaways

  • The slirp4netns port driver preserves client source IPs in rootless Docker; the default builtin driver SNATs them away.
  • Edit compose.yaml: drop host network, add explicit ports and a fixed subnet IP for tengine.
  • A sysctl (net.ipv4.ip_unprivileged_port_start=80) unlocks 80/443 for the unprivileged daemon; unverified for prod, so test aggressively.

Rootless Docker breaks SafeLine.

I’ve chased security hype for two decades now—back when firewalls were actual hardware boxes humming in data centers, not some containerized buzzword salad. SafeLine, this open-source Web Application Firewall from Chaitin, promises solid protection against web nasties. But shove it into rootless Docker? Expect pain. The original post by obuno lays out the guts, warts and all, and it’s refreshingly honest: unverified tweaks, non-prod only, no liability. Smart.

Look, rootless Docker’s the right call for paranoia-prone devs: the daemon and its containers run as an ordinary user, so a container escape lands as that user, not root. Who’s making money here? Nobody, really; it’s all community elbow grease. But SafeLine’s compose.yaml? Built for rootful bliss. Ports vanish. Client IPs ghost. Classic.

Why SafeLine Hates Rootless Out of the Box?

Two killers: the unprivileged daemon can’t bind ports 80/443 on the host, and the default port driver SNATs inbound connections, so tengine sees rootlesskit’s gateway address instead of the real client. Nginx inside the tengine container thinks it’s golden, binding fine internally. Host? Crickets.

In rootless Docker, network_mode: host does not mean the real host network. Containers land in the rootlesskit network namespace instead.

That’s the money quote from obuno. Spot on. Because the daemon runs as an unprivileged user, nothing it starts can bind a host port below net.ipv4.ip_unprivileged_port_start (1024 by default), and the builtin port driver rewrites the source address of every inbound connection, so IP-based rules (rate limits, geo-blocks, blacklists) all judge the gateway address instead of the client. Useless.

But here’s my twist, one you won’t find in the original: this mess echoes the early Kubernetes days, when everyone ignored pod security policies until breaches piled up. Rootless Docker’s our new pod security—essential, but WAFs gotta evolve. Prediction? By 2026, half the security stacks ship rootless-ready compose files, or they die.

Short fix? Switch to the slirp4netns port driver. It carries the real source IP into the container, no root needed. Low ports are a separate problem and still take the sysctl covered below. Game-changer.

First, prerequisites. Docker rootless installed (dockerd-rootless-setuptool.sh install). SafeLine’s compose.yaml and .env ready. Sudo for one sysctl tweak.

Logged in as your docker user:

```bash
mkdir -p /home/user/data/safeline/
cd /home/user/data/safeline/
wget "https://waf.chaitin.com/release/latest/compose.yaml"
touch ".env"
```

Then pump in that .env—SAFELINE_DIR, IMAGE_TAG=latest, ports, Postgres pass, subnet. Obuno’s got the full cat > .env block. Copy-paste friendly.

Switching to slirp4netns: The Magic Bullet

Create daemon override:

```bash
mkdir -p ~/.config/systemd/user/docker.service.d
cat > ~/.config/systemd/user/docker.service.d/override.conf << EOF
[Service]
Environment="DOCKERD_ROOTLESS_ROOTLESSKIT_NET=slirp4netns"
Environment="DOCKERD_ROOTLESS_ROOTLESSKIT_PORT_DRIVER=slirp4netns"
EOF
```

Reload and restart so the new rootlesskit picks up both drivers, then check status:

```bash
systemctl --user daemon-reload
systemctl --user stop docker
pkill rootlesskit
systemctl --user start docker
systemctl --user status docker
```

This alone fixes SNAT—real IPs flow through. No more fake gateway IPs screwing your rules. But ports? Still need sysctl love.

Taming Privileged Ports Without Root

Test it first:

```bash
sudo sysctl -w net.ipv4.ip_unprivileged_port_start=80
```

Make it persistent (a plain shell redirect into /etc/sysctl.d fails as your user, hence tee):

```bash
echo "net.ipv4.ip_unprivileged_port_start=80" | sudo tee /etc/sysctl.d/99-unprivileged-ports.conf
sudo sysctl --system
```

Verify: sudo sysctl net.ipv4.ip_unprivileged_port_start. Should scream 80.

Slirp4netns laughs at setcap tricks: granting cap_net_bind_service to the rootlesskit binary is enough for the builtin port driver but not for this one, so sysctl’s your only friend here. One caveat the post glosses over: the sysctl is host-wide. Every unprivileged process on that box can now bind 80 through 1023, not just dockerd, so keep the host single-purpose. Cynical me? Love it. Forces shared responsibility; no magic root bullet.

Now, hack compose.yaml’s tengine service. Ditch network_mode: host entirely (Compose refuses a service that declares both network_mode and networks, so it has to go, not just be worked around). Add ports: - "80:80" - "443:443". Attach it to networks: safeline-ce with a fixed ipv4_address like ${SUBNET_PREFIX}.x (pick a free one; the other services already pin addresses in that subnet, and docker network inspect safeline-ce lists what is in use once the stack is up).

Ulimits, volumes, env? Untouched. Boom.

Testing Without Torching Prod

Spin up: docker compose up -d. Curl your box on 80/443 from a client whose address you know, so you can tell a real IP from the gateway’s. See SafeLine’s login? Good. Check logs: docker compose logs tengine. IPs real? Look at the client address SafeLine records for that request: if it shows the compose network’s gateway (docker network inspect safeline-ce) instead of your client, the builtin port driver is still in play and the override didn’t take.
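Pulling the steps above together, here is an added example, my own script and not code from obuno’s post or from SafeLine: it writes the systemd drop-in, restarts the rootless daemon, checks that the sysctl and the port driver actually took, and emits a compose.override.yaml for tengine so the upstream compose.yaml can be re-downloaded on upgrade without losing the edits. Names and conveniences are mine: the function names, the `live` argument that gates the host-touching part, the assumption that dockerd-rootless.sh passes `--port-driver=<name>` on rootlesskit’s command line (so `ps` can confirm it), the assumption that the `.1` address is the network gateway, that `.env` carries a `SUBNET_PREFIX=` line and that `docker compose config` prints the resolved `ipv4_address` lines, and the use of Compose’s `!reset` tag to delete `network_mode` from an override file, which needs a recent Docker Compose v2 (the script runs `docker compose config` to prove the merge is valid). The sudo sysctl step stays manual; the script only checks its result.

```shell
#!/bin/sh
# Added example, not from obuno's post or SafeLine's repo: apply the rootless
# fixes from this article and prove each one took before tengine is started.
# Pure helpers take their inputs as arguments (testable offline); `main` runs
# the live steps only when the script is invoked as:  ./safeline-rootless.sh live
set -e

OVERRIDE_FILE="$HOME/.config/systemd/user/docker.service.d/override.conf"

# systemd drop-in: both variables dockerd-rootless.sh reads for rootlesskit.
render_override() {
  printf '%s\n' '[Service]' \
    'Environment="DOCKERD_ROOTLESS_ROOTLESSKIT_NET=slirp4netns"' \
    'Environment="DOCKERD_ROOTLESS_ROOTLESSKIT_PORT_DRIVER=slirp4netns"'
}

# $1 = current net.ipv4.ip_unprivileged_port_start. Succeeds when an
# unprivileged dockerd may bind port 80 (the lowest port SafeLine needs).
port_start_ok() {
  [ "$1" -le 80 ]
}

# $1 = rootlesskit's command line (ps -o args=). Assumption: dockerd-rootless.sh
# passes the driver as --port-driver=<name>, so a restart that silently kept
# the builtin driver (the SNAT one) is caught here, not in production logs.
port_driver_ok() {
  case " $1 " in
    *" --port-driver=slirp4netns "*) return 0 ;;
    *) return 1 ;;
  esac
}

# $1 = subnet prefix (e.g. 172.22.222), $2 = newline-separated addresses already
# pinned in the compose project. Prints the first free host address, skipping
# .1 (assumed to be the gateway). Returns 1 if the /24 is exhausted.
free_ip_in_subnet() {
  i=2
  while [ "$i" -lt 255 ]; do
    candidate="$1.$i"
    if ! printf '%s\n' "$2" | grep -qxF "$candidate"; then
      printf '%s\n' "$candidate"
      return 0
    fi
    i=$((i + 1))
  done
  return 1
}

# compose.override.yaml for tengine ($1 = its fixed address). Compose merges it
# over the upstream compose.yaml, so re-downloading that file keeps these edits.
# Assumption: a Docker Compose v2 recent enough to honour the !reset tag, which
# deletes network_mode (network_mode and networks are mutually exclusive).
render_compose_override() {
  cat <<EOF
services:
  tengine:
    network_mode: !reset null
    ports:
      - "80:80"
      - "443:443"
    networks:
      safeline-ce:
        ipv4_address: $1
EOF
}

main() {
  mkdir -p "$(dirname "$OVERRIDE_FILE")"
  render_override > "$OVERRIDE_FILE"
  systemctl --user daemon-reload
  systemctl --user stop docker
  pkill rootlesskit || true          # make sure the old rootlesskit is gone
  systemctl --user start docker

  port_start_ok "$(sysctl -n net.ipv4.ip_unprivileged_port_start)" ||
    { echo "sysctl net.ipv4.ip_unprivileged_port_start still blocks port 80" >&2; exit 1; }
  port_driver_ok "$(ps -o args= -C rootlesskit | head -n 1)" ||
    { echo "rootlesskit restarted without the slirp4netns port driver" >&2; exit 1; }

  if [ ! -f compose.override.yaml ]; then
    prefix="$(sed -n 's/^SUBNET_PREFIX=//p' .env)"
    # addresses the upstream file already pins, as Compose resolves them
    used="$(docker compose config | sed -n 's/^[[:space:]]*ipv4_address:[[:space:]]*//p' | tr -d '"')"
    render_compose_override "$(free_ip_in_subnet "$prefix" "$used")" > compose.override.yaml
  fi
  docker compose config > /dev/null  # fails loudly if the merge is invalid
  echo "ready: docker compose up -d"
}

if [ "${1:-}" = "live" ]; then main; fi
```

Run it as the docker user from the SafeLine directory after the sysctl is in place; each check exits non-zero with a reason before anything is exposed on 80/443. It deliberately does not touch sysctl itself, because that is the one root-requiring step and the one with host-wide consequences.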

Obuno warns: non-prod only. SafeLine team hasn’t blessed this. Me? I’ve seen “quick fixes” nuke clusters. Test hard—fuzz ports, flood with fake traffic, verify blocks.

And the money angle? Chaitin’s CE is free, but enterprise? Paid. Rootless run saves hosting bucks—no VM sprawl. But if it flakes, you’re debugging namespace hell solo.

Is SafeLine WAF Production-Ready in Rootless Docker?

Not yet. Obuno’s post screams test env. Slirp4netns helps, but edge cases lurk—IPv6? High load? Custom rules? Unproven.

My bold call: it’ll mature fast. Open source moves quick when security nerds poke. Watch GitHub; forks incoming.

Parallel to ModSecurity days—NGINX module ruled, then containers forced reinvention. SafeLine’s next.

One-paragraph rant: Docker’s rootless push is boss-level security hygiene, but vendors drag feet. SafeLine’s close; nudge ‘em.

Deeper dive on slirp4netns. It’s user-space networking: rootlesskit gives the namespace a TAP device and slirp4netns shuttles packets between it and the host without any privileges. The builtin port driver is a user-mode proxy on the host side, so each inbound connection is accepted there and re-opened from inside the namespace, and tengine sees rootlesskit’s address instead of the client’s; that is the SNAT that wrecks IP rules. The slirp4netns port driver forwards inside that user-space stack and keeps the original TCP/UDP source address. Drawback? Lower throughput than builtin on port-heavy setups; Docker’s own docs label it the slow option. Worth it for WAF truth.

Tengine tweaks matter because host networking is a rootless lie: network_mode: host puts tengine in the rootlesskit namespace, not on the real host, so its ports have to be published explicitly before slirp4netns can expose them.

Post-setup, monitor: docker stats, sysctl values, compose logs. Restart daemon? Verify driver sticks.

Why Bother with Rootless for WAFs?

Security. Plain. Root containers are a compromise jackpot: escape one and you are root on the host. Rootless? User namespaces map container root to an unprivileged host UID, so an escape lands as an ordinary user and the blast stays contained. In breaches I’ve covered, container escape was ugly. This? Safer default.

Downsides? A throughput hit (user-space networking; measure it on your own traffic) and a complexity spike. Tradeoff.

FAQ time.


Frequently Asked Questions

How do I install SafeLine WAF on rootless Docker?

Grab compose.yaml, set .env, switch to slirp4netns, sysctl ports, edit tengine ports/network. Full steps above—test non-prod.

What fixes SNAT in rootless Docker for SafeLine?

Slirp4netns port driver. Override docker.service.d, restart daemon. Real client IPs preserved.

Can SafeLine bind ports 80/443 rootless?

Yes, after sysctl net.ipv4.ip_unprivileged_port_start=80 and tengine port mappings. No setcap needed.

Priya Sundaram
Written by

Hardware and infrastructure reporter. Tracks GPU wars, chip design, and the compute economy.




Originally reported by Dev.to
