
Add rootless docker documentation for ubuntu 24.04 #183

@createthis

Description

I don't know if we want to turn this into official documentation or just leave the issue up so people can see it when they google.

I finally got rootless docker running OpenHands last night on Ubuntu 24.04. It took hours of trial and error to figure out what I had to change. I may still have some issues, but the 3 tricks were:

  1. remove -e SANDBOX_USER_ID=$(id -u) \

    If you leave it, your file uids and gids get messed up. Just run OpenHands as root in the docker container and let rootless docker sort it out.

  2. The socket line becomes -v /run/user/1000/docker.sock:/var/run/docker.sock \ with 1000 being my user id on the ubuntu host.

  3. The networking line becomes --add-host host.docker.internal:192.168.0.144 \ with 192.168.0.144 being the IP of the ubuntu host.

    This one was the trickiest and took the most time. rootless docker doesn't have host-gateway like Docker Desktop on a Mac.

  4. Oh... I also ran into a weird issue where chown -R operations under docker take a really long time on Ubuntu.

    Not sure what's up with that, but I made some changes to my MCP server to work around it. See "Recursive chown is really slow" (docker/for-linux#388) for more info. Just something to be aware of.

I wouldn't say it's "secure" by any stretch of the imagination, but I don't need it to be since my machine is behind a firewall on a secure network. Here's the final full command to start rootless docker with GPU support (which I still don't have 100% working yet):

# Rootless docker variant: no -e SANDBOX_USER_ID (the container runs as root and
# rootless docker's uid mapping handles file ownership), the daemon socket comes
# from /run/user/<uid> rather than /var/run/docker.sock, and host.docker.internal
# is pinned to the host's LAN IP because host-gateway is not available.
docker run -it --rm \
    -p 3001:3000 \
    -e WORKSPACE_MOUNT_PATH="$WORKSPACE_BASE" \
    -v "$WORKSPACE_BASE":/opt/workspace_base \
    -e AGENT_ENABLE_PROMPT_EXTENSIONS=false \
    -e LOG_ALL_EVENTS=true \
    -e LLM_NATIVE_TOOL_CALLING=true \
    -e LLM_DISABLE_STOP_WORD=true \
    -e LLM_REASONING_EFFORT=high \
    -v ~/.openhands:/.openhands \
    -v /run/user/1000/docker.sock:/var/run/docker.sock \
    --add-host host.docker.internal:192.168.0.144 \
    -e SANDBOX_RUNTIME_CONTAINER_IMAGE=docker.all-hands.dev/all-hands-ai/runtime:0.59-nikolaik \
    --name openhands-app \
    --gpus all \
    docker.all-hands.dev/all-hands-ai/openhands:0.59

In my frustration I did briefly try Podman. I think it could probably be made to work too, but you have to set more env vars because it doesn't seem to like Docker HTTP URLs for the runtime. See OpenHands/OpenHands#5325 (comment) for more info on Podman.

I stuck with rootless docker since I already had it 90% working at the time.
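The three changes above, as an added example written for this page (it is not the issue author's script and not part of the OpenHands project): a POSIX sh script that derives the rootless socket path from the current uid instead of hardcoding 1000, confirms the daemon behind that socket really is rootless, pins host.docker.internal to the host's LAN address instead of hardcoding 192.168.0.144, and refuses the host-gateway alias that the issue reports does not work in rootless mode. The image tags, ports and mounts are those from the command in the issue; the function names, the HOST_IP override, the default-route lookup via `ip route get`, and the `--run` flag are this script's own assumptions.

```shell
#!/bin/sh
# Added example for this page (not from the issue or the OpenHands project).
# Assumes Linux, a rootless dockerd started with `systemctl --user start docker`,
# and the image tags used in the issue. Function names, HOST_IP and --run are
# this script's own.
set -eu

# Rootless dockerd listens on $XDG_RUNTIME_DIR/docker.sock, which is
# /run/user/<uid>/docker.sock on Ubuntu (the issue mounts /run/user/1000/docker.sock).
rootless_socket_path() {
    printf '/run/user/%s/docker.sock\n' "${1:-$(id -u)}"
}

# Given the output of `docker info --format '{{.SecurityOptions}}'`, report
# whether the daemon is rootless. Takes the string as an argument so it can be
# checked without a running daemon.
is_rootless_info() {
    case "$1" in
        *name=rootless*) return 0 ;;
        *) return 1 ;;
    esac
}

# Dotted-quad IPv4 check for the --add-host value.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    _ifs=$IFS; IFS=.
    set -- $1
    IFS=$_ifs
    [ $# -eq 4 ] || return 1
    for _o in "$@"; do
        [ "$_o" -le 255 ] || return 1
    done
    return 0
}

# The issue's finding: rootless docker has no usable host-gateway alias, so
# host.docker.internal must be pinned to an address the host actually has.
add_host_flag() {
    case "$1" in
        host-gateway)
            echo "host-gateway does not work with rootless docker; pass the host's LAN IP" >&2
            return 1 ;;
    esac
    is_ipv4 "$1" || { echo "not an IPv4 address: $1" >&2; return 1; }
    printf '%s %s\n' --add-host "host.docker.internal:$1"
}

# Best-effort host LAN address: the source address of the default route.
# Override with HOST_IP=... on hosts with several interfaces.
host_lan_ip() {
    if [ -n "${HOST_IP:-}" ]; then
        printf '%s\n' "$HOST_IP"
    else
        ip -4 route get 1.1.1.1 2>/dev/null |
            awk '{ for (i = 1; i <= NF; i++) if ($i == "src") { print $(i + 1); exit } }'
    fi
}

main() {
    sock=$(rootless_socket_path)
    [ -S "$sock" ] || { echo "no socket at $sock; is rootless dockerd running (systemctl --user status docker)?" >&2; return 1; }
    opts=$(DOCKER_HOST="unix://$sock" docker info --format '{{.SecurityOptions}}')
    is_rootless_info "$opts" || { echo "daemon at $sock is not rootless: $opts" >&2; return 1; }
    host_ip=$(host_lan_ip)
    add_host=$(add_host_flag "$host_ip") || return 1
    : "${WORKSPACE_BASE:?set WORKSPACE_BASE to the directory OpenHands may edit}"
    # No -e SANDBOX_USER_ID: the container runs as root, and rootless docker maps
    # container root to the host user, so files in the workspace keep your uid.
    # $add_host is deliberately unquoted so it splits into flag and value.
    set -- docker run -it --rm --gpus all \
        -p 3001:3000 \
        -e "WORKSPACE_MOUNT_PATH=$WORKSPACE_BASE" \
        -v "$WORKSPACE_BASE:/opt/workspace_base" \
        -v "$HOME/.openhands:/.openhands" \
        -v "$sock:/var/run/docker.sock" \
        $add_host \
        -e SANDBOX_RUNTIME_CONTAINER_IMAGE=docker.all-hands.dev/all-hands-ai/runtime:0.59-nikolaik \
        --name openhands-app \
        docker.all-hands.dev/all-hands-ai/openhands:0.59
    printf 'starting: %s\n' "$*" >&2
    exec "$@"
}

case "${1:-}" in --run) main ;; esac
```

Run it as `sh rootless-openhands.sh --run` (the checks and the final command are printed to stderr first). Mounting the daemon socket into the app container still hands that container full control of the daemon; the difference under rootless docker is that this control is bounded by the unprivileged user's own permissions rather than root's.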

Labels: enhancement (New feature or request)