Collabnix Team The Collabnix Team is a diverse collective of Docker, Kubernetes, and IoT experts united by a passion for cloud-native technologies. With backgrounds spanning across DevOps, platform engineering, cloud architecture, and container orchestration, our contributors bring together decades of combined experience from various industries and technical domains.

Rootless Docker: Running Containers Securely Without Root Privileges


In the world of containerization, security is paramount. For years, one of Docker’s most significant attack vectors has been the requirement to run the Docker daemon as root. Enter Rootless Docker—a game-changing security feature that allows you to run both the Docker daemon and containers as a non-root user, dramatically reducing your attack surface.

Why Rootless Docker Matters

Traditional Docker deployments require root privileges to operate the daemon, and that requirement is itself a security risk. If an attacker compromises the Docker daemon or breaks out of a container, they can end up with root on the entire host. Rootless Docker removes root from the equation: the daemon and its containers run as an unprivileged user, so a daemon compromise or container escape yields only that user's privileges, not the host's.

Understanding Rootless Docker

Rootless mode fundamentally differs from other security approaches like userns-remap. While userns-remap allows containers to run as non-root users, the daemon itself still operates with root privileges. With Rootless Docker, neither the daemon nor the containers require root access, providing a much stronger security posture.

The Technology Behind It

Rootless Docker leverages several Linux kernel features to achieve secure, privilege-free operation:

  • User Namespaces: Maps container root users to unprivileged host users, creating isolation without actual root privileges
  • Minimal SETUID Usage: Avoids SETUID binaries except for newuidmap and newgidmap, which are essential for user namespace support
  • Zero Root Requirement: Installation and operation work entirely without root privileges once prerequisites are met

Getting Started: Prerequisites

Before diving into installation, ensure your system meets these requirements:

  1. UID/GID Mapping Tools: Install newuidmap and newgidmap (typically from the uidmap package)
  2. Subordinate ID Allocation: Configure /etc/subuid and /etc/subgid to allocate at least 65,536 subordinate UIDs/GIDs to your user
  3. Kernel Configuration: Enable unprivileged user namespaces if not already active

Installation Guide

Package-Based Installation

If you’ve installed Docker via RPM or DEB packages:

dockerd-rootless-setuptool.sh install

Run this as your regular user (non-root). The script handles setup and creates a user-level systemd service.

Manual Installation

If the setup tool isn’t available, install the docker-ce-rootless-extras package or use the official installation script:

curl -fsSL https://get.docker.com/rootless | sh

Post-Installation Configuration

After installation, configure your environment variables as instructed:

  • Set PATH to include the rootless Docker binaries
  • Configure DOCKER_HOST to point to your user’s Docker socket

Since Docker Engine v23.0, the CLI context is automatically set to rootless, simplifying the setup process.

Managing Your Rootless Docker Instance

Starting and Stopping

Rootless Docker integrates with systemd at the user level:

systemctl --user start docker
systemctl --user stop docker
systemctl --user restart docker

Enabling Automatic Startup

To ensure Docker starts automatically when your system boots:

sudo loginctl enable-linger <username>

This allows your user services to start without requiring you to log in.

Best Practices for Production Use

Docker-in-Docker Scenarios

When running Docker inside Docker containers, use the official rootless variant:

docker run docker:<version>-dind-rootless

Note that some features still require the --privileged flag, even in rootless mode.

Exposing the Docker API

To expose the API over TCP, set DOCKERD_ROOTLESS_ROOTLESSKIT_FLAGS so that the daemon's TCP listener is reachable from outside RootlessKit's network namespace, and configure TLS on the daemon itself:

export DOCKERD_ROOTLESS_ROOTLESSKIT_FLAGS="--net=host"

Always use TLS certificates, with client certificate verification, when exposing Docker over the network: an unauthenticated TCP socket gives anyone who can reach it full control of the daemon, and in rootless mode that still means full control of everything your user owns.

Binding to Privileged Ports

By default, non-root users can’t bind to ports below 1024. To enable this:

  • Set CAP_NET_BIND_SERVICE capability on the rootlesskit binary
  • Or adjust the kernel parameter net.ipv4.ip_unprivileged_port_start

Resource Management

For cgroup-based resource limits, you’ll need:

  • cgroup v2 enabled
  • systemd delegation configured

Otherwise, use traditional tools like ulimit or cpulimit as workarounds.
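The two preconditions above (cgroup v2 and systemd delegation) can be verified before you rely on resource limits, and the delegation itself is a one-line systemd drop-in. The script below is an added example, not code from the Collabnix post or from Docker; the drop-in contents and the controller list (cpu, cpuset, io, memory, pids) are the ones Docker's rootless documentation asks for, and every function takes its input path as a parameter so it can be run against constructed files as well as a live host.

```shell
#!/bin/sh
# Added example: check the cgroup preconditions for Rootless Docker resource
# limits and write the systemd delegation drop-in. Paths are parameters.

# cgroup v2: the unified hierarchy is mounted with filesystem type cgroup2fs.
# $1 = cgroup mount point (normally /sys/fs/cgroup)
cgroup_v2_mounted() {
    [ "$(stat -fc %T "$1" 2>/dev/null)" = "cgroup2fs" ]
}

# Delegation: the user's cgroup.controllers file must list every controller
# Docker needs. $1 = path to that file (normally
# /sys/fs/cgroup/user.slice/user-$(id -u).slice/user@$(id -u).service/cgroup.controllers)
# Returns 0 if all are present; otherwise names the missing ones and returns 1.
delegated_controllers_ok() {
    file=$1
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 1; }
    missing=""
    for c in cpu cpuset io memory pids; do
        # whole-word match so "cpu" does not match "cpuset"
        if ! tr ' ' '\n' < "$file" | grep -qx "$c"; then
            missing="$missing $c"
        fi
    done
    if [ -n "$missing" ]; then
        echo "controllers not delegated:$missing" >&2
        return 1
    fi
    return 0
}

# Write the drop-in that makes systemd delegate those controllers to user
# sessions. $1 = output path (normally
# /etc/systemd/system/user@.service.d/delegate.conf, written as root and
# followed by `systemctl daemon-reload`).
write_delegate_dropin() {
    mkdir -p "$(dirname "$1")"
    printf '[Service]\nDelegate=cpu cpuset io memory pids\n' > "$1"
}

# Combined check for the current user on a live host. A non-zero exit tells a
# CI job to fall back to ulimit/cpulimit instead of --memory/--cpus limits.
rootless_cgroup_ready() {
    cgroup_v2_mounted /sys/fs/cgroup &&
    delegated_controllers_ok "/sys/fs/cgroup/user.slice/user-$(id -u).slice/user@$(id -u).service/cgroup.controllers"
}
```

Run rootless_cgroup_ready as the rootless user after logging in through a real session; a new login is needed after the drop-in is written because delegation applies when the user@.service instance starts.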

Understanding the Limitations

While Rootless Docker is powerful, it does have some constraints:

Storage Drivers: Only overlay2, fuse-overlayfs, btrfs, and vfs are supported, with specific kernel version requirements for some.

Unsupported Features:

  • AppArmor integration
  • Checkpoint/restore functionality
  • Overlay networking
  • SCTP port exposure
  • NFS as the data root

Networking Considerations: Host network mode (--net=host) and container IP addresses are namespaced inside RootlessKit's network namespace, so they are not directly reachable from the host system; only ports you publish with -p are. This matters for service discovery and load balancing, which must target the published ports rather than container IPs.

Troubleshooting Common Issues

User Namespace Errors

If you encounter user namespace-related errors, verify:

  • /proc/sys/kernel/unprivileged_userns_clone is set to 1
  • Your /etc/subuid and /etc/subgid files are properly configured
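The prerequisites listed under "Getting Started" and the two checks above are the same things, so one script can serve both: confirm the mapping tools are installed, that /etc/subuid and /etc/subgid give the user at least 65,536 subordinate IDs (summed across multiple ranges, and accepting entries keyed by numeric UID as some distributions write them), and that unprivileged user namespaces are allowed. This is an added example, not code from the post or from Docker's setup tool; the file paths are parameters so the checks can run against constructed files.

```shell
#!/bin/sh
# Added example: verify the Rootless Docker prerequisites and the items the
# troubleshooting section says to check. All paths are parameters.

# newuidmap/newgidmap (from the uidmap package) must be on PATH.
idmap_tools_present() {
    command -v newuidmap >/dev/null 2>&1 && command -v newgidmap >/dev/null 2>&1
}

# Sum the ranges allocated to user $2 in a subuid/subgid-format file $1.
# Lines are name:start:count; a user may have several lines, and some
# distributions key the line by numeric uid, so $3 optionally passes the uid
# to accept as well. Prints the total (0 if the user has no entry).
subid_count() {
    file=$1; name=$2; uid=${3:-}
    awk -F: -v n="$name" -v u="$uid" '
        $1 == n || (u != "" && $1 == u) { total += $3 }
        END { print total + 0 }' "$file"
}

# The requirement from the post: at least 65,536 subordinate IDs.
subid_ok() {
    count=$(subid_count "$1" "$2" "${3:-}")
    [ "$count" -ge 65536 ]
}

# Debian-derived kernels expose kernel.unprivileged_userns_clone; kernels
# without that patch have no such file and allow unprivileged user namespaces
# by default, so a missing file counts as OK. $1 overrides the path.
userns_clone_ok() {
    f=${1:-/proc/sys/kernel/unprivileged_userns_clone}
    [ ! -e "$f" ] || [ "$(cat "$f")" = "1" ]
}

# Run the live checks for the current user and report each failure.
check_rootless_prereqs() {
    me=$(id -un); myuid=$(id -u); rc=0
    idmap_tools_present || { echo "FAIL: newuidmap/newgidmap not found (install the uidmap package)"; rc=1; }
    subid_ok /etc/subuid "$me" "$myuid" || { echo "FAIL: fewer than 65536 subordinate UIDs for $me in /etc/subuid"; rc=1; }
    subid_ok /etc/subgid "$me" "$myuid" || { echo "FAIL: fewer than 65536 subordinate GIDs for $me in /etc/subgid"; rc=1; }
    userns_clone_ok || { echo "FAIL: kernel.unprivileged_userns_clone is 0"; rc=1; }
    return $rc
}
```

Run check_rootless_prereqs as the user who will own the daemon, before dockerd-rootless-setuptool.sh install; the setup tool performs similar checks itself, but running them separately makes the failing item obvious when the daemon later refuses to start with a user namespace error.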

AppArmor on Ubuntu 24.04+

Recent Ubuntu versions may require manual AppArmor profile installation when using the installation script.

Daemon Startup Problems

Ensure you've enabled lingering, and avoid switching to the rootless user with sudo or su: that leaves you without a systemd user session, so systemctl --user cannot reach the user's service manager. Log in as that user directly instead.

Working with Rootless Docker Images

The official Docker Hub provides rootless-compatible image variants:

  • docker:<version>-rootless: Standard rootless variant
  • docker:<version>-dind-rootless: Docker-in-Docker rootless variant

You can customize the UID/GID in these images by modifying /etc/passwd and /etc/group to match your security requirements.
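Changing the UID/GID means editing the user's line in /etc/passwd and the group's line in /etc/group consistently, and refusing IDs another account already holds. The script below is an added example, not code from the post or from the official image's own scripts; it operates on copies of the two files, and the account name "rootless" and the IDs used in the usage call are assumptions rather than values taken from the post.

```shell
#!/bin/sh
# Added example: rewrite the passwd/group entries of an image's unprivileged
# user so containers run under a chosen UID/GID. Works on copies of the files.

# Print the current uid of user $2 in passwd-format file $1 (empty if absent).
passwd_uid() {
    awk -F: -v n="$2" '$1 == n { print $3 }' "$1"
}

# Report whether numeric id $3 in field $2 of file $1 is already used by an
# entry other than $4 (field 3 is the uid in passwd and the gid in group).
id_in_use() {
    awk -F: -v f="$2" -v id="$3" -v n="$4" \
        '$f == id && $1 != n { found = 1 } END { exit !found }' "$1"
}

# Rewrite uid (field 3) and gid (field 4) of user $3 in passwd file $1, and
# gid (field 3) of group $3 in group file $2, to $4 and $5. Returns 1 without
# touching either file if the user is missing or an id collides.
remap_image_user() {
    pw=$1; gr=$2; name=$3; uid=$4; gid=$5
    [ -n "$(passwd_uid "$pw" "$name")" ] || { echo "no user $name in $pw" >&2; return 1; }
    if id_in_use "$pw" 3 "$uid" "$name"; then echo "uid $uid already in use" >&2; return 1; fi
    if id_in_use "$gr" 3 "$gid" "$name"; then echo "gid $gid already in use" >&2; return 1; fi
    awk -F: -v OFS=: -v n="$name" -v u="$uid" -v g="$gid" \
        '$1 == n { $3 = u; $4 = g } { print }' "$pw" > "$pw.tmp" && mv "$pw.tmp" "$pw"
    awk -F: -v OFS=: -v n="$name" -v g="$gid" \
        '$1 == n { $3 = g } { print }' "$gr" > "$gr.tmp" && mv "$gr.tmp" "$gr"
}

# Example usage (assumed values): inside a Dockerfile RUN step executed as
# root before the image switches to its unprivileged user.
#   remap_image_user /etc/passwd /etc/group rootless 1234 1234
```

Run it in a RUN step while the build is still root, then chown the user's home directory and the Docker data root to the new IDs; /etc/subuid and /etc/subgid entries are keyed by user name, so they need no change when only the numeric IDs move.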

Conclusion: Security Without Compromise

Rootless Docker represents a significant leap forward in container security. By eliminating root privileges from both the daemon and containers, you dramatically reduce the potential impact of security breaches and privilege escalation attacks.

While there are some limitations to be aware of, for most use cases, the security benefits far outweigh the constraints. Whether you’re running containers in development, CI/CD pipelines, or production environments, Rootless Docker provides a more secure foundation for your containerized applications.

Ready to get started? Install Rootless Docker today and take your container security to the next level. Your future self—and your security team—will thank you.
