Rootless containerd
Rootless containerd allows running the container runtime and containers without root privileges on the host. This significantly improves security by reducing the attack surface and impact of container escapes.
Rootless containerd is a mode that allows the containerd daemon and containers to run without root privileges on the host system. In traditional containerd, the daemon runs as root, creating a potential security risk—if a container escapes, the attacker gains root access on the host. Rootless containerd runs the daemon and containers in a user namespace, mapping container root (UID 0) to an unprivileged user on the host.
This significantly reduces the impact of a container escape. Even if an attacker breaks out of a container, they only gain the privileges of the user running containerd, not root. Rootless mode is a major security improvement, especially for multi-tenant environments or untrusted workloads.
Rootless containerd leverages Linux user namespaces, a kernel feature that allows a non-root user to act as root inside a namespace while remaining unprivileged outside. The containerd daemon runs as your user, and containers run inside a user namespace where UID 0 (root) is mapped to your unprivileged host UID.
Additionally, Rootless containerd uses several other technologies: slirp4netns for network connectivity, fuse-overlayfs for storage (or native overlayfs with kernel support), and cgroup v2 for resource limits (optional).
# Check if user namespaces are supported
cat /proc/sys/user/max_user_namespaces
# Check kernel version (needs 4.18+ for full support)
uname -r
# Verify rootless mode is active
containerd --version
containerd config dump | grep -i rootless
# Check mapping of container root to host user
cat /proc/self/uid_map
Installing Rootless containerd is straightforward. You don't need to uninstall regular containerd—rootless can run alongside it.
# Install rootless containerd (Ubuntu/Debian)
curl -fsSL https://get.docker.com/rootless | sh
# Or manually install
curl -fsSL https://get.docker.com -o get-docker.sh
sh get-docker.sh --dry-run
sh get-docker.sh --disable-rootless=false
# Add to PATH in your shell config (~/.bashrc)
export PATH=/home/$USER/bin:$PATH
export CONTAINERD_NAMESPACE=default
# Start rootless containerd service
systemctl --user start containerd
systemctl --user enable containerd
# Verify installation
containerd --version
containerd config dump | grep -i rootless
Security
Cgroup Support
Networking
Kubernetes Integration
Storage
Use Case
For resource limits (memory, CPU, pids) to work in rootless containerd, your host must use cgroup v2. Most modern Linux distributions now use cgroup v2 by default (Ubuntu 22.04+, Fedora 31+, Debian 11+).
# Check cgroup version
mount | grep cgroup2
# If output shows cgroup2, you're on v2
# Or check
stat -fc %T /sys/fs/cgroup/
# "cgroup2fs" means v2, "tmpfs" means v1
# Enable cgroup v2 (Ubuntu - requires reboot)
# Edit kernel command line in /etc/default/grub
GRUB_CMDLINE_LINUX_DEFAULT="systemd.unified_cgroup_hierarchy=1"
# Update grub
sudo update-grub
sudo reboot
# For rootless containerd, enable delegation
sudo mkdir -p /etc/systemd/system/user@.service.d
cat <
- No host network mode - `--network host` doesn't work because the container can't access the host's network stack.
- No privileged containers - `--privileged` flag is not supported (security feature).
- Cgroup v2 required - For resource limits (CPU, memory), you need cgroup v2 enabled on the host.
- Performance overhead - Network has overhead due to slirp4netns (though usually acceptable).
- No AppArmor/SELinux profiles - These LSM features don't work in rootless mode.
- Storage driver limitations - Overlayfs requires extra configuration; fuse-overlayfs works but has overhead.
- No Kubernetes support for overlay networks - Swarm and overlay networks are not supported.
- Multi-tenant environments - Different users can run containerd independently without root access.
- Shared development servers - Developers can run containers without needing sudo or root access.
- CI/CD runners - Reduce security risk from untrusted code running in pipelines.
- Education and training - Students can learn containers without root access.
- High-security environments - Where container escape is a major concern.
- Personal workstations - Safer default for everyday container usage.
# Check if rootless mode is active
containerd config dump | grep -i rootless
# View rootless daemon logs
journalctl --user -u containerd -f
# Check user namespace support
cat /proc/sys/user/max_user_namespaces
# If 0, enable with: sudo sysctl -w user.max_user_namespaces=10000
# Check cgroup support
cat /sys/fs/cgroup/memory/memory.limit_in_bytes
# Reset rootless containerd
systemctl --user stop containerd
rm -rf ~/.local/share/containerd
systemctl --user start containerd
# Check slirp4netns
which slirp4netns
sudo apt install slirp4netns # if missing
Rootless containerd significantly improves container security by eliminating root privileges. While it has limitations, it's an excellent choice for development, CI/CD, and many production workloads.