Rootless Docker

Rootless Docker allows running the Docker daemon and containers without root privileges, significantly reducing the impact of container escapes. This guide covers installation, security benefits, limitations, and when to use rootless mode.

What is Rootless Docker?

Rootless Docker is a mode that allows the Docker daemon and containers to run without root privileges on the host system. In traditional Docker, the daemon runs as root, creating a potential security risk—if a container escapes, the attacker gains root access on the host. Rootless Docker runs the daemon and containers in a user namespace, mapping container root (UID 0) to an unprivileged user on the host.

This significantly reduces the impact of a container escape. Even if an attacker breaks out of a container, they only gain the privileges of the user running Docker, not root. Rootless mode is a major security improvement, especially for multi-tenant environments or untrusted workloads.

Rootless Docker is available in Docker Engine 19.03 and later. It's still experimental in some features but production-ready for many workloads.
How Rootless Docker Works: User Namespaces

Rootless Docker leverages Linux user namespaces, a kernel feature that allows a non-root user to act as root inside a namespace while remaining unprivileged outside. The Docker daemon runs as your user, and containers run inside a user namespace where UID 0 (root) is mapped to your unprivileged host UID.

Additionally, Rootless Docker uses several other technologies: slirp4netns for network connectivity, fuse-overlayfs for storage (or native overlayfs with kernel support), and cgroup v2 for resource limits (optional).

# Check if user namespaces are supported
cat /proc/sys/user/max_user_namespaces
# Check kernel version (needs 4.18+ for full support)
uname -r
# Verify rootless mode is active
docker info | grep -i rootless
# Check mapping of container root to host user (read from inside a container;
# on the host itself /proc/self/uid_map only shows the identity mapping)
docker run --rm alpine cat /proc/self/uid_map
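As an added example (not code from the original page), the checks above wrapped in small POSIX shell functions. Each check takes its input as an argument, so it can be exercised against constructed values, and run_live_checks feeds it the real values from the current host. The 4.18 kernel threshold and the three-column uid_map layout are as the page describes; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original page: pre-flight checks for rootless Docker.
# Each check takes its input as an argument so it can be exercised against
# constructed values; run_live_checks feeds it the real values from this host.

# userns_enabled VALUE
# VALUE is the content of /proc/sys/user/max_user_namespaces; 0 (or a missing
# file) means unprivileged user namespaces are disabled and rootless cannot start.
userns_enabled() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;   # empty or non-numeric: treat as unsupported
    esac
    [ "$1" -gt 0 ]
}

# kernel_at_least_4_18 RELEASE
# RELEASE is the output of `uname -r`, e.g. "5.15.0-91-generic".
kernel_at_least_4_18() {
    case "$1" in [0-9]*) ;; *) return 1 ;; esac
    major=${1%%.*}               # text before the first dot
    rest=${1#*.}                 # text after the first dot
    minor=${rest%%.*}            # second component ...
    minor=${minor%%[!0-9]*}      # ... with any "-generic" style suffix removed
    [ "$major" -gt 4 ] || { [ "$major" -eq 4 ] && [ "$minor" -ge 18 ]; }
}

# uid_map_is_unprivileged MAP
# MAP is the content of /proc/self/uid_map read inside a container
# (docker run --rm alpine cat /proc/self/uid_map). Each line is
# "<first UID inside> <first UID on host> <count>". Rootless mode maps inside
# UID 0 to a non-zero host UID; an identity line "0 0 ..." means real root.
uid_map_is_unprivileged() {
    while read -r inside outside count; do
        [ -z "$inside" ] && continue
        if [ "$inside" -eq 0 ] && [ "$outside" -eq 0 ]; then
            return 1
        fi
    done <<EOF
$1
EOF
    return 0
}

# run_live_checks: apply the checks to this host and report in plain text.
run_live_checks() {
    if userns_enabled "$(cat /proc/sys/user/max_user_namespaces 2>/dev/null)"; then
        echo "user namespaces: enabled"
    else
        echo "user namespaces: disabled (sudo sysctl -w user.max_user_namespaces=10000)"
    fi
    if kernel_at_least_4_18 "$(uname -r)"; then
        echo "kernel $(uname -r): ok"
    else
        echo "kernel $(uname -r): older than 4.18, rootless support will be incomplete"
    fi
    if command -v docker >/dev/null 2>&1; then
        if docker info 2>/dev/null | grep -qi rootless; then
            echo "docker info: rootless mode active"
            # Pull-free only if alpine is already present; failure is reported, not masked.
            if map=$(docker run --rm alpine cat /proc/self/uid_map 2>/dev/null); then
                if uid_map_is_unprivileged "$map"; then
                    echo "container root (UID 0) maps to an unprivileged host UID"
                else
                    echo "container root (UID 0) maps to host UID 0"
                fi
            fi
        else
            echo "docker info: rootless mode not reported (rootful daemon or no daemon reachable)"
        fi
    fi
}

run_live_checks
```

The uid_map check is the one that actually proves the security property: a rootful daemon without userns-remap shows `0 0 4294967295` inside the container, while a rootless daemon shows a first line such as `0 1000 1` (constructed sample values), i.e. container root is your own host UID.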
Installing Rootless Docker

Installing Rootless Docker is straightforward. You don't need to uninstall regular Docker—rootless can run alongside it.

# Install rootless Docker (Ubuntu/Debian)
curl -fsSL https://get.docker.com/rootless | sh
# Or manually install
curl -fsSL https://get.docker.com -o get-docker.sh
sh get-docker.sh --dry-run
sh get-docker.sh --disable-rootless=false
# Add to PATH in your shell config (~/.bashrc)
export PATH=/home/$USER/bin:$PATH
export DOCKER_HOST=unix:///run/user/$UID/docker.sock
# Start rootless Docker service
systemctl --user start docker
systemctl --user enable docker
# Verify installation
docker info
# Check that rootless mode is active
docker info | grep -i "rootless"
# Stop rootless Docker
systemctl --user stop docker
After installation, Docker commands work the same way, but the daemon runs without root privileges. Use docker info to confirm "Rootless: true".
Rootless vs Rootful Docker: Feature Comparison
Feature                   | Rootful Docker          | Rootless Docker
--------------------------|-------------------------|-------------------------------
Daemon privileges         | Runs as root            | Runs as unprivileged user
Container escape impact   | Root access on host     | Unprivileged user access
Cgroup support            | Full (cgroup v1 and v2) | Limited (cgroup v2 only)
Network performance       | Native                  | slirp4netns (overhead)
Overlay networks (Swarm)  | Supported               | Not supported
AppArmor/SELinux          | Full support            | Limited
--privileged flag         | Works                   | Not supported (security risk)
Host network (--net=host) | Works                   | Not supported
Security Benefits of Rootless Docker
  • Reduced attack surface - The Docker daemon doesn't run as root, limiting damage from vulnerabilities.
  • Container escape mitigation - Even if a container escapes, the attacker only gets your user privileges, not root.
  • No privileged containers - The --privileged flag is disabled, preventing containers from gaining host root.
  • Better multi-tenant isolation - Different users can run their own Docker daemons without interfering.
  • No sudo required - No need to add users to the docker group (which is equivalent to root access).
In a rootful Docker setup, any user in the docker group effectively has root access. Rootless Docker eliminates this risk entirely.
Limitations of Rootless Docker
  • No Swarm mode - Overlay networks and Docker Swarm are not supported in rootless mode.
  • No host network mode - `--network host` doesn't work because the container can't access the host's network stack.
  • No privileged containers - `--privileged` flag is not supported (security feature).
  • Cgroup v2 required - For resource limits (CPU, memory), you need cgroup v2 enabled on the host.
  • Performance overhead - Network has overhead due to slirp4netns (though usually acceptable).
  • No AppArmor/SELinux profiles - These LSM features don't work in rootless mode.
  • Storage driver limitations - Overlayfs requires extra configuration; fuse-overlayfs works but has overhead.
  • No checkpoint/restore - CRIU doesn't work in rootless mode.
Rootless Docker is not a drop-in replacement for all workloads. Test your specific use cases before deploying in production.
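As an added example (not from the original page), a pre-flight filter for `docker run` argument lists on a rootless host. It rejects the options the limitations list marks as unsupported (`--privileged`, `--network host` / `--net=host`) before the daemon sees them, so a CI job or wrapper script fails with a clear message instead of an opaque daemon error. The function names and the wrapper are my own.

```shell
#!/bin/sh
# Added example, not from the original page: reject docker run options that
# rootless mode cannot honour, before invoking the daemon.

# rootless_incompatible_flags ARGS...
# Prints one line per unsupported option found. Returns 0 when the argument
# list is clean and 1 when at least one unsupported option is present.
rootless_incompatible_flags() {
    found=0
    expect_network=0
    for arg in "$@"; do
        # Previous argument was a bare --network/--net: this one is its value.
        if [ "$expect_network" -eq 1 ]; then
            expect_network=0
            if [ "$arg" = host ]; then
                echo "--network host: host network mode is not supported in rootless mode"
                found=1
            fi
            continue
        fi
        case "$arg" in
            --privileged|--privileged=true)
                echo "$arg: privileged containers are not supported in rootless mode"
                found=1 ;;
            --network=host|--net=host)
                echo "$arg: host network mode is not supported in rootless mode"
                found=1 ;;
            --network|--net)
                expect_network=1 ;;   # value comes in the next argument
        esac
    done
    return "$found"
}

# rootless_docker_run ARGS...
# Run `docker run` only when the pre-flight passes; otherwise print the
# findings and return 1 without touching the daemon.
rootless_docker_run() {
    rootless_incompatible_flags "$@" || return 1
    docker run "$@"
}
```

The filter scans the whole argument list, so a command argument placed after the image name that happens to be spelled `--privileged` would also be flagged; treat it as a guard rail for scripted invocations, not as a security boundary. The rootless daemon itself still refuses these options.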
Enabling Cgroup v2 for Resource Limits

For resource limits (memory, CPU, pids) to work in rootless Docker, your host must use cgroup v2. Most modern Linux distributions now use cgroup v2 by default (Ubuntu 22.04+, Fedora 31+, Debian 11+).

# Check cgroup version
mount | grep cgroup2
# If output shows cgroup2, you're on v2
# Or check
stat -fc %T /sys/fs/cgroup/
# "cgroup2fs" means v2, "tmpfs" means v1
# Enable cgroup v2 (Ubuntu - requires reboot)
# Edit kernel command line in /etc/default/grub
GRUB_CMDLINE_LINUX_DEFAULT="systemd.unified_cgroup_hierarchy=1"
# Update grub
sudo update-grub
sudo reboot
# For rootless Docker, enable delegation
sudo mkdir -p /etc/systemd/system/user@.service.d
cat <
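As an added example (not from the original page), a shell check that tells you whether the two preconditions above actually hold on this host: cgroup v2 mounted at /sys/fs/cgroup, and the cpu, memory and pids controllers delegated to your user's systemd service cgroup. The parsing functions take their input as arguments so they can be tested offline; the choice of cpu, memory and pids as the minimum set (they back the --cpus, --memory and --pids-limit options) and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original page: verify cgroup v2 and controller
# delegation for rootless Docker resource limits.

# cgroup_is_v2 FSTYPE
# FSTYPE is the output of `stat -fc %T /sys/fs/cgroup/`: "cgroup2fs" is v2.
cgroup_is_v2() {
    [ "$1" = cgroup2fs ]
}

# missing_controllers "<contents of cgroup.controllers>"
# Prints each required controller (cpu, memory, pids) that is not listed;
# returns 1 if any is missing, 0 if all are delegated.
missing_controllers() {
    missing=0
    for want in cpu memory pids; do
        present=0
        for have in $1; do          # word-split the space-separated list on purpose
            [ "$have" = "$want" ] && present=1
        done
        if [ "$present" -eq 0 ]; then
            echo "$want"
            missing=1
        fi
    done
    return "$missing"
}

# check_live_delegation: apply both checks to the current user's session cgroup.
check_live_delegation() {
    fstype=$(stat -fc %T /sys/fs/cgroup/ 2>/dev/null)
    if ! cgroup_is_v2 "$fstype"; then
        echo "cgroup v2 not mounted at /sys/fs/cgroup (got '${fstype:-none}'); limits will not be enforced"
        return 1
    fi
    # systemd places each user's service cgroup here; its cgroup.controllers file
    # lists what Delegate= in user@.service handed down.
    ctrl_file="/sys/fs/cgroup/user.slice/user-$(id -u).slice/user@$(id -u).service/cgroup.controllers"
    if [ ! -r "$ctrl_file" ]; then
        echo "no user service cgroup at $ctrl_file; is a systemd user session running?"
        return 1
    fi
    if ! missing_controllers "$(cat "$ctrl_file")"; then
        echo "the controllers listed above are not delegated; add them to Delegate= in a user@.service drop-in"
        return 1
    fi
    echo "cgroup v2 with cpu, memory and pids delegated: resource limits will be enforced"
}

# Run the live check when executed directly on a Linux host.
[ "$(uname -s 2>/dev/null)" = Linux ] && check_live_delegation
```

Run the script as the user that owns the rootless daemon, not via sudo, because the path it inspects is derived from `id -u`.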
Setting Resource Limits in Rootless Mode

With cgroup v2 enabled, resource limits work the same way as in rootful Docker:

# Run container with memory limit
docker run --memory=512m --memory-swap=1g nginx
# Run with CPU limit
docker run --cpus=0.5 nginx
# Run with PIDs limit
docker run --pids-limit=100 nginx
# Check that limits are applied
docker stats
# Note: Without cgroup v2, these commands will work but limits won't be enforced
Networking in Rootless Mode

Rootless Docker uses slirp4netns to provide network connectivity. This creates a user-mode network stack that forwards traffic to the host. The performance is lower than native networking but sufficient for most workloads.

# Check slirp4netns version
slirp4netns --version
# Port forwarding works as usual
docker run -d -p 8080:80 nginx
# Inter-container communication works on user-defined bridges
docker network create mynet
docker run -d --network mynet --name app1 nginx
docker run --rm --network mynet alpine ping -c 3 app1
# Note: --network host is NOT supported
docker run --network host nginx  # This will fail
When to Use Rootless Docker
  • Multi-tenant environments - Different users can run Docker independently without root access.
  • Shared development servers - Developers can run Docker without needing sudo or docker group membership.
  • CI/CD runners - Reduce security risk from untrusted code running in pipelines.
  • Education and training - Students can learn Docker without root access.
  • High-security environments - Where container escape is a major concern.
  • Personal workstations - Safer default for everyday Docker usage.
For most development and CI/CD use cases, rootless Docker is a great choice. For production Swarm clusters or workloads requiring host networking, use rootful Docker with proper security measures.
Troubleshooting Rootless Docker
# Check if rootless mode is active
docker info | grep Rootless
# View rootless daemon logs
journalctl --user -u docker
# Check user namespace support
cat /proc/sys/user/max_user_namespaces
# If 0, enable with:
sudo sysctl -w user.max_user_namespaces=10000
# Check cgroup support (cgroup v2 path: prints the limit in bytes, or "max" if no limit was applied)
docker run --rm --memory=256m alpine cat /sys/fs/cgroup/memory.max
# Reset rootless Docker
systemctl --user stop docker
rm -rf ~/.local/share/docker
systemctl --user start docker
# Check slirp4netns
which slirp4netns
sudo apt install slirp4netns  # if missing
Frequently Asked Questions
Is Rootless Docker production-ready?
For many workloads, yes. However, limitations like no Swarm mode and no host networking mean it's not suitable for all production scenarios. Test thoroughly before deploying.
Can I run both rootful and rootless Docker on the same machine?
Yes! They use different socket paths and storage locations. Rootful uses /var/run/docker.sock, rootless uses /run/user/$UID/docker.sock. You can switch by setting DOCKER_HOST.
Does Rootless Docker work on macOS/Windows?
No. Rootless Docker is a Linux-only feature. Docker Desktop for macOS/Windows already runs in a VM with different security boundaries.
What's the performance impact of rootless mode?
Network has some overhead (slirp4netns), typically 5-15%. Storage may have overhead if using fuse-overlayfs. For CPU/memory intensive workloads, the difference is minimal.
Can I use Docker Compose with rootless Docker?
Yes, Docker Compose works normally. It automatically detects the rootless Docker socket. Some features like Swarm mode in Compose will not work.
Do I need to add my user to the docker group for rootless?
No! Rootless Docker doesn't require the docker group. This is a security benefit—users can run Docker without any special privileges.
Why does my container have slow network in rootless mode?
Rootless uses slirp4netns for networking, which has higher latency than native networking. For better performance, make sure you have the latest slirp4netns version. Host networking would avoid this overhead, but it is not supported in rootless mode, so a workload that truly requires it has to run on rootful Docker.
Should I use rootless Docker for production?
For single-node production applications that don't need Swarm mode or host networking, yes. For multi-node orchestration, use Kubernetes or rootful Docker Swarm with proper security hardening.

Rootless Docker significantly improves container security by eliminating root privileges. While it has limitations, it's an excellent choice for development, CI/CD, and many production workloads.