How to Run Rootless Docker Containers
Ever found yourself in a situation where you want to use Docker but don’t have root access? Or perhaps you wish to provide Docker access to your team or clients but aren’t comfortable giving them root privileges.
The solution to this problem is rootless Docker containers. Read on to learn what it’s all about and how to set it up for yourself.

What Is Rootless Docker?
In a standard installation the Docker daemon runs as root on the host, and the root user inside a container is, by default, the same UID 0 as the host's root. Anything that breaks out of the container (a kernel bug, a mounted host path, a misconfigured capability) therefore lands as root on the host, and anyone who can talk to the daemon's socket is effectively root as well. Rootless Docker changes this: both the daemon and the containers run inside a user namespace owned by an ordinary, unprivileged Linux user. A compromised container in rootless mode can at most gain the privileges of that user on the host, not root.
The open source Podman project shipped containers without root access first. Docker added a comparable rootless mode (experimental in Docker 19.03, generally available in 20.10), so the rootless installation is now available directly from Docker without switching to Podman.
How Rootless Docker Works
The daemon normally needs root for operations such as mounting image layers, creating network interfaces, and manipulating cgroups. Rootless mode works around this with user namespaces.
A user namespace maps a range of user IDs so that UID 0 inside the namespace corresponds to an unprivileged UID (or range of UIDs) in the parent namespace. The ranges an unprivileged user may hand out are listed in /etc/subuid and /etc/subgid, and the setuid helpers newuidmap and newgidmap from the uidmap package install the mapping. User namespaces have existed in Linux for years, and Docker has long been able to use them for containers alone (the userns-remap option), with the daemon itself still running as root.
Rootless mode goes a step further: the rootlesskit helper first creates a user namespace and then starts dockerd inside it, so the daemon and its containers share a user namespace that is distinct from the host's. Because the unprivileged user cannot create veth pairs or bind host interfaces, container networking goes through a user-mode network stack (slirp4netns or VPNKit), which is the origin of several of the limitations listed later in this article.
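To make the UID translation concrete, here is a small added example (not code from the original article or from Docker) that applies the same mapping rootlesskit installs: container UID 0 maps to the user's own host UID, and container UIDs 1 through COUNT map to the subordinate range START through START+COUNT-1 taken from /etc/subuid. The users, their UIDs and the /etc/subuid contents in the block are constructed for the demonstration; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original article): how rootless Docker's user
# namespace translates UIDs inside a container to UIDs on the host.
# rootlesskit sets up the mapping from /etc/subuid: container UID 0 maps to
# the user's own host UID, and container UIDs 1..COUNT map to the
# subordinate range START..START+COUNT-1. The users, their UIDs and the
# /etc/subuid contents below are constructed for the demonstration.

SUBUID_SAMPLE='alice:100000:65536
bob:165536:65536
carol:231072:1000'

# subuid_range USER -> prints "START COUNT" for USER's /etc/subuid entry,
# or returns 1 when USER has no entry.
subuid_range() {
  printf '%s\n' "$SUBUID_SAMPLE" |
    awk -F: -v u="$1" '$1 == u { print $2, $3; found = 1 } END { exit !found }'
}

# map_uid USER HOST_UID CONTAINER_UID -> the host UID that CONTAINER_UID
# inside USER's rootless daemon really is. HOST_UID is USER's own UID
# (what `id -u` prints for that user).
map_uid() {
  user=$1; host_uid=$2; cuid=$3
  if [ "$cuid" -eq 0 ]; then
    # "root" inside the namespace is just the unprivileged user on the host
    printf '%s\n' "$host_uid"
    return 0
  fi
  range=$(subuid_range "$user") || {
    echo "no /etc/subuid entry for $user" >&2; return 1; }
  start=${range% *}; count=${range#* }
  if [ "$cuid" -gt "$count" ]; then
    echo "container uid $cuid is outside the $count subordinate ids of $user" >&2
    return 1
  fi
  printf '%s\n' $((start + cuid - 1))
}

# check_subuid_count USER -> 0 when USER has the 65,536 subordinate UIDs
# that rootless Docker requires, 1 otherwise.
check_subuid_count() {
  range=$(subuid_range "$1") || return 1
  count=${range#* }
  [ "$count" -ge 65536 ]
}

# Demonstration: "root" (uid 0) in alice's container is alice (uid 1000) on
# the host; a file owned by uid 1 in her container is owned by uid 100000.
map_uid alice 1000 0
map_uid alice 1000 1
check_subuid_count carol || echo "carol's range is too small for rootless Docker"
```

The practical point: a file written as "root" inside a rootless container shows up on the host owned by the unprivileged user, and a file written as any other container UID shows up owned by a subordinate UID that no other account on the host uses. On a real system, replace SUBUID_SAMPLE with the contents of /etc/subuid and HOST_UID with the output of id -u.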
Prerequisites
- A Linux server. Root access is needed only to install the uidmap package and, if necessary, to add subordinate ID ranges; everything else runs as the unprivileged user that will own the daemon.
- The uidmap package, which provides the newuidmap and newgidmap helpers used to remap Linux users.
- An entry for that user in /etc/subuid and /etc/subgid granting at least 65,536 subordinate IDs. Most distributions add one when the account is created; check with grep before you start.
Configuring the System With uidmap Before Docker Installation
Install uidmap with the following command (as root or via sudo; on RHEL-family systems the same helpers ship in the shadow-utils package).
sudo apt-get install -y uidmap
How to Install Rootless Docker
Now that the system is ready, we can proceed with installing rootless Docker. It’s easy using the steps outlined below.
Step 1:
First, logged in as the unprivileged user who will own the daemon (not as root; the installer refuses to run as UID 0), download and run the rootless Docker installation script from Docker's website. If a system-wide Docker daemon is already running and its socket is reachable by this user, the installer stops and asks you to confirm that you really want both.
curl -fsSL https://get.docker.com/rootless | sh
Step 2:
Once the installation completes, open the .bashrc file with your favorite text editor, as shown below.
vi ~/.bashrc
Step 3:
Add the following two environment variables to the file. The installer prints the exact lines for your account at the end of its run; they look like this.
export PATH=/home/$user/bin:$PATH
export DOCKER_HOST=unix:///run/user/$id/docker.sock
Replace $user with the Linux user you installed Docker for and $id with that user's numeric UID. The DOCKER_HOST line is what makes the docker client talk to your own daemon's socket instead of the system-wide /var/run/docker.sock. If you don't know the UID, retrieve it as that user with the following command.
id -u
Step 4:
Save the changes you made to the file by pressing the Esc key to enter Command mode, and then type :wq to write and quit the file.
Step 5:
Start the rootless Docker daemon as that user with the following command. It runs as a systemd user unit, which is why the option is --user (the literal word, not a placeholder). To have the daemon start at boot and keep running after you log out, also enable the unit and enable lingering for the user with loginctl.
systemctl --user start docker
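The five steps above, wrapped into one idempotent setup script as an added example (not code from the original article or from Docker). It refuses to run as root, checks the prerequisites the article assumes before downloading anything, appends the two environment lines to the RC file only if they are not already there, and enables the daemon both now and at boot. The install URL is the one used above; the function names and the choice of $HOME/.bashrc as RC file are this example's own, and the add_env_line helper is reusable for any "add this export once" task.

```shell
#!/bin/sh
# Added example, not part of the original article: the install steps above
# wrapped in one idempotent script, plus the prerequisite checks the article
# assumes. Run it as the unprivileged user, not as root:
#   sh rootless-setup.sh install
# The function names and the RC file location ($HOME/.bashrc) are this
# example's own choices.

RC_FILE="${RC_FILE:-$HOME/.bashrc}"

# add_env_line FILE LINE: append LINE to FILE only if an identical line is
# not already present, so re-running the script never duplicates exports.
add_env_line() {
  file=$1; line=$2
  touch "$file"
  grep -qxF -- "$line" "$file" || printf '%s\n' "$line" >> "$file"
}

# env_lines: the two exports from Step 3, generated from the current user
# instead of hand-edited placeholders.
env_lines() {
  printf '%s\n' "export PATH=$HOME/bin:\$PATH"
  printf '%s\n' "export DOCKER_HOST=unix:///run/user/$(id -u)/docker.sock"
}

# preflight: refuse to run as root and verify the pieces the rootless
# daemon needs (uidmap helpers, subordinate ID entries) before downloading.
preflight() {
  if [ "$(id -u)" -eq 0 ]; then
    echo "run this as the user who will own the daemon, not as root" >&2
    return 1
  fi
  for bin in newuidmap newgidmap; do
    command -v "$bin" >/dev/null 2>&1 ||
      { echo "$bin missing: install the uidmap package" >&2; return 1; }
  done
  for f in /etc/subuid /etc/subgid; do
    grep -q "^$(id -un):" "$f" 2>/dev/null ||
      { echo "no entry for $(id -un) in $f" >&2; return 1; }
  done
}

# install_rootless: Steps 1 to 5 in order, then enable the unit at boot and
# keep the user's systemd instance alive after logout (lingering).
install_rootless() {
  preflight || return 1
  curl -fsSL https://get.docker.com/rootless | sh
  env_lines | while IFS= read -r l; do add_env_line "$RC_FILE" "$l"; done
  systemctl --user enable --now docker
  # enabling linger for a user normally needs root, hence sudo
  sudo loginctl enable-linger "$(id -un)"
  echo "done; open a new shell or run: . $RC_FILE"
}

case "${1:-}" in
  install) install_rootless ;;
esac
```

Lingering matters more than it looks: without it, systemd tears down the user's session (and with it the rootless daemon and every container) when the last login for that user ends.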
How to Configure Rootless Docker
Here are some good practices to consider when using rootless Docker.
Step 1: Rootless Docker in Regular Docker
To run rootless Docker inside a container managed by a root Docker daemon (Docker-in-Docker), use the docker:<version>-dind-rootless image rather than plain docker:<version>-dind. Note that the outer container still needs --privileged so that the inner daemon can create its user namespace; the rootless part is the daemon inside the container, not the container itself. See the command below for reference.
docker run -d --name dind-rootless --privileged docker:20.10-dind-rootless
Step 2: Ping Packet Routing
ping inside a rootless container uses an unprivileged ICMP socket, which the kernel only allows for group IDs inside net.ipv4.ping_group_range. To make ping work, open /etc/sysctl.conf as root and add the line below, which opens the range to all groups.
net.ipv4.ping_group_range = 0 2147483647
Then apply the setting with the following command.
sudo sysctl --system
Step 3: Expose Privileged Ports
Ports below 1024 are bound on the host by rootlesskit's port forwarder, which as an unprivileged process cannot bind them by default. To expose privileged ports, set CAP_NET_BIND_SERVICE on the rootlesskit binary (this grants that capability to every user who runs that binary, not just you), then restart the daemon. See the two commands below. Alternatively, setting the sysctl net.ipv4.ip_unprivileged_port_start to 0 removes the restriction host-wide.
sudo setcap cap_net_bind_service=ep $(which rootlesskit)
systemctl --user restart docker
Use Cases for Running Rootless Docker Containers
Now that you’ve installed and configured rootless Docker, you might wonder what its use cases are.
Shared Development Environments
Software development teams often share the same server, and their familiarity with Linux and DevOps practices varies. With rootless Docker, each Linux user runs their own daemon and containers under their own account, so one developer's containers cannot affect, or be controlled by, the other users of the same server.
Cost-Saving Measures
Perhaps you’re offering a service that requires your clients to use Docker. Instead of running a separate server instance for each user, you can cut costs by hosting multiple users on the same server with rootless Docker containers.
Overcome Hosting Limitations
Another good use case for rootless Docker is a hosting plan that doesn't come with root access. Provided the uidmap package is installed and your account has subordinate ID ranges in /etc/subuid and /etc/subgid (ask the support team if not), you can set up rootless Docker yourself.
Limitations of Rootless Docker
While rootless Docker containers are a great solution with many use cases, there are some limits of which you should be aware.
Limited Support of Storage Drivers
Rootless Docker only supports the following storage drivers, with the kernel requirements noted:
- overlay2 (kernel 5.11 or later, or an Ubuntu kernel with the unprivileged overlayfs patch)
- fuse-overlayfs (kernel 4.18 or later, with fuse-overlayfs installed)
- btrfs (kernel 4.18 or later, or ~/.local/share/docker mounted with the user_subvol_rm_allowed option)
- vfs (works everywhere but copies every layer in full, so it is slow and uses a lot of disk)
Limited Features
The following Docker features are not supported:
- AppArmor
- Checkpoint
- overlay network
- exposing SCTP ports
Cgroup Limits
Cgroup-based resource limits are supported only when the daemon runs under systemd on a host using cgroup v2. On cgroup v1 hosts, options such as --memory and --cpus cannot be enforced in rootless mode.
Testing Rootless Docker
After completing the setup, test the rootless Docker container. To do this, follow the steps outlined below.
Step 1:
To check the proper installation of Docker, issue the following command.
docker run hello-world
If you get the following message, all is well.
Hello from Docker! This message shows that your installation appears to be working correctly.
Step 2:
Now, it’s time to test if Docker works in rootless mode by attempting to run a container with the following command.
docker run -it ubuntu bash
Step 3:
Finally, confirm that the daemon really is running as your user rather than root. From another shell on the host, list the daemon processes with their owners; the user column should show your account, not root. docker info also lists name=rootless under Security Options when the client is talking to a rootless daemon.
ps -eo user,pid,cmd | grep -E 'dockerd|rootlesskit' | grep -v grep
Final Thoughts
This guide covered what rootless Docker is and how it works. Installing and running rootless Docker lets developers and administrators share a server safely, save costs and server resources, and limit what a compromised container can reach. Proper testing after installation goes a long way to ensure you are ready to run your containers when needed.
Are you looking for a Linux server for your next Docker-dependent project? Liquid Web offers a variety of Dedicated Server solutions to suit your needs. Contact our sales team to learn more.
About the Author: Joseph Molloy
Liquid Web Security Operations tech Joseph spends his days cleaning up malware and doing his part to keep the Internet safe. He is interested in all things Linux and always looking for something new to learn. In addition, he enjoys cooking and playing guitar, is an avid horror and sci-fi reader, and is a fan of black metal music.