Run the Docker daemon as a non-root user (Rootless mode)


2024-07-07 15:19 | Source: compiled from the web | Views: 265


Rootless mode allows running the Docker daemon and containers as a non-root user to mitigate potential vulnerabilities in the daemon and the container runtime.

Rootless mode does not require root privileges even during the installation of the Docker daemon, as long as the prerequisites are met.

How it works

Rootless mode executes the Docker daemon and containers inside a user namespace. This is very similar to userns-remap mode, except that with userns-remap mode, the daemon itself is running with root privileges, whereas in rootless mode, both the daemon and the container are running without root privileges.

Rootless mode does not use binaries with SETUID bits or file capabilities, except newuidmap and newgidmap, which are needed to allow multiple UIDs/GIDs to be used in the user namespace.

Prerequisites

You must install newuidmap and newgidmap on the host. These commands are provided by the uidmap package on most distros.

/etc/subuid and /etc/subgid should contain at least 65,536 subordinate UIDs/GIDs for the user. In the following example, the user testuser has 65,536 subordinate UIDs/GIDs (231072-296607).

$ id -u
1001
$ whoami
testuser
$ grep ^$(whoami): /etc/subuid
testuser:231072:65536
$ grep ^$(whoami): /etc/subgid
testuser:231072:65536

Distribution-specific hint

Tip

We recommend that you use the Ubuntu kernel.

Install dbus-user-session package if not installed. Run sudo apt-get install -y dbus-user-session and relogin.

Install uidmap package if not installed. Run sudo apt-get install -y uidmap.

If you are running in a terminal that the user did not log in to directly, you need to install systemd-container with sudo apt-get install -y systemd-container, then switch to TheUser with the command sudo machinectl shell TheUser@.

The overlay2 storage driver is enabled by default (Ubuntu-specific kernel patch).

Ubuntu 24.04 and later enable restricted unprivileged user namespaces by default, which prevents unprivileged processes from creating user namespaces unless an AppArmor profile is configured to allow the program to use unprivileged user namespaces.

If you install docker-ce-rootless-extras using the deb package (apt-get install docker-ce-rootless-extras), the AppArmor profile for rootlesskit is already bundled with the apparmor deb package, so no manual AppArmor configuration is needed. If you install the rootless extras using the installation script, however, you must add an AppArmor profile for rootlesskit manually:

Create and install the currently logged-in user's AppArmor profile:

$ filename=$(echo $HOME/bin/rootlesskit | sed -e s@^/@@ -e s@/@.@g)
$ cat /etc/systemd/system/user@.service.d/delegate.conf
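The script below is an added example, not part of the Docker documentation. It turns the prerequisites on this page into a read-only audit: it checks that newuidmap and newgidmap are installed, that /etc/subuid and /etc/subgid grant the user at least 65,536 subordinate IDs (summing multiple lines for the same user, and reporting the first range as start-end the way the page shows 231072-296607 for testuser), and, when the kernel restricts unprivileged user namespaces, whether an AppArmor profile named by the page's sed expression exists under /etc/apparmor.d. The sysctl name kernel.apparmor_restrict_unprivileged_userns is the Ubuntu kernel knob behind the restriction described above; the subuid sample data used in the demo is constructed and not from any real host.

```shell
#!/bin/sh
# Added example (not from the Docker documentation): audit the rootless-mode
# prerequisites described on this page. The 65,536 minimum, the subuid/subgid
# line format and the sed expression for the AppArmor profile name come from
# the page; kernel.apparmor_restrict_unprivileged_userns is the Ubuntu kernel
# sysctl for the restriction; the sample subuid data below is constructed.

MIN_SUBIDS=65536

# have_uidmap_tools: succeed only if both newuidmap and newgidmap are on PATH.
have_uidmap_tools() {
    command -v newuidmap >/dev/null 2>&1 && command -v newgidmap >/dev/null 2>&1
}

# subid_count FILE USER: total subordinate IDs granted to USER in a
# /etc/subuid-style file (name:start:count, possibly several lines).
# Prints 0 when the user has no entry.
subid_count() {
    awk -F: -v u="$2" '$1 == u { total += $3 } END { print total + 0 }' "$1"
}

# subid_range_ok FILE USER: succeed if USER has at least MIN_SUBIDS in FILE.
subid_range_ok() {
    [ "$(subid_count "$1" "$2")" -ge "$MIN_SUBIDS" ]
}

# subid_span FILE USER: print "first-last" of USER's first range, so the
# page's testuser:231072:65536 shows as 231072-296607.
subid_span() {
    awk -F: -v u="$2" '$1 == u { printf "%d-%d\n", $2, $2 + $3 - 1; exit }' "$1"
}

# apparmor_profile_name EXE: the profile file name the page derives with sed:
# drop the leading '/' and turn every remaining '/' into '.'.
apparmor_profile_name() {
    printf '%s\n' "$1" | sed -e 's@^/@@' -e 's@/@.@g'
}

# userns_restricted: succeed if the kernel restricts unprivileged user
# namespaces (Ubuntu 24.04 default); a missing sysctl counts as unrestricted.
userns_restricted() {
    [ "$(sysctl -n kernel.apparmor_restrict_unprivileged_userns 2>/dev/null)" = 1 ]
}

# audit_host USER EXE: print one line per prerequisite for the live host.
# Informational only; nothing here modifies the system.
audit_host() {
    user=$1 exe=$2
    if have_uidmap_tools; then echo "ok   newuidmap/newgidmap found"
    else echo "FAIL uidmap package missing"; fi
    for f in /etc/subuid /etc/subgid; do
        if [ -r "$f" ] && subid_range_ok "$f" "$user"; then
            echo "ok   $f grants $user $(subid_span "$f" "$user")"
        else
            echo "FAIL $f grants $user fewer than $MIN_SUBIDS IDs"
        fi
    done
    if userns_restricted; then
        profile=/etc/apparmor.d/$(apparmor_profile_name "$exe")
        if [ -f "$profile" ]; then echo "ok   AppArmor profile $profile present"
        else echo "FAIL unprivileged userns restricted and $profile missing"; fi
    else
        echo "ok   kernel does not restrict unprivileged user namespaces"
    fi
}

# Demo on constructed data so the parsing functions can be exercised off-host.
SAMPLE_SUBUID=$(mktemp)
printf 'testuser:231072:65536\nalice:100000:1000\nalice:200000:500\n' > "$SAMPLE_SUBUID"
echo "testuser span: $(subid_span "$SAMPLE_SUBUID" testuser)"   # 231072-296607
echo "alice total:   $(subid_count "$SAMPLE_SUBUID" alice)"     # 1500
rm -f "$SAMPLE_SUBUID"

# Audit the real host for the current user and the script-installed rootlesskit.
audit_host "$(id -un)" "$HOME/bin/rootlesskit"
```

Run it as the unprivileged user that will own the daemon; every FAIL line maps to one of the prerequisites above (install uidmap, extend /etc/subuid and /etc/subgid, or add the rootlesskit AppArmor profile). The AppArmor check only fires when the sysctl reports 1, which is the Ubuntu 24.04 default the page describes.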
