Docker Rootless: high security and high performance

On installing docker on Ubuntu or Debian system using the following command…

$ curl -sSL https://get.docker.com/ | sh

We might get the following message at the end of the command that says…

To run Docker as a non-privileged user, consider setting up the
Docker daemon in rootless mode for your user:

    dockerd-rootless-setuptool.sh install

Visit https://docs.docker.com/go/rootless/ to learn about rootless mode.

What does that mean?

By default, Docker requires root privileges to run, as it interacts with system-level components such as Docker daemon and system resources like networking and storage. However, running Docker as root can pose security risks.

To mitigate these risks and allow non-privileged users to run Docker without granting them root access, Docker introduced a feature called “rootless mode”. In rootless mode, the Docker daemon and containers run entirely within the user’s own namespace, without needing root privileges. In this article, we will explore how Rootless mode works, setting up, advantages, limitations and use cases.

🤔 How Rootless mode work?

Docker rootless fundamentally changes the traditional way of running the both Docker daemon and containers as an unprivileged user. This is how it is done:

First, rootless mode uses user namespace, which is a Linux kernel feature that lets unprivileged users create containers. Inside these namespaces, a user can have privileges that look like root permissions, but these privileges are actually restricted to the namespace. This is the same as having admin rights in a sandbox - we can do administrative tasks, but only within that confined space.

The rootless mode operates by running the Docker daemon as a regular user process instead of root. This daemon process creates a user namespace where it appears to have root privileges, but these privileges don’t extend outside the namespace.

Network management becomes interesting in rootless mode. For port binding below 1024 (traditionally requiring root), rootless mode can use rootlesskit, which provides an unprivileged port mapping feature. This lets containers bind to privileged ports through user-space root privileges.

One important technical detail is how subuid and subgid mapping work. The system needs to map the user’s UID inside the containers to a range of UIDs on the host system. This mapping is configured in /etc/subuid and /etc/subgid, allowing the user namespace to work properly while maintaining security isolation.

🟡 Prerequisites

Before setting up Docker in Rootless mode, there are several prerequisites to consider:

You must install newuidmap and newgidmap on the host. These commands are provided by the uidmap package.
For Debian / Ubuntu:

$ sudo apt-get install uidmap

• Check Current User’s UID/GID: /etc/subuid and /etc/subgid contains a significant number of subordinate UIDs/GIDs for the user. Let’s verify that:

$ id -u
1001
$ whoami
jiisanda
$ grep ^$(whoami): /etc/subuid
jiisanda:231072:65536
$ grep ^$(whoami): /etc/subgid
jiisanda:231072:65536

By verifying these steps, you ensure that the user running Docker in Rootless mode has a sufficient number of subordinate UIDs/GIDs allocated for proper operation.

• Install the dbus-user-session package: On Ubuntu, installing the dbus-user-session package is recommended for proper functioning of certain system services and components. This package provides the D-Bus session bus for user sessions, which can be crucial for running services like Docker.

To install dbus-user-session using the following command…

$ sudo apt-get install dbus-user-session

📥 Install

If the system-wide Docker daemon is already running, consider disabling it:

$ sudo systemctl disable –now docker.service docker.socket
$ sudo rm /var/run/docker.sock

If installed Docker 20.10 or later with RPM/DEB packages, it’s a pretty simple set up. You should have docker-rootless-setuptools.sh in /usr/bin.

Run dockerd-rootless-setuptool.sh install as a non-root user to set up the daemon:

$ dockerd-rootless-setuptool.sh install
[INFO] Creating /home/testuser/.config/systemd/user/docker.service
...
[INFO] Installed docker.service successfully.
[INFO] To control docker.service, run: `systemctl --user (start|stop|restart) docker.service`
[INFO] To run docker.service on system startup, run: `sudo loginctl enable-linger testuser`

[INFO] Make sure the following environment variables are set (or add them to ~/.bashrc):

$ export PATH=/usr/bin:$PATH
$ export DOCKER_HOST=unix:///run/user/1000/docker.sock

If dockerd-rootless-setuptool.sh is not present, you may need to install the docker-ce-rootless-extras package manually, as…

$ sudo apt-get install -y docker-ce-rootless-extras

✅ Best Practices for using Docker Rootless

1. Ensure Your System Meets Requirements

   • Use a modern Linux kernel (5.11+ recommended for better performance).
   • Install necessary dependencies like uidmap, slirp4netns, fuse-overlayfs.
   • Run dockerd-rootless-setuptool.sh check to verify system compatibility.

2. Use OverlayFS for Better Performance

   • By default, fuse-overlayfs is used in rootless mode.
   • If your system supports it, enable OverlayFS (--storage-driver=overlay2) for better disk performance.

3. Optimize Networking for Performance

   • Rootless mode uses slirp4netns for user-space networking, which can be slower.
   • If possible, use Host networking (--network=host) when running containers that require better performance.
   • Consider VPNKit or RootlessKit for improved networking options.

4. Use Systemd for Better Stability

   • Start Docker Rootless with systemd instead of running it manually, this ensures Docker restarts automatically after a system reboot:

   $ systemctl --user enable docker
   $ systemctl --user start docker
   

5. Limit Resource Usage

   • Since Rootless Docker runs as a user process, it doesn’t have system-wide privileges.
   • Use cgroups v2 to set resource limits for CPU, memory, and I/O.

   Example:
   

   $ docker run --memory=512m --cpus=1 my-container
   

6. Enable Logging & Debugging

   • Check logs to troubleshoot issues, after running the command below run docker info to verify that Docker is running in rootless mode:

   $ journalctl --user -u docker.service
   

🚀 Use cases for Docker Rootless

1. Multi-User Environments (Universities, Research Labs)

   • Allows different users to run containers without needing root privileges.
   • Prevents one user’s container from affecting another user’s work.

2. Secure Development Environments

   • Developers can run Docker without risking system security.
   • Ideal for isolated testing and running containers on personal machines.

3. CI/CD Pipelines

   • Useful for CI/CD environments where security is a priority.
   • No need to grant root access to build agents running Docker.

4. Shared Hosting & Workstations

   • Hosting providers can allow customers to run Docker containers without exposing the entire system.
   • Perfect for corporate workstations where security policies prohibit root access.

5. Running Containers in Restricted Environments

   • If you don’t have sudo access (e.g., cloud-hosted VMs or corporate laptops), rootless mode allows you to use Docker safely.

🚨 When NOT to Use Docker Rootless

• ❌ High-Performance Production Environments

  • Rootless networking (slirp4netns) is slower than rootful networking. Storage performance is slightly lower without direct disk access.

• ❌ If You Need Privileged Containers

  • Rootless Docker cannot run privileged containers (--privileged flag won’t work). Containers cannot access low-level hardware (e.g., GPUs, USB devices).

• ❌ If You Need System-Wide Networking

  • Rootless mode does not support port bindings under 1024 (e.g., you can’t expose 80:80). Workarounds exist (iptables tricks), but it’s not as flexible as rootful Docker.

Conclusion

Docker Rootless is a great choice for secure, non-privileged environments like development, CI/CD, and multi-user systems. However, for production workloads requiring high performance, rootful Docker is still the better option.