Rootless Docker/Moby was initially proposed in early 2018 and has been merged to the Docker/Moby upstream since Docker 19.03.
Docker 19.03 provides almost all features in Rootless mode, including support for port forwarding (docker run -p) and multi-container networking (docker network create), but it does not support limiting resources with cgroup.
Docker 20.10 added support for limiting resources using cgroup v2.
Please read the common steps first. In particular, make sure $XDG_RUNTIME_DIR is set properly.
The official installation script can be executed by a non-root user without
$ curl -fsSL https://get.docker.com/rootless | sh
$ curl -fsSL https://get.docker.com/rootless | CHANNEL=test sh
$ curl -fsSL https://get.docker.com/rootless | CHANNEL=nightly sh
Docker 20.10 provides docker-ce-rootless-extras RPMs and DEBs that can be installed by root for all users on the host.
$ curl -fsSL https://get.docker.com | sudo sh
$ sudo apt-get install -y docker-ce-rootless-extras
After installing RPMs/DEBS, run the following command as a non-root user to create the systemd user-instance unit:
$ dockerd-rootless-setuptool.sh install
$ export PATH=$HOME/bin:$PATH
$ export DOCKER_HOST=unix://$XDG_RUNTIME_DIR/docker.sock
$ docker run hello-world
To start/stop the daemon, use systemctl --user <start|stop> docker instead of systemctl <start|stop> docker.
The systemd unit file is located as
Resource-related flags of docker run, such as --pids-limit, can be used only when the following conditions are satisfied:
- Docker/Moby version is 20.10 or later
- containerd version is 1.4 or later
- runc version is 1.0-rc91 or later
- The host is running with cgroup v2
- The host is running with systemd
To impose resource limitations without cgroup, see https://docs.docker.com/engine/security/rootless/#limiting-resources
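A preflight script that checks the five conditions above before relying on resource-related flags. This is an added example, not part of the Rootless Docker documentation or the Docker project; it assumes docker, containerd and runc are on $PATH and that DOCKER_HOST points at the rootless socket as set up earlier.

```shell
# Preflight check for the five conditions above (added example, not part of the
# Rootless Docker docs or the Docker project). Assumes docker, containerd and runc
# are on $PATH and DOCKER_HOST points at the rootless socket, as set up above.

# version_ge A B: true when dotted version A >= B, compared component-wise.
version_ge() {
    local a="$1" b="$2" x y
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        [ "${x:-0}" -gt "${y:-0}" ] && return 0
        [ "${x:-0}" -lt "${y:-0}" ] && return 1
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 0
}

# runc_ok VERSION: true for runc 1.0-rc91 or later. Final 1.x releases qualify,
# 1.0 pre-releases only from rc91, and pre-releases of anything newer than 1.0.
runc_ok() {
    local v="${1#v}" base rc
    base=${v%%-*}
    case $v in
        *-rc*) rc=${v##*-rc}; rc=${rc%%[!0-9]*} ;;
        *)     version_ge "$base" 1.0; return ;;
    esac
    version_ge "$base" 1.0 || return 1
    version_ge 1.0 "$base" || return 0   # base is strictly newer than 1.0.x
    [ "${rc:-0}" -ge 91 ]
}

# cgroup_v2_fs FSTYPE: true when /sys/fs/cgroup is the unified (v2) hierarchy.
cgroup_v2_fs() { [ "$1" = cgroup2fs ]; }

check_host() {
    local fail=0 dv cv rv fs
    dv=$(docker version -f '{{.Server.Version}}' 2>/dev/null); dv=${dv%%[!0-9.]*}
    cv=$(containerd --version 2>/dev/null | awk '{print $3}'); cv=${cv#v}; cv=${cv%%[!0-9.]*}
    rv=$(runc --version 2>/dev/null | awk 'NR == 1 {print $3}')
    fs=$(stat -fc %T /sys/fs/cgroup 2>/dev/null)
    version_ge "${dv:-0}" 20.10 || { echo "FAIL docker ${dv:-?} (need 20.10+)"; fail=1; }
    version_ge "${cv:-0}" 1.4   || { echo "FAIL containerd ${cv:-?} (need 1.4+)"; fail=1; }
    runc_ok "${rv:-0}"          || { echo "FAIL runc ${rv:-?} (need 1.0-rc91+)"; fail=1; }
    cgroup_v2_fs "$fs"          || { echo "FAIL /sys/fs/cgroup is ${fs:-?}, not cgroup2fs"; fail=1; }
    [ -d /run/systemd/system ]  || { echo "FAIL host is not booted with systemd"; fail=1; }
    [ "$fail" -eq 0 ] && echo "ok: resource flags such as --pids-limit are usable"
}
# Run the live check only where the docker CLI exists.
if command -v docker >/dev/null 2>&1; then check_host; fi
```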
If slirp4netns is not installed on your host, download the official slirp4netns binary into ~/bin so that Docker/Moby can pick it up automatically. The functionality is the same as VPNKit, but slirp4netns is known to have better throughput.
However, slirp4netns is not included in the Docker package because they did not want to distribute slirp4netns’s GPL2 binary along with Apache License 2.0 binaries.
Docker/Moby also supports lxc-user-nic SETUID binary experimentally: https://docs.docker.com/engine/security/rootless/#changing-the-network-stack
Docker/Moby uses RootlessKit as the default port forwarder.
However, as explained in How it works, sometimes slirp4netns port forwarder is preferred over RootlessKit port forwarder.
To change the port forwarder to slirp4netns, add the following line to the [Service] section of
And then restart the daemon:
$ systemctl --user daemon-reload
$ systemctl --user restart docker
You need to run sudo loginctl enable-linger .... See Getting Started/Login.
Run the following commands to remove all containers and configurations:
$ systemctl --user stop docker
$ systemctl --user disable docker
$ rm -f ~/.config/systemd/user/docker.service
$ ~/bin/rootlesskit rm -rf ~/.local/share/docker ~/.config/docker
To uninstall binaries, remove the following files under
containerd containerd-shim containerd-shim-runc-v2 ctr docker docker-init docker-proxy dockerd dockerd-rootless-setuptool.sh dockerd-rootless.sh rootlesskit rootlesskit-docker-proxy runc vpnkit