Docker stack with access from local and remote

Docker Design Disadvantages

Docker stack with access from local and remote

Daemon runs as root

Client controls daemon without authentication

Security issues

docker run -v /:/host

docker run -v /var/run/docker.sock:

docker run --privileged

Rootless Docker IS NOT

Running as non-root in a container

Forcing a user docker run/exec --user $(id -u):$(id -g) ...

Executing docker from a non-root account

Enabling user namespace mapping

Rootless Docker IS

Running containers as non-root

Based on user namespaces

GA since Docker 20.10

Limitations of Rootless Docker

OverlayFS only on Ubuntu

Reduced network performance

Unable to open ports below 1024

No cgroup (resource management)

Rootless Docker


Registers dockerd as systemd user unit

curl -fsSL | sh


docker context use rootless

Rootless Inception

Docker Rootless in Docker Rootful

docker run -d --name dind-rootless --privileged \

Privileged container is required for:

Remote Rootless Docker

Remote access to rootless Docker via secure TCP

    --host tcp:// \
    --tlsverify \
    --tlscacert=ca.pem \
    --tlscert=cert.pem \

Remoting through SSH also works…

…but DOCKER_HOST must be set and available

Good to know

Official documentation

Resource management required cgroup v2

Container UID 0 is mapped to host UID of user

All other container UIDs are mapped to high UIDs


Rootless Podman is also a thing

Rootless BuildKit

Official documentation

Run buildkitd

rootlesskit --net=slirp4netns --copy-up=/etc --disable-host-loopback \

(add --oci-worker-snapshotter=native when fuse-overlayfs produces errors)

Build locally

buildctl --addr unix:///run/user/$UID/buildkit/buildkitd.sock \
    build ...

Rootless BuildKit Inception

Run containerized buildkitd

docker run --name buildkitd -d \
    --security-opt seccomp=unconfined \
    --security-opt apparmor=unconfined \
    --device /dev/fuse \
    moby/buildkit:rootless --oci-worker-no-process-sandbox

Build against container

buildctl --addr docker-container://buildkitd \
    build ...

Rootless containerd

Official documentation

Install and run

mkdir -p ~/bin
curl -sLo bin/
curl -sLo bin/
curl -sL$R/raw/$V/$P/$S | \
    bash -s install

Under the Hood of Rootless

It’s all based on user namespaces

The person behind rootless implementations: Akihiro Suda

The code behind setting up rootless: rootlesskit

Networking for rootless: slirp4netns

Home of Rootless Containers

Rootless Playground

Homebrew tap maintained by @nicholasdille

Install nerdctl and friends

brew tap nicholasdille/tap
brew install containerd buildkit nerdctl

Play with them

Follow the official documentation (links above)

Rootless Workplace

Very much work in progress

Please report issues


brew tap nicholasdille/tap
brew tap nicholasdille/immortal
brew install dockerd-rootless
brew immortal start dockerd-rootless
docker context create rootless \
    --description "Docker Rootless" \
    --docker "host=unix:///home/linuxbrew/.linuxbrew/var/run/dockerd/docker.sock"
docker context use rootless
docker version


brew tap nicholasdille/tap
brew tap nicholasdille/immortal
brew install buildkitd-rootless
brew immortal start buildkitd-rootless
export BUILDKIT_HOST=unix:///home/linuxbrew/.linuxbrew/var/run/buildkitd/buildkit/buildkitd.sock
buildctl build ...


brew tap nicholasdille/tap
brew tap nicholasdille/immortal
brew install containerd-rootless
brew immortal start containerd-rootless


brew tap nicholasdille/tap
brew tap nicholasdille/immortal
brew install nerdctl-immortal
brew immortal start nerdctl-containerd
brew immortal start nerdctl-buildkitd
nerdctl-rootless version

Rootless Kubernetes

Official documentation

Requires cgroup v2, systemd user, uidmap

Requires feature gate KubeletInUserNamespace

Rootless KinD

Official documentation, some loose ends

Requires cgroup v2

export DOCKER_HOST=unix://${XDG_RUNTIME_DIR}/docker.sock
kind create cluster

Rootless Notes

usernetes: Run Kubernetes without root privileges

sysbox: Open-source, next-generation “runc” that empowers rootless containers to run workloads such as Systemd, Docker, Kubernetes, just like VMs

WSL2 and cgroup v2: Requires change in Microsoft owned init for service VM