Careful consideration should be taken when attempting to run anything with elevated permissions. For Linux-based systems, this involves root or sudo. Running Docker without root access (“rootless”) avoids the overhead of hosting containers with these elevated permissions, which can help simplify resource management and even improve performance in environments with strict security practices. I sometimes choose to run Docker without root access, unless required otherwise, and here are some reasons why you may wish to do so too.
It’s worth noting right off the bat that choosing to install and run rootless Docker requires a few things to be configured before doing so. There’s a great official guide on prepping your host system linked above that I highly recommend reading through to get a better understanding of the process you’re about to undertake. So, why would one wish to run rootless Docker?
Creates a more secure environment
Keep it hidden, keep it safe
Rootless Docker adheres to regulatory frameworks, such as Payment Card Industry Data Security Standard (PCI DSS) and Health Insurance Portability and Accountability Act (HIPAA), but it’s important even if you don’t specifically need to meet these strict requirements. The whole point of Docker is to keep services and software isolated from one another. Running Docker as root only serves to increase the risk of something going horribly wrong. Using non-root users minimizes the risk of privilege escalation attacks. Should a container be compromised, the malicious party can work to gain access to the user running Docker.
If a container is compromised, attackers can only gain access to the user running Docker, not the entire host system. This is a critical defense against container escape attacks, which are a common threat in containerized environments. If a container gains access to the root user, it can potentially access the host’s filesystem, network interfaces, and even other containers. Rootless Docker limits this risk by ensuring that containers run under user namespaces, which isolate the container’s processes from the host’s user space.
It’s easier to troubleshoot
Work out where you went wrong
Because we don’t need to use sudo or elevated root privileges to run Docker, we don’t need to rely on these for running containers. Should something go wrong with a specific container, it can be easier to work through the troubleshooting steps and even have the developer work out what’s going wrong. It also helps prevent any accidental misuse of the root. Developers will recommend running containers without elevated permissions, but you may require doing so for specific features such as hardware passthrough.
But even then, it’s possible to work around this limitation by adding GPU access to users within the Docker environment, using tools like NVIDIA Container Toolkit or user namespaces. Want to try something new? Suppose you’re running Docker on an SBC or other low-power device. In that case, every cycle counts, and not having to worry about elevating permissions and navigating checks can make a significant difference.
Keeps everything isolated
Even if a container has undisclosed vulnerabilities, rootless Docker prevents attackers from escalating privileges to the host. This is a critical defense against container escape attacks, which are a common threat in containerized environments. It’s also why we’re seeing increasing adoption of rootless operations in production environments. Rootless Docker leverages user namespaces and capabilities (CAP_NET_BIND_SERVICE, etc.) to grant containers only the permissions they need. This reduces the attack surface and ensures that even if a container is compromised, it cannot access the host’s filesystem or network interfaces.
In multi-tenant environments, rootless Docker can be used to isolate workloads across different users or teams. For example, in a cloud provider’s infrastructure, each tenant’s containers run under their own user namespace, preventing them from interfering with one another. Although requiring advanced procedures to get up and running, as well as ways to get around potential obstacles, rootless Docker has many benefits that may relate to your own deployment.
It’s not just for developers
Running rootless Docker isn’t just for enthusiasts or those with strict security guidelines. In any production environment, rootless Docker can help mitigate malicious execution through enhanced isolation of containers from the host system. It’s also great for cloud deployments, where you can run containers with different users that don’t interfere with one another. Kubernetes is rootless, for example, and is relied upon by many to launch and run applications at scale.
It’s also not that difficult to set up. Podman exists, which is a rootless container engine and can work out of the box with minimal human input. Docker Desktop even has a rootless mode for quickly enabling this feature, and can be installed on Linux distros. In fact, if you’re just starting with Docker, I suggest using Docker Desktop to get started and gradually transition to the CLI once you’ve gotten the hang of how everything works, especially with this rootless approach.
But do you really need to run Docker rootless?
Not really. You can get by so long as you follow basic security protocols. Ensure you configure the containers with bridge or IPvlan, never run them as privileged, and avoid using the Docker socket for things like Portainer. That said, there’s no harm in running rootless Docker, and it can teach you a few things about securing Docker and its isolated sandboxed environments so that your system (and wider network) is better protected against potential vulnerabilities. Like everything with tech, it’s all about what you need it to do.