Docker Rootless on Ubuntu (2026 Guide)

Docker Rootless Installation on Ubuntu
Quick one-liner: All the container power, none of the root-level risk.

Why This Matters

When I first started with Docker, I ran everything as root. It was easy, it worked, and I didn't think twice about it. Then I learned that a container escape vulnerability could give an attacker full root access to my entire system. That's when I switched to rootless Docker — and you should too.

Rootless Docker runs the Docker daemon entirely under your regular user account. No sudo required. No root privileges for container operations. If a container gets compromised, the attacker is stuck with your user's permissions — not root.

You asked, I delivered: This guide was the #1 request in my LinkedIn poll (Ubuntu/Linux Mint won with 50% of votes).

Planning Disk Space

In rootless mode, Docker stores all images, containers, volumes, and build cache under your home directory at ~/.local/share/docker. This means your home directory needs enough space to hold everything you work with.

For following along with this guide, plan for at least 20 GB of free space in your home directory. If you are setting up a dedicated Docker host, consider giving the home partition 50 GB or more to accommodate larger images and persistent data volumes.

You can check your available space with:

df -h ~

Prerequisites

  • Operating System: Ubuntu 22.04 or higher (also works on Linux Mint, Pop!_OS)
  • Disk Space: At least 20 GB free in your home directory
  • Time: 15-20 minutes
  • Access: Sudo privileges for initial installation only

Step 1: Remove Old Docker Packages

Remove any old or conflicting Docker packages that may have been installed from the distribution repositories:

sudo apt remove docker.io docker-compose docker-compose-v2 \
    docker-doc podman-docker containerd runc

This ensures a clean starting point before installing Docker from the official repository.

Step 2: Set Up Docker's APT Repository

Install prerequisites and add Docker's official GPG key:

sudo apt update
sudo apt install ca-certificates curl
sudo install -m 0755 -d /etc/apt/keyrings
sudo curl -fsSL https://download.docker.com/linux/ubuntu/gpg \
    -o /etc/apt/keyrings/docker.asc
sudo chmod a+r /etc/apt/keyrings/docker.asc

Add the Docker repository to your APT sources:

sudo tee /etc/apt/sources.list.d/docker.sources <<EOF
Types: deb
URIs: https://download.docker.com/linux/ubuntu
Suites: $(. /etc/os-release && echo "${UBUNTU_CODENAME:-$VERSION_CODENAME}")
Components: stable
Signed-By: /etc/apt/keyrings/docker.asc
EOF
sudo apt update

Step 3: Install Docker Packages

sudo apt install docker-ce docker-ce-cli containerd.io \
    docker-buildx-plugin docker-compose-plugin

Step 5: Install Rootless Prerequisites

Rootless Docker requires uidmap (for user namespace mapping) and dbus-user-session (for systemd user services):

sudo apt install uidmap dbus-user-session

Step 6: Set Up Rootless Docker

From this point on, no sudo is required.

First, make sure the system-wide Docker daemon is not running. Rootless Docker runs its own daemon under your user account:

sudo systemctl disable --now docker.service docker.socket

Now run the rootless setup script as your regular user:

dockerd-rootless-setuptool.sh install

You should see output ending with:

[INFO] Installed docker.service successfully.
[INFO] To control docker.service, run: `systemctl --user (start|stop|restart) docker.service`
[INFO] To run docker.service on system startup, run: `sudo loginctl enable-linger [username]`

Enable your user's Docker service to start automatically on boot:

systemctl --user enable --now docker

Enable lingering so your user services start at boot even without a login session:

sudo loginctl enable-linger [username]

Replace [username] with your actual username.

Verification

Here's how to confirm everything worked:

1. Test with the hello-world image:

docker run hello-world

This command downloads a small test image from Docker Hub and runs it. You should see a message starting with:

Hello from Docker!
This message shows that your installation appears to be working correctly.

2. Confirm rootless mode:

docker info | grep -i context

You should see:

Context:    rootless

3. Test with a real container (jq demo):

Instead of the usual hello-world, let's verify with something useful. We'll create a sample JSON file and use Docker to parse it with jq — without installing anything locally:

First, create the sample JSON file:

echo '{"name":"David","company":"Transcend Solutions","role":"DevOps Engineer","skills":["Docker","Kubernetes","Linux"],"location":"Singapore","experience_years":15}' > sample.json

Now parse it with Docker and jq:

cat sample.json | docker run --rm -i ghcr.io/jqlang/jq '.'

First time, you'll see:

Unable to find image 'ghcr.io/jqlang/jq:latest' locally
Downloaded newer image for ghcr.io/jqlang/jq:latest

Then the output — beautifully formatted JSON:

{
  "name": "David",
  "company": "Transcend Solutions",
  "role": "DevOps Engineer",
  "skills": [
    "Docker",
    "Kubernetes",
    "Linux"
  ],
  "location": "Singapore",
  "experience_years": 15
}

No installation. No sudo. Same command on any system with Docker.

4. List running containers:

docker ps -a

This shows all containers, including stopped ones (with status Exited):

CONTAINER ID   IMAGE          COMMAND    CREATED        STATUS                     PORTS   NAMES
a1b2c3d4e5f6   hello-world   "/hello"   5 minutes ago  Exited (0) 5 minutes ago          peaceful_hofstadter

Rootless Limitations

Running Docker in rootless mode has a few limitations to be aware of:

  • No ports below 1024 — rootless containers cannot bind to privileged ports (like 80 or 443) directly. We address this in Chapter 7 using a rootful nginx proxy container.
  • Storage in home directory — all images and data live under ~/.local/share/docker, so ensure your home directory has adequate space.
  • No ping from containers — ICMP packets require root privileges. Use curl or wget to test connectivity instead.

These are minor tradeoffs for the significant security benefit of never running the Docker daemon as root.

Exercise

  1. Run docker info and identify how many containers are running, paused, and stopped on your system. Confirm the output shows Context: rootless.
  2. Run the hello-world test image again and verify it appears in the stopped containers list: 
    docker run hello-world
docker ps -a
    You should see the hello-world container with status "Exited".
  3. Check how much disk space Docker is using in your home directory with du -sh ~/.local/share/docker.

What's Next

Now that you have a secure rootless Docker environment on Ubuntu, you're ready to:

  • Pull and run your first containers
  • Learn about Docker volumes for persistent data
  • Set up multi-container applications with Docker Compose

Want more? This guide is adapted from Chapter 1: Preparing Docker Host in my book "Levelling Up with Docker" — 14 chapters covering volumes, networking, Compose, production deployments, and more.

Found this helpful? Share it with someone learning Docker!

📚 Want to Go Deeper?

Levelling Up with Docker by David Tio
14 chapters of practical Docker guides

Get on Amazon →

Published: 4 March 2026

Author: David Tio

Source: Chapter 1: Preparing Docker Host

Tags: Docker, Ubuntu, Linux, Rootless, DevOps, Tutorial

Poll Winner: Ubuntu / Linux Mint(57% of LinkedIn poll votes)

Comments

Post a Comment

Popular posts from this blog

SLES 15 LVM + XFS Without Separate /boot Partition

Image
GRUB2 allow booting from LVM partition, however I haven't see any documentation on how to setup SLES 15 using LVM + XFS root partition without separate /boot partition. You can even put /boot as one of the logical volume. When separate /boot partition is not created, we will need to create small partition with BIOS boot flag and once this BIOS boot partition is created, you can setup the remaining disk as LVM partition and setup your volume group and logical volumes as usual.    During the installation, choose "Expert Partitioner" > "Start with Existing Partitions". Select your disk and "Create New Partition Table" > "GPT" Select "Partitions" tab and choose "Add Partition" Choose "Custom Size" then enter "8 MiB" as the size. The Role of this partition should be "Raw Volume (unformatted)" Select BIOS Boot as Partition ID Create another partition as LVM pa...
Read more

pfSense and scp

pfSense and scp doesn't play nice. When you try to scp to admin@pfsense.hostname you will likely encounter the error " Illegal option -[X] " The solution to this is rather simple too, when running scp to pfSense, just use the root account.  Cheers
Read more

SupportConfig Analysis for SLES 12

Image
SLES comes with tools to analyse supportconfig data called Support Config Analysis (SCA). This tool is not installed by default, but it is quite simple to install and run.  All you need are the next few commands and you are on the way to see how you can tune your SLES. # zypper in sca-server-report sca-patterns-sle12 # scatool -s The report will be generated at /var/log/nts_XXX.html and is viewable via your favourite web browser. It will look something like the following screenshot There are links that you can follow to see the solutions details. Happy Tuning!!!
Read more