How to Install Docker Rootless on SLES 15/16 (2026 Guide)
Why This Matters
When I first started with Docker, I ran everything as root. It was easy, it worked, and I didn't think twice about it. Then I learned that a container escape vulnerability could give an attacker full root access to my entire system. That's when I switched to rootless Docker — and you should too.
Rootless Docker runs the Docker daemon entirely under your regular user account. No sudo required. No root privileges for container operations. If a container gets compromised, the attacker is stuck with your user's permissions — not root.
docker-stable and docker-stable-rootless-extras packages that work perfectly on SLES.
This guide walks you through the entire process step by step for SUSE Linux Enterprise Server (SLES) 15 and 16.
Prerequisites
- Operating System: SUSE Linux Enterprise Server (SLES) 15 or 16
- Disk Space: At least 20 GB free in your home directory (check with df -h ~)
- Time: 15-20 minutes
- Access: Sudo privileges for initial installation only
- Repositories: Access to openSUSE repositories (default on most SLES installations)
Step 1: Remove Old Docker Packages
Before installing Docker from the openSUSE repositories, remove any conflicting packages from your distribution's default repos.
For SLES:
sudo zypper remove docker docker-client docker-client-latest \
docker-common docker-latest docker-latest-logrotate \
docker-logrotate docker-engine podman runc
This ensures a clean starting point and prevents package conflicts.
Step 2: Add openSUSE Repositories
Docker CE doesn't publish official packages for SLES. Instead, we use the openSUSE repositories, which maintain up-to-date Docker packages for SLES.
Add the Virtualization:containers repository:
sudo zypper addrepo \
https://download.opensuse.org/repositories/\
Virtualization:/containers/16.0/\
Virtualization:containers.repo
For SLES 15.x, use this instead:
sudo zypper addrepo \
https://download.opensuse.org/repositories/\
Virtualization:/containers/15.7/\
Virtualization:containers.repo
Add the security:netfilter repository (required for rootless extras):
sudo zypper addrepo \
https://download.opensuse.org/repositories/\
security:netfilter/16.0/\
security:netfilter.repo
For SLES 15.x, use this instead:
sudo zypper addrepo \
https://download.opensuse.org/repositories/\
security:netfilter/15.7/\
security:netfilter.repo
Refresh the repositories:
sudo zypper refresh
Browse available versions: If you're using a different SLES version, browse the available releases at:
- https://download.opensuse.org/repositories/Virtualization:/containers/
- https://download.opensuse.org/repositories/security:netfilter/
Step 3: Install Docker Rootless
Install the docker-stable-rootless-extras package. This pulls in docker-stable and all other required dependencies automatically.
sudo zypper install -y docker-stable-rootless-extras
What gets installed:
- docker-stable — The Docker daemon and CLI
- docker-stable-rootless-extras — Rootless mode support files
- All required dependencies (containerd, runc, etc.)
The docker-stable package does not include the Docker Compose plugin. We'll install that separately in the next step.
Step 4: Install Docker Compose (Optional but Recommended)
The docker-stable package doesn't include Docker Compose. Install it separately and register it as a CLI plugin to use the modern docker compose command (v2 syntax).
Install docker-compose:
sudo zypper install -y docker-compose
Register as a Docker CLI plugin:
mkdir -p ~/.docker/cli-plugins
ln -sf /usr/bin/docker-compose ~/.docker/cli-plugins/docker-compose
Verify the plugin works:
docker compose version
You should see the Docker Compose version (e.g., Docker Compose version v2.x.x).
Why this matters: The symlink makes docker compose (without hyphen) available as a Docker CLI plugin. This is the modern v2 syntax used throughout this guide and in Docker Compose files.
Step 5: Set Up Rootless Docker
Here's where rootless mode actually gets enabled. From this point on, no sudo is required.
First, disable the system-wide Docker daemon:
sudo systemctl disable --now docker.service docker.socket
Now run the rootless setup script as your regular user:
dockerd-rootless-setuptool.sh install
You should see output ending with:
[INFO] Installed docker.service successfully.
[INFO] To control docker.service, run: `systemctl --user (start|stop|restart) docker.service`
[INFO] To run docker.service on system startup, run: `sudo loginctl enable-linger [username]`
Enable your user's Docker service to start automatically on boot:
systemctl --user enable --now docker
Enable lingering so your user services start at boot even without a login session:
sudo loginctl enable-linger [username]
Replace [username] with your actual username.
Verification
Here's how to confirm everything worked:
Switch to rootless context:
docker context use rootless
Test with a real container (jq demo):
Instead of the usual hello-world, let's verify with something useful. I've got a JSON file — sample.json. Normally you'd need to install jq to parse it. But with Docker, the tool comes with the container:
cat sample.json | docker run --rm -i stedolan/jq '.'
First time, you'll see:
Unable to find image 'stedolan/jq:latest' locally
Downloaded newer image for stedolan/jq:latest
Then the output — beautifully formatted JSON:
{
"name": "David",
"company": "Transcend Solutions",
"role": "DevOps Engineer",
"skills": ["Docker", "Kubernetes", "Linux"],
"location": "Singapore",
"experience_years": 15
}
No installation. No sudo. Same command on any system with Docker.
Confirm rootless mode:
docker info 2>&1 | grep "rootless"
Expected output:
rootless
Check your context:
docker context show
Expected output:
rootless
Verify data directory:
docker info 2>&1 | grep "Docker Root Dir"
Rootless Docker stores everything under your home directory:
Docker Root Dir: /home/youruser/.local/share/docker
(Instead of /var/lib/docker for system Docker)
List running containers:
docker ps
This shows an empty table (no containers running yet):
CONTAINER IMAGE COMMAND CREATED STATUS PORTS NAMES
Verify Docker starts at boot:
systemctl --user status docker
You should see "active (running)" and "enabled".
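The checks above, combined into one script as an added example (not part of the original guide). It matches the daemon's exact name=rootless security option instead of grepping, because a plain grep for "rootless" in docker info output also matches the client context name. The function names and sample values are this example's own; the samples are constructed, not captured from a real host.

```shell
#!/usr/bin/env bash
# Added example: audit the facts the verification steps look for, using exact
# matches instead of grep. Function names here are this example's own.

# True only if SecurityOptions (JSON array) has the exact entry name=rootless.
is_rootless_daemon() {
    printf '%s\n' "$1" | tr -d '[]"' | tr ',' '\n' | grep -qx 'name=rootless'
}

# True only if the data root ($1) lies inside the home directory ($2).
root_dir_in_home() {
    case "$1" in
        "$2"/*) return 0 ;;
        *)      return 1 ;;
    esac
}

# Args: security-options JSON, Docker Root Dir, context name, home directory.
# Prints one line per failed check and returns the number of failures.
audit_rootless() {
    local failures=0
    is_rootless_daemon "$1" || { echo "FAIL: daemon does not report name=rootless"; failures=$((failures + 1)); }
    root_dir_in_home "$2" "$4" || { echo "FAIL: Docker Root Dir '$2' is outside '$4'"; failures=$((failures + 1)); }
    [ "$3" = "rootless" ] || { echo "FAIL: active context is '$3'"; failures=$((failures + 1)); }
    if [ "$failures" -eq 0 ]; then echo "OK: rootless daemon, data under $4"; fi
    return "$failures"
}

# Collect the live values from the docker CLI and audit them.
audit_live() {
    audit_rootless \
        "$(docker info --format '{{json .SecurityOptions}}')" \
        "$(docker info --format '{{.DockerRootDir}}')" \
        "$(docker context show)" \
        "$HOME"
}

# Constructed sample values (not captured from a real host).
SAMPLE_ROOTLESS='["name=seccomp,profile=builtin","name=rootless","name=cgroupns"]'
SAMPLE_ROOTFUL='["name=apparmor","name=seccomp,profile=builtin","name=cgroupns"]'

audit_rootless "$SAMPLE_ROOTLESS" /home/youruser/.local/share/docker rootless /home/youruser
audit_rootless "$SAMPLE_ROOTFUL" /var/lib/docker default /home/youruser || true
```

On a host with Docker installed, call audit_live as your regular user; a non-zero return value is the number of checks that failed.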
Rootless Limitations to Know
Running Docker in rootless mode has a few trade-offs:
These are minor trade-offs for the significant security benefit of never running the Docker daemon as root.
What's Next
Now that you have a secure rootless Docker environment on SLES, you're ready to:
- Pull and run your first containers
- Learn about Docker volumes for persistent data
- Set up multi-container applications with Docker Compose
For more deep dives on Docker, check out "Levelling Up with Docker" — 14 chapters of practical guides covering volumes, networking, Compose, production deployments, and more.
Levelling Up with Docker by David Tio