---
description: Run the Docker daemon as a non-root user (Rootless mode)
keywords: security, namespaces, rootless
title: Rootless mode
weight: 10
---
Rootless mode allows running the Docker daemon and containers as a non-root
user to mitigate potential vulnerabilities in the daemon and
the container runtime.
Rootless mode does not require root privileges even during the installation of
the Docker daemon, as long as the [prerequisites](#prerequisites) are met.
## How it works
Rootless mode executes the Docker daemon and containers inside a user namespace.
This is very similar to [`userns-remap` mode](userns-remap.md), except that
with `userns-remap` mode, the daemon itself is running with root privileges,
whereas in rootless mode, both the daemon and the container are running without
root privileges.
Rootless mode does not use binaries with `SETUID` bits or file capabilities,
except `newuidmap` and `newgidmap`, which are needed to allow multiple
UIDs/GIDs to be used in the user namespace.
## Prerequisites
- You must install `newuidmap` and `newgidmap` on the host. These commands
are provided by the `uidmap` package on most distributions.
- `/etc/subuid` and `/etc/subgid` should contain at least 65,536 subordinate
UIDs/GIDs for the user. In the following example, the user `testuser` has
65,536 subordinate UIDs/GIDs (231072-296607).
```console
$ id -u
1001
$ whoami
testuser
$ grep ^$(whoami): /etc/subuid
testuser:231072:65536
$ grep ^$(whoami): /etc/subgid
testuser:231072:65536
```
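The following script, added here as an example and not part of Docker's own tooling, checks the two prerequisites above for a given user: that `newuidmap`/`newgidmap` are installed, and that `/etc/subuid` and `/etc/subgid` together grant the user at least 65,536 subordinate IDs. It handles the case where a user's allocation is spread over several lines, which a plain `grep` for a single line would miss. The sample `subuid` files in the demo are constructed, and the user names in them are illustrative.

```shell
#!/bin/sh
# Added example (not from the Docker docs): verify rootless-mode prerequisites.

# Sum every "user:start:count" range a subuid/subgid-style file grants to a user.
# A user may hold several lines; all of them count toward the total.
subid_total() {
  user="$1"; file="$2"
  awk -F: -v u="$user" '$1 == u { total += $3 } END { print total + 0 }' "$file"
}

# Check that a user holds at least 65,536 subordinate IDs in both files.
# Defaults to the host's /etc/subuid and /etc/subgid; returns 0 only if both pass.
check_subids() {
  user="$1"; subuid="${2:-/etc/subuid}"; subgid="${3:-/etc/subgid}"
  rc=0
  for f in "$subuid" "$subgid"; do
    n=$(subid_total "$user" "$f")
    if [ "$n" -ge 65536 ]; then
      echo "ok: $user has $n subordinate IDs in $f"
    else
      echo "FAIL: $user has $n subordinate IDs in $f (need at least 65536)" >&2
      rc=1
    fi
  done
  return $rc
}

# Check that the setuid helpers from the uidmap package are on PATH.
check_idmap_tools() {
  command -v newuidmap >/dev/null 2>&1 && command -v newgidmap >/dev/null 2>&1
}

# Demo on constructed files (not the host's real /etc/subuid or /etc/subgid):
# "testuser" has a single 65,536-ID range, "alice" only 3,000 IDs over two lines.
tmpuid=$(mktemp); tmpgid=$(mktemp)
printf 'testuser:231072:65536\nalice:100000:1000\nalice:200000:2000\n' > "$tmpuid"
cp "$tmpuid" "$tmpgid"
check_subids testuser "$tmpuid" "$tmpgid"
check_subids alice "$tmpuid" "$tmpgid" || echo "alice needs a larger allocation before rootless mode will work"
rm -f "$tmpuid" "$tmpgid"

if check_idmap_tools; then
  echo "newuidmap and newgidmap are installed"
else
  echo "install the uidmap package (newuidmap/newgidmap not found)"
fi
```

To check the real host, run `check_subids "$(whoami)"` with no file arguments; a missing or too-small allocation can be added with `usermod --add-subuids` and `usermod --add-subgids`, or by editing the two files directly.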
### Distribution-specific hint
> [!TIP]
>
> We recommend that you use the Ubuntu kernel.
{{< tabs >}}
{{< tab name="Ubuntu" >}}
- Install `dbus-user-session` package if not installed. Run `sudo apt-get install -y dbus-user-session` and relogin.
- Install `uidmap` package if not installed. Run `sudo apt-get install -y uidmap`.
- If you are working in a terminal session that the user did not log into directly (for example, after `su` or `sudo -i`), install `systemd-container` with `sudo apt-get install -y systemd-container`, then switch to the user with `sudo machinectl shell TheUser@`. This starts a proper login session with a systemd user instance and D-Bus, which rootless Docker needs.
- The `overlay2` storage driver is enabled by default
([Ubuntu-specific kernel patch](https://kernel.ubuntu.com/git/ubuntu/ubuntu-bionic.git/commit/fs/overlayfs?id=3b7da90f28fe1ed4b79ef2d994c81efbc58f1144)).
- Ubuntu 24.04 and later enables restricted unprivileged user namespaces by
default, which prevents unprivileged processes from creating user namespaces
unless an AppArmor profile is configured to allow the program to use
unprivileged user namespaces.
If you install `docker-ce-rootless-extras` using the deb package (`apt-get
install docker-ce-rootless-extras`), then the AppArmor profile for
`rootlesskit` is already bundled with the `apparmor` deb package. With this
installation method, you don't need to add any AppArmor configuration
manually. If you install the rootless extras using the [installation
script](https://get.docker.com/rootless), however, you must add an AppArmor
profile for `rootlesskit` manually:
1. Create and install the currently logged-in user's AppArmor profile. The
profile file is named after the absolute path of the `rootlesskit` binary with
the leading `/` dropped and every remaining `/` replaced by `.`, and `$HOME`
is expanded when the heredoc is written:
```console
$ filename=$(echo $HOME/bin/rootlesskit | sed -e s@^/@@ -e s@/@.@g)
$ cat <<EOF > ~/${filename}
abi <abi/4.0>,
include <tunables/global>

"$HOME/bin/rootlesskit" flags=(unconfined) {
  userns,

  include if exists <local/${filename}>
}
EOF
$ sudo mv ~/${filename} /etc/apparmor.d/${filename}
```
2. Restart AppArmor.
```console
$ sudo systemctl restart apparmor.service
```
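To confirm that the restriction actually applies on a given host, and that the profile name you generated matches the one AppArmor will look for, the helpers below can be used. They are an added example and not part of Docker's or Ubuntu's tooling. They assume the Ubuntu sysctl `kernel.apparmor_restrict_unprivileged_userns` (read here via its `/proc/sys` path) and the util-linux `unshare` command; on kernels without that sysctl the state is reported as not applicable.

```shell
#!/bin/sh
# Added example: check whether unprivileged user namespaces are restricted and
# whether the rootlesskit AppArmor profile from the step above is in place.

# Report the restriction state from the sysctl file: "restricted" (1),
# "unrestricted" (0), or "not-applicable" when the file does not exist
# (older or non-Ubuntu kernels, or a host without AppArmor).
userns_restriction_state() {
  f="${1:-/proc/sys/kernel/apparmor_restrict_unprivileged_userns}"
  if [ ! -r "$f" ]; then
    echo "not-applicable"
  elif [ "$(cat "$f")" = "1" ]; then
    echo "restricted"
  else
    echo "unrestricted"
  fi
}

# Derive the profile file name for a binary path the same way the page's sed
# expression does: drop the leading "/", turn every remaining "/" into ".".
profile_name_for() {
  echo "$1" | sed -e 's@^/@@' -e 's@/@.@g'
}

# Probe: can this (unconfined) shell create a user namespace at all?
# Returns 2 if unshare is not installed, 1 if the kernel refuses, 0 on success.
can_create_userns() {
  command -v unshare >/dev/null 2>&1 || return 2
  unshare --user true 2>/dev/null
}

# Stand-alone demo against the live host.
profile="/etc/apparmor.d/$(profile_name_for "$HOME/bin/rootlesskit")"
echo "unprivileged userns restriction: $(userns_restriction_state)"
echo "expected rootlesskit profile path: $profile"
if [ -r "$profile" ]; then
  echo "rootlesskit profile is installed"
else
  echo "rootlesskit profile not found (only needed when the restriction is active)"
fi
if can_create_userns; then
  echo "this shell can create a user namespace"
else
  echo "this shell cannot create a user namespace (or unshare is missing)"
fi
```

Note that the `unshare` probe tests the calling shell, which is not confined by the `rootlesskit` profile; a successful probe means the kernel allows unprivileged user namespaces in general, while a failure with the state reported as `restricted` is exactly the situation the profile above exists to handle.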
{{< /tab >}}
{{< tab name="Debian GNU/Linux" >}}
- Install `dbus-user-session` package if not installed. Run `sudo apt-get install -y dbus-user-session` and relogin.
- For Debian 11, installing `fuse-overlayfs` is recommended. Run `sudo apt-get install -y fuse-overlayfs`.
This step is not required on Debian 12.
- Rootless Docker requires `slirp4netns` newer than `v0.4.0` (unless `vpnkit` is installed).