{{< /tab >}}
{{< /tabs >}}
See [Troubleshooting](#troubleshooting) if you encounter an error.
## Uninstall
To remove the systemd service of the Docker daemon, run `dockerd-rootless-setuptool.sh uninstall`:
```console
$ dockerd-rootless-setuptool.sh uninstall
+ systemctl --user stop docker.service
+ systemctl --user disable docker.service
Removed /home/testuser/.config/systemd/user/default.target.wants/docker.service.
[INFO] Uninstalled docker.service
[INFO] This uninstallation tool does NOT remove Docker binaries and data.
[INFO] To remove data, run: `/usr/bin/rootlesskit rm -rf /home/testuser/.local/share/docker`
```
Unset the `PATH` and `DOCKER_HOST` environment variables if you added them to `~/.bashrc`.
To remove the data directory, run `rootlesskit rm -rf ~/.local/share/docker`.
To remove the binaries, remove the `docker-ce-rootless-extras` package if you installed Docker with a package manager.
If you installed Docker with https://get.docker.com/rootless ([Install without packages](#install)),
remove the binary files under `~/bin`:
```console
$ cd ~/bin
$ rm -f containerd containerd-shim containerd-shim-runc-v2 ctr docker docker-init docker-proxy dockerd dockerd-rootless-setuptool.sh dockerd-rootless.sh rootlesskit rootlesskit-docker-proxy runc vpnkit
```
## Usage
### Daemon
{{< tabs >}}
{{< tab name="With systemd (Highly recommended)" >}}
The systemd unit file is installed as `~/.config/systemd/user/docker.service`.
Use `systemctl --user` to manage the lifecycle of the daemon:
```console
$ systemctl --user start docker
```
To launch the daemon on system startup, enable the systemd service and lingering:
```console
$ systemctl --user enable docker
$ sudo loginctl enable-linger $(whoami)
```
Starting Rootless Docker as a system-wide service (`/etc/systemd/system/docker.service`)
is not supported, even with the `User=` directive.
{{< /tab >}}
{{< tab name="Without systemd" >}}
To run the daemon directly without systemd, you need to run `dockerd-rootless.sh` instead of `dockerd`.
The following environment variables must be set:
- `$HOME`: the home directory
- `$XDG_RUNTIME_DIR`: an ephemeral directory that is only accessible by the expected user, e.g., `~/.docker/run`.
  The directory should be removed on every host shutdown.
  The directory can be on tmpfs, but it should not be under `/tmp`.
  Locating this directory under `/tmp` might make it vulnerable to a TOCTOU attack.
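
One way to enforce the `$XDG_RUNTIME_DIR` requirements above before launching `dockerd-rootless.sh`; this is an added example, not part of the Docker documentation. `check_runtime_dir` is a hypothetical helper name, and the mode check assumes Linux `stat -c`.

```shell
#!/bin/sh
# Added example (not from the Docker docs): pre-flight check for the
# directory that will be used as $XDG_RUNTIME_DIR by dockerd-rootless.sh.
# check_runtime_dir is a hypothetical helper; assumes Linux `stat -c`.
# Return codes: 0 ok, 1 missing, 2 wrong owner, 3 loose mode, 4 under /tmp.
check_runtime_dir() {
    dir=$1
    if [ -z "$dir" ] || [ ! -d "$dir" ]; then
        echo "runtime dir '$dir' is unset or not a directory" >&2
        return 1
    fi
    # Resolve symlinks so every check applies to the real location.
    real=$(cd -P "$dir" 2>/dev/null && pwd -P) || return 1
    tmp_real=$(cd -P /tmp 2>/dev/null && pwd -P) || tmp_real=/tmp

    # Must be owned by the user who will run the daemon.
    if [ ! -O "$real" ]; then
        echo "$real is not owned by uid $(id -u)" >&2
        return 2
    fi
    # No group/other bits: "only accessible by the expected user".
    mode=$(stat -c '%a' "$real")
    if [ $(( 0$mode & 077 )) -ne 0 ]; then
        echo "$real has mode $mode; expected 700" >&2
        return 3
    fi
    # These checks are point-in-time, so a location under world-writable
    # /tmp is rejected outright rather than trusted after inspection.
    case "$real/" in
        "$tmp_real"/*)
            echo "$real is under /tmp" >&2
            return 4 ;;
    esac
    return 0
}

# Usage (assumes the caller has already exported XDG_RUNTIME_DIR):
#   check_runtime_dir "$XDG_RUNTIME_DIR" && exec dockerd-rootless.sh
```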
{{< /tab >}}
{{< /tabs >}}
Remarks about directory paths:
- The socket path is set to `$XDG_RUNTIME_DIR/docker.sock` by default.
  `$XDG_RUNTIME_DIR` is typically set to `/run/user/$UID`.
- The data dir is set to `~/.local/share/docker` by default.
  The data dir should not be on NFS.
- The daemon config dir is set to `~/.config/docker` by default.
  This directory is different from `~/.docker` that is used by the client.
### Client
You need to specify either the socket path or the CLI context explicitly.
To specify the socket path using `$DOCKER_HOST`:
```console
$ export DOCKER_HOST=unix://$XDG_RUNTIME_DIR/docker.sock
$ docker run -d -p 8080:80 nginx
```
To specify the CLI context using `docker context`:
```console
$ docker context use rootless
rootless
Current context is now "rootless"
$ docker run -d -p 8080:80 nginx
```
## Best practices
### Rootless Docker in Docker
To run Rootless Docker inside "rootful" Docker, use the `docker:<version>-dind-rootless`
image instead of `docker:<version>-dind`.
```console
$ docker run -d --name dind-rootless --privileged docker:25.0-dind-rootless
```
The `docker:<version>-dind-rootless` image runs as a non-root user (UID 1000).
However, `--privileged` is required for disabling seccomp, AppArmor, and mount
masks.
### Expose Docker API socket through TCP
To expose the Docker API socket through TCP, you need to launch `dockerd-rootless.sh`
with `DOCKERD_ROOTLESS_ROOTLESSKIT_FLAGS="-p 0.0.0.0:2376:2376/tcp"`.
```console
$ DOCKERD_ROOTLESS_ROOTLESSKIT_FLAGS="-p 0.0.0.0:2376:2376/tcp" \
dockerd-rootless.sh \