BlogLinux & scripting

Rootless Docker and why containers shouldn't run as root

Run the Docker daemon and your containers as a non-root user so a container escape lands unprivileged, plus the subuid, cgroups, and storage gotchas.

Oct 7, 2025·9 min readIntermediate

By default the Docker daemon runs as root, and so does PID 1 in most containers. An escape from a root container often means root on the host. Rootless mode runs the daemon and your containers as an unprivileged user, so the worst case is a normal user — not the box.

bash — confirm rootlesslive
docker info -f "{{.SecurityOptions}}"
[name=rootless name=seccomp,profile=builtin]
daemon and containers run as your UID, not root

Why it matters

On a container escape
Rootful
PID 1 is root
maps to host root
escape = host root
device access
Rootless
PID 1 is your UID
user namespaces
escape = normal user
no device access

Do not run as root inside either way

Rootless daemon or not, set a non-root user in the image. Defense in depth is cheap here.

Dockerfile
RUN adduser -D -u 10001 app
USER 10001
# and in Kubernetes:
# securityContext: { runAsNonRoot: true, runAsUser: 10001 }
Ports below 1024 need a nudge
A rootless daemon cannot bind privileged ports by default. Publish to a high port and front it with a reverse proxy, or set net.ipv4.ip_unprivileged_port_start.
Go deeper in a courseAdvanced container securityRootless, user namespaces, capabilities, and seccomp.View course

Related posts