Originally published on kuryzhev.cloud

Your Docker containers are running as root on the host right now — and most teams don't realize a single container escape hands an attacker full system access. Rootless Docker security isn't a nice-to-have in 2024; it's the baseline you should have set up the moment you moved past local development. This checklist covers every step from installation through verification, including the three things that almost every team misses on their first production rollout.

Why This Checklist Exists

The default Docker daemon runs as root. That means the Docker socket at /var/run/docker.sock is owned by root, and any process — or container — that can reach it effectively has root on the host. Container escape CVEs like CVE-2019-5736 (runc) and CVE-2024-21626 work precisely because of this ownership model. The attack surface isn't theoretical; it shows up in real penetration tests every week.

Rootless mode flips the model. Docker Engine 20.10.0 (released December 2020) made rootless stable — no more --experimental flag, no more excuses. In rootless mode, the daemon runs as an unprivileged user. UID 0 inside the container maps to your unprivileged host UID via Linux user namespaces. A successful container escape lands you as nobody on the host, not as root. The blast radius shrinks dramatically.