Description
I've been trying to run rootless Docker using the rootlesskit host network driver to avoid the overhead of the other drivers, but I couldn't find a way to make it work.
The first issue I encountered is that when setting only the env var DOCKERD_ROOTLESS_ROOTLESSKIT_NET=host, the dockerd-rootless script still passes the port driver argument to rootlesskit which in turn fails to start (error: port driver requires non-host network), but I could easily work around that by setting the env var DOCKERD_ROOTLESS_ROOTLESSKIT_PORT_DRIVER to none.
The second issue - which I wasn't able to overcome - is that when both the env vars above are correctly set, the rootless Docker daemon fails to start with the following error:
INFO[2025-10-31T12:28:24.789333322+01:00] stopping event stream following graceful shutdown error="<nil>" module=libcontainerd namespace=moby
INFO[2025-10-31T12:28:24.789644275+01:00] stopping healthcheck following graceful shutdown module=libcontainerd
INFO[2025-10-31T12:28:24.789699959+01:00] stopping event stream following graceful shutdown error="context canceled" module=libcontainerd namespace=plugins.moby
failed to start daemon: Error initializing network controller: error obtaining controller instance: failed to register "bridge" driver: failed to create NAT chain DOCKER: iptables failed: iptables --wait -t nat -N DOCKER: iptables v1.8.11 (nf_tables): Could not fetch rule set generation id: Permission denied (you must be root)
(exit status 4)
[rootlesskit:child ] error: command [/usr/bin/dockerd-rootless] exited: exit status 1
[rootlesskit:parent] error: child exited: exit status 1
Note that I don't get any errors when running Docker as root or when running it rootless with the default network/port driver.
Reproduce
In a non-root user session:
$ export DOCKER_HOST=unix:///run/user/1000/docker.sock
$ export DOCKERD_ROOTLESS_ROOTLESSKIT_NET=host
$ export DOCKERD_ROOTLESS_ROOTLESSKIT_PORT_DRIVER=none
$ dockerd-rootless
Expected behavior
The Docker daemon should start in rootless mode without any issues when using the rootlesskit host network driver.
docker version
Client:
 Version:           28.3.3
 API version:       1.51
 Go version:        go1.24.8
 Git commit:        980b85681696fbd95927fd8ded8f6d91bdca95b0
 Built:             Sun Oct 12 08:01:14 2025
 OS/Arch:           linux/amd64
 Context:           default

Server:
 Engine:
  Version:          28.3.3
  API version:      1.51 (minimum version 1.24)
  Go version:       go1.24.8
  Git commit:       bea959c7b793b32a893820b97c4eadc7c87fabb0
  Built:            Sun Oct 12 08:01:14 2025
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          v2.1.3
  GitCommit:        c787fb98911740dd3ff2d0e45ce88cdf01410486
 runc:
  Version:          1.3.0
  GitCommit:        4ca628d1d4c974f92d24daccb901aa078aad748e
 docker-init:
  Version:          0.19.0
  GitCommit:
 rootlesskit:
  Version:          2.3.5
  ApiVersion:       1.1.1
  NetworkDriver:    slirp4netns
  PortDriver:       builtin
  StateDir:         /run/user/1000/dockerd-rootless
 slirp4netns:
  Version:          1.3.1
  GitCommit:        e5e368c4f5db6ae75c2fce786e31eef9da6bf236
docker info
Client:
 Version:    28.3.3
 Context:    default
 Debug Mode: false
 Plugins:
  buildx: Docker Buildx (Docker Inc.)
    Version:  v0.24.0
    Path:     /usr/libexec/docker/cli-plugins/docker-buildx

Server:
 Containers: 2
  Running: 0
  Paused: 0
  Stopped: 2
 Images: 1
 Server Version: 28.3.3
 Storage Driver: overlay2
  Backing Filesystem: extfs
  Supports d_type: true
  Using metacopy: false
  Native Overlay Diff: true
  userxattr: true
 Logging Driver: json-file
 Cgroup Driver: none
 Cgroup Version: 2
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local splunk syslog
 CDI spec directories:
  /etc/cdi
  /var/run/cdi
 Swarm: inactive
 Runtimes: runc io.containerd.runc.v2
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: c787fb98911740dd3ff2d0e45ce88cdf01410486
 runc version: 4ca628d1d4c974f92d24daccb901aa078aad748e
 init version:
 Security Options:
  seccomp
   Profile: builtin
  rootless
  cgroupns
 Kernel Version: 6.12.53-0-virt
 Operating System: Alpine Linux v3.22
 OSType: linux
 Architecture: x86_64
 CPUs: 8
 Total Memory: 7.765GiB
 Name: cloud
 ID: a15971cf-9c64-4860-9e61-4b35f9365595
 Docker Root Dir: /home/cloud/.local/share/docker
 Debug Mode: false
 Experimental: false
 Insecure Registries:
  ::1/128
  127.0.0.0/8
 Live Restore Enabled: false

WARNING: Running in rootless-mode without cgroups. Systemd is required to enable cgroups in rootless-mode.
Additional Info
I'm running Alpine Linux 3.22 and Docker rootless was configured following the docs in the Alpine wiki.
docker info and docker version output was obtained by running rootless Docker with the default rootlesskit network/port driver.
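A preflight check for the two failure modes described in this report, written as an added example rather than taken from the issue or from the dockerd-rootless script. It reads the same DOCKERD_ROOTLESS_ROOTLESSKIT_NET / DOCKERD_ROOTLESS_ROOTLESSKIT_PORT_DRIVER variables; the default values (slirp4netns, builtin) are taken from the docker version output above, and the function and return-code names are this example's own.

```shell
#!/bin/sh
# check_rootlesskit_env NET PORT_DRIVER
# Returns 0 when the combination is consistent,
#         1 when rootlesskit itself refuses it (first failure in the report),
#         2 when NET=host is accepted by rootlesskit but dockerd will still
#           try to create the DOCKER chain in the host nat table, which
#           needs root (second failure in the report).
check_rootlesskit_env() {
    net="${1:-slirp4netns}"      # dockerd-rootless default network driver
    port_driver="${2:-builtin}"  # dockerd-rootless default port driver

    if [ "$net" = "host" ] && [ "$port_driver" != "none" ]; then
        echo "error: NET=host requires PORT_DRIVER=none" \
             "(rootlesskit: port driver requires non-host network)" >&2
        return 1
    fi

    if [ "$net" = "host" ]; then
        # Host network namespace: the bridge driver runs iptables against
        # the host's nat table, which the unprivileged user cannot modify.
        echo "warning: NET=host: dockerd bridge driver needs root to create" \
             "the DOCKER nat chain (see 'Permission denied (you must be root)')" >&2
        return 2
    fi
    return 0
}

# can_list_nat_table: 0 if the current user may read the host nat table,
# non-zero otherwise; 3 when iptables is not installed (check skipped).
can_list_nat_table() {
    command -v iptables >/dev/null 2>&1 || return 3
    iptables --wait -t nat -L -n >/dev/null 2>&1
}

# Usage from a non-root shell, mirroring the Reproduce section:
#   DOCKERD_ROOTLESS_ROOTLESSKIT_NET=host \
#   DOCKERD_ROOTLESS_ROOTLESSKIT_PORT_DRIVER=none \
#   sh -c '. ./preflight.sh; check_rootlesskit_env \
#          "$DOCKERD_ROOTLESS_ROOTLESSKIT_NET" \
#          "$DOCKERD_ROOTLESS_ROOTLESSKIT_PORT_DRIVER"; echo rc=$?'
```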