Quick one-liner: Install Docker in rootless mode on SLES 15/16 using openSUSE repositories — no root privileges required for daily container operations.
Why This Matters
When I first started with Docker, I ran everything as root. It was easy, it worked, and I didn't think twice about it. Then I learned that a container escape vulnerability could give an attacker full root access to my entire system. That's when I switched to rootless Docker — and you should too.
Rootless Docker runs the Docker daemon entirely under your regular user account. No sudo required. No root privileges for container operations. If a container gets compromised, the attacker is stuck with your user's permissions — not root.
Why SLES? This guide was written based on community votes. Docker CE doesn't publish official packages for SLES. Instead, we use the openSUSE Virtualization:containers and security:netfilter repositories, which provide packages that work perfectly on SLES.
Prerequisites
- Operating System: SUSE Linux Enterprise Server (SLES) 15 or 16
- Disk Space: At least 20 GB free in your home directory (check with df -h ~)
- Time: 15-20 minutes
- Access: Sudo privileges for initial installation only
- Repositories: Access to openSUSE repositories (default on most SLES installations)
Step 1: Remove Old Docker Packages
Before installing Docker from the openSUSE repositories, remove any conflicting packages from your distribution's default repos:
sudo zypper remove docker docker-client docker-client-latest \
docker-common docker-latest docker-latest-logrotate \
docker-logrotate docker-engine podman runc
This ensures a clean starting point and prevents package conflicts.
Step 2: Add openSUSE Repositories
Docker CE doesn't publish official packages for SLES. Instead, we use the openSUSE repositories, which maintain up-to-date Docker packages that install on SLES.
Add the Virtualization:containers repository:
For SLES 16:
sudo zypper addrepo \
https://download.opensuse.org/repositories/\
Virtualization:/containers/16.0/\
Virtualization:containers.repo
For SLES 15.x (use this instead):
sudo zypper addrepo \
https://download.opensuse.org/repositories/\
Virtualization:/containers/15.7/\
Virtualization:containers.repo
Add the security:netfilter repository (required for rootless extras):
For SLES 16:
sudo zypper addrepo \
https://download.opensuse.org/repositories/\
security:netfilter/16.0/\
security:netfilter.repo
For SLES 15.x (use this instead):
sudo zypper addrepo \
https://download.opensuse.org/repositories/\
security:netfilter/15.7/\
security:netfilter.repo
Refresh the repositories:
sudo zypper refresh
Browse available versions: If you're using a different SLES version, browse the available releases at:
• https://download.opensuse.org/repositories/Virtualization:/containers/
• https://download.opensuse.org/repositories/security:netfilter/
Step 3: Install Docker Rootless
Install the docker-stable-rootless-extras package. This pulls in docker-stable and all other required dependencies automatically:
sudo zypper install -y docker-stable-rootless-extras
What gets installed:
- docker-stable — The Docker daemon and CLI
- docker-stable-rootless-extras — Rootless mode support files
- All required dependencies (containerd, runc, etc.)
Note: Unlike Docker CE packages, the openSUSE docker-stable package does not include the Docker Compose plugin. We'll install that separately in the next step.
Step 4: Install Docker Compose (Optional but Recommended)
The docker-stable package doesn't include Docker Compose. Install it separately and register it as a CLI plugin to use the modern docker compose command (v2 syntax).
Install docker-compose:
sudo zypper install -y docker-compose
Register as a Docker CLI plugin:
mkdir -p ~/.docker/cli-plugins
ln -sf /usr/bin/docker-compose ~/.docker/cli-plugins/docker-compose
Verify the plugin works:
docker compose version
You should see the Docker Compose version (e.g., Docker Compose version v2.x.x).
Why this matters: The symlink makes docker compose (without hyphen) available as a Docker CLI plugin. This is the modern v2 syntax used throughout this guide and in Docker Compose files.
Step 5: Set Up Rootless Docker
Here's where rootless mode actually gets enabled. From this point on, no sudo is required.
First, disable the system-wide Docker daemon:
sudo systemctl disable --now docker.service docker.socket
Now run the rootless setup script as your regular user:
dockerd-rootless-setuptool.sh install
You should see output ending with:
[INFO] Installed docker.service successfully.
[INFO] To control docker.service, run: `systemctl --user (start|stop|restart) docker.service`
[INFO] To run docker.service on system startup, run: `sudo loginctl enable-linger [username]`
Enable your user's Docker service to start automatically on boot:
systemctl --user enable --now docker
Enable lingering so your user services start at boot even without a login session:
sudo loginctl enable-linger [username]
Replace [username] with your actual username.
Verification
Here's how to confirm everything worked:
Switch to rootless context:
docker context use rootless
Test with a real container (jq demo):
Instead of the usual hello-world, let's verify with something useful. I've got a JSON file — sample.json. Normally you'd need to install jq to parse it. But with Docker, the tool comes with the container:
cat sample.json | docker run --rm -i stedolan/jq '.'
First time, you'll see:
Unable to find image 'stedolan/jq:latest' locally
Downloaded newer image for stedolan/jq:latest
Then the output — beautifully formatted JSON:
{
"name": "David",
"company": "Transcend Solutions",
"role": "DevOps Engineer",
"skills": ["Docker", "Kubernetes", "Linux"],
"location": "Singapore",
"experience_years": 15
}
No installation. No sudo. Same command on any system with Docker.
Confirm rootless mode:
docker info 2>&1 | grep "rootless"
Expected output: rootless
Check your context:
docker context show
Expected output: rootless
Verify data directory:
docker info 2>&1 | grep "Docker Root Dir"
Rootless Docker stores everything under your home directory:
Docker Root Dir: /home/youruser/.local/share/docker
(Instead of /var/lib/docker for system Docker)
List running containers:
docker ps
This shows an empty table (no containers running yet):
CONTAINER IMAGE COMMAND CREATED STATUS PORTS NAMES
Verify Docker starts at boot:
systemctl --user status docker
You should see "active (running)" and "enabled".
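An added example, not part of the original guide: the rootless, data-directory and context checks above as one script that fails when the CLI is still talking to a root-owned daemon. The helper name check_rootless and the two docker info excerpts are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the original guide): audit captured `docker info`
# output and the active context for the rootless properties verified above.

# Constructed sample inputs, trimmed to the fields the checks read.
SAMPLE_ROOTLESS=' Security Options:
  seccomp
   Profile: builtin
  rootless
 Docker Root Dir: /home/youruser/.local/share/docker'
SAMPLE_ROOTFUL=' Security Options:
  seccomp
   Profile: builtin
 Docker Root Dir: /var/lib/docker'

# check_rootless INFO_TEXT HOME_DIR CONTEXT_NAME  (hypothetical helper)
# Prints one PASS/FAIL line per check; returns 0 only if all three pass.
check_rootless() {
    local info="$1" home="$2" ctx="$3" rc=0 root_dir

    # Match "rootless" as a whole line (a Security Options entry). A bare
    # `grep rootless` also matches paths or warnings that contain the word.
    if printf '%s\n' "$info" | grep -Eq '^[[:space:]]*rootless[[:space:]]*$'; then
        echo "PASS daemon reports rootless"
    else
        echo "FAIL daemon is not rootless"; rc=1
    fi

    # The data directory must sit under the user's home, not /var/lib/docker.
    root_dir=$(printf '%s\n' "$info" |
        sed -n 's/^[[:space:]]*Docker Root Dir:[[:space:]]*//p')
    case "$root_dir" in
        "$home"/*) echo "PASS data dir $root_dir" ;;
        *) echo "FAIL data dir '${root_dir:-unknown}' is outside $home"; rc=1 ;;
    esac

    # The CLI must target the rootless context, or commands go elsewhere.
    if [ "$ctx" = rootless ]; then
        echo "PASS context is rootless"
    else
        echo "FAIL context is '$ctx'"; rc=1
    fi
    return "$rc"
}

# Live use: check_rootless "$(docker info 2>&1)" "$HOME" "$(docker context show)"
check_rootless "$SAMPLE_ROOTLESS" /home/youruser rootless
check_rootless "$SAMPLE_ROOTFUL" /home/youruser default || true
```

The non-zero return status makes the function usable as a gate in a login script or provisioning check.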
Rootless Limitations to Know
Running Docker in rootless mode has a few trade-offs:
| Limitation | Impact | Workaround |
|---|---|---|
| No ports below 1024 | Can't bind to ports 80, 443 directly | Use a rootful reverse proxy |
| Storage in home directory | Images/volumes use ~/.local/share/docker | Ensure adequate home directory space |
| No ping from containers | ICMP requires root privileges | Use curl or wget for connectivity tests |
These are minor trade-offs for the significant security benefit of never running the Docker daemon as root.
What's Next
Now that you have a secure rootless Docker environment on SLES, you're ready to:
- Pull and run your first containers
- Learn about Docker volumes for persistent data
- Set up multi-container applications with Docker Compose
Prefer a different distro? I also wrote about the Ubuntu version last week.
For more deep dives on Docker, check out "Levelling Up with Docker" — 14 chapters of practical guides covering volumes, networking, Compose, production deployments, and more.
Found this helpful? Share it with someone who's learning Docker!
