Can I self host in rootless docker?

As per title.

Have tried it but get permission errors. Before I continue to spend time on this, I’d like to know, if it is possible at all.

Thanks

I looked into this some time ago but never quite put enough time into it to get it working. According to the documentation, though, it should be possible:

We recommend configuring your Linux server with a dedicated bitwarden service account, from which to install and run Bitwarden. Doing so will isolate your Bitwarden instance from other applications running on your server.

These steps are Bitwarden-recommended best practices, but are not required. For more information, see Docker’s Post-installation steps for Linux documentation.

Thanks. This is how I ended up setting Bitwarden up for the time being.

However, this guide does not use rootless docker but a normal rootful docker. And while the user account bitwarden is not added to the sudoers group, it is added to the docker group which confers similar powers.

What I am hoping for is info on whether I can get Bitwarden to work in a rootless docker install (where you install docker not as root and without sudo).

You are correct the official guide does not detail this and only shows basic docker install steps.

The note in the Official guide that I quoted references the Docker documentation for implementing docker in rootless mode.

This should resolve your concern:

Manage Docker as a non-root user

The Docker daemon binds to a Unix socket instead of a TCP port. By default that Unix socket is owned by the user root and other users can only access it using sudo. The Docker daemon always runs as the root user.

If you don’t want to preface the docker command with sudo, create a Unix group called docker and add users to it. When the Docker daemon starts, it creates a Unix socket accessible by members of the docker group.

Warning

The docker group grants privileges equivalent to the root user. For details on how this impacts security in your system, see Docker Daemon Attack Surface.

Note:

To run Docker without root privileges, see Run the Docker daemon as a non-root user (Rootless mode).

For more see

Rootless mode allows running the Docker daemon and containers as a non-root user to mitigate potential vulnerabilities in the daemon and the container runtime.

Rootless mode does not require root privileges even during the installation of the Docker daemon, as long as the prerequisites are met.

Rootless mode was introduced in Docker Engine v19.03 as an experimental feature. Rootless mode graduated from experimental in Docker Engine v20.10.

How it works

Rootless mode executes the Docker daemon and containers inside a user namespace. This is very similar to userns-remap mode, except that with userns-remap mode, the daemon itself is running with root privileges, whereas in rootless mode, both the daemon and the container are running without root privileges.

Rootless mode does not use binaries with SETUID bits or file capabilities, except newuidmap and newgidmap, which are needed to allow multiple UIDs/GIDs to be used in the user namespace.

You should install and set up Docker in rootless mode prior to your Bitwarden install rather than installing Docker as root. Once that is confirmed working, Bitwarden should be able to install. The one thing I may see as an issue would be that rootless Docker (any non-root user) cannot bind to privileged ports <1024, as Bitwarden uses ports 80 and 443 for Let's Encrypt and nginx. These would need to be exposed, or a manual Docker install done with your own valid SSL certificate and reverse proxy.
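A pre-flight check for the three points raised in this thread (is the daemon actually rootless rather than rootful-plus-docker-group, does the service user have the subordinate UID range a user namespace needs, and can the daemon bind 80/443 at all). This is an added example, not code from the thread, from Bitwarden or from Docker. The sample inputs at the bottom are constructed; on a real host you would feed it the output of `docker info --format '{{.SecurityOptions}}'`, the contents of `/etc/subuid`, and `sysctl -n net.ipv4.ip_unprivileged_port_start`. The two remediations it prints for privileged ports are the ones Docker's rootless-mode documentation gives (lowering `ip_unprivileged_port_start`, or setting `cap_net_bind_service` on the `rootlesskit` binary); the 65,536-UID minimum is also from that documentation.

```shell
#!/bin/sh
# Added example (not from the thread, Bitwarden or Docker): offline checks for
# a rootless-Docker host before attempting the Bitwarden installer. Every
# check takes its input as a string so it can run against captured output.

# 1. Is the daemon rootless? `docker info --format '{{.SecurityOptions}}'`
#    lists "name=rootless" only for a rootless daemon. A rootful daemon driven
#    by a member of the docker group never reports it, whoever runs the CLI.
is_rootless_daemon() {   # $1 = SecurityOptions string
    case "$1" in
        *name=rootless*) return 0 ;;
        *) return 1 ;;
    esac
}

# 2. Does the service user own enough subordinate UIDs for the user namespace?
#    newuidmap/newgidmap (quoted above) consume these; Docker's rootless docs
#    require at least 65536. Run the same check against /etc/subgid.
subuid_range_ok() {   # $1 = user, $2 = contents of /etc/subuid
    total=0
    while IFS=: read -r name _start count; do
        [ "$name" = "$1" ] && total=$((total + count))
    done <<EOF
$2
EOF
    [ "$total" -ge 65536 ]
}

# 3. Can an unprivileged daemon bind the port? The kernel allows non-root
#    binds only for ports >= net.ipv4.ip_unprivileged_port_start (default 1024).
port_bindable_unprivileged() {   # $1 = port, $2 = ip_unprivileged_port_start
    [ "$1" -ge "$2" ]
}

# Runs all checks, prints a report, returns 0 only if everything passed.
rootless_preflight() {   # user subuid_contents secopts port_start port...
    user=$1; subuid=$2; secopts=$3; start=$4; shift 4
    rc=0
    if is_rootless_daemon "$secopts"; then
        echo "ok:   daemon reports name=rootless"
    else
        echo "FAIL: daemon is rootful; docker-group access is not rootless mode"; rc=1
    fi
    if subuid_range_ok "$user" "$subuid"; then
        echo "ok:   $user has >= 65536 subordinate UIDs"
    else
        echo "FAIL: $user needs >= 65536 subordinate UIDs in /etc/subuid"; rc=1
    fi
    for p in "$@"; do
        if port_bindable_unprivileged "$p" "$start"; then
            echo "ok:   port $p is bindable without root"
        else
            echo "FAIL: port $p < ip_unprivileged_port_start ($start); either"
            echo "      sysctl -w net.ipv4.ip_unprivileged_port_start=0, or"
            echo "      setcap cap_net_bind_service=ep \$(command -v rootlesskit) and restart the daemon"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample inputs (not captured from a real host). The daemon is
# rootless and the subuid range is fine, but the default port floor blocks
# 80 and 443, which is exactly the failure the thread describes.
SAMPLE_USER=bitwarden
SAMPLE_SUBUID='root:100000:65536
bitwarden:165536:65536'
SAMPLE_SECOPTS='[name=seccomp,profile=builtin name=rootless name=cgroupns]'
SAMPLE_PORT_START=1024

if rootless_preflight "$SAMPLE_USER" "$SAMPLE_SUBUID" "$SAMPLE_SECOPTS" "$SAMPLE_PORT_START" 80 443; then
    echo "host is ready for a rootless Bitwarden install"
else
    echo "fix the FAIL lines above before running the installer"
fi
```

Re-run it with `SAMPLE_PORT_START=0` (or the real sysctl value after applying either remediation) and all checks pass; the port check is the only one a correct rootless setup fails by default, which is why a rootless daemon that otherwise works still cannot publish 80 and 443 for the Bitwarden installer.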

But I am afraid that managing Docker as a non-root user (who has to be a member of the docker group) is not the same as running rootless Docker. As I said, and as the guide you quote above explains:

So installing rootful docker and managing it from a non-root user that is a member of the docker group does not mitigate the risk in my view.

The only way is to install rootless docker which I have done many times for other self hosted apps - so getting this working is not the issue. But in a rootless docker I am not able to get Bitwarden working due to privilege issues (as per my original post).

Today I got the confirmation of this from one of the developers on GitHub :frowning:

But thank you for taking the time to help me!

Sorry if I wasn’t clear, you are correct the post-install steps linked in the official Bitwarden install guide and the Docker documentation are for adding a service user to the docker group in rootful mode.

The secondary article was for installing docker in rootless mode but it sounds as though this is something you are already familiar with.

I’d be curious to know what the errors were for the permission issues, but glad to know you got an official response from the team that it is not yet supported.

As mentioned, I've looked into it and explored it a bit but have not had the chance to fully evaluate whether it is possible.
Hopefully this is something that can be made available; glad to help where I can.
-Cheers :slight_smile: