Rootless Docker Setup

Hi,

is there a way to run the Ghost server, database, ActivityPub, and analytics containers as rootless? I’m a little concerned about having this much code running as root, since an exploit of any of these components could result in a complete compromise of my system. I’m especially concerned since the Docker versions of Ghost have repeatedly been left without updates for security vulnerabilities.

I’m willing to set everything up from scratch if it means I can run Ghost and its associated services rootless. Is running Ghost in rootless containers supported?

URL: https://quinndunlap.com (behind HTTP auth while under construction)
Version: v6.21.2

  • Only modification to the default Docker deployment is that I commented out the lines associated with Caddy, since I already had a different reverse proxy set up.
  • Base OS is Arch Linux, using Docker version 29.3.0, build 5927d80c76, Docker Compose version 5.1.0.

Thank you, I appreciate any help.


Ghost team is working on an official docker image which will run rootless. I think they will announce it when they think it’s ready. Here is the current version: Ghost/Dockerfile.production at main · TryGhost/Ghost · GitHub

Thank you, is there anywhere I can subscribe to (like a GitHub issue) to track the progress on this?

@ngeorger has created an alternate Docker image that runs as a “nonroot” user that I’m using.

Work is in progress to automate building new packages when Ghost makes a new release, like Docker Hub does.

Regarding the database, you can run any compatible MySQL container you like.

The analytics and ActivityPub containers I haven’t looked at.

For the analytics container, I don’t see a USER directive, but you could try using the --user flag to force a non-root user:

I don’t see a USER directive in the ActivityPub Dockerfile either:

You could also try running that with the --user flag. As those both appear to be Node.js web servers, I see no reason why they couldn’t run rootless.

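To make the --user suggestion above concrete, here is an added example (not code from this thread or from the Ghost project) that does two things: it audits which running containers still have a root process, and it emits a docker-compose.override.yml that forces a non-root UID:GID on the services that lack a USER directive. The service names "analytics" and "activitypub" and the UID/GID 1000 are assumptions; check the names in your own docker-compose.yml and pick a host user that owns the bind-mounted data directories.

```shell
#!/bin/sh
# Added example, not code from the thread or the Ghost project.
# Assumptions: the compose services are named "analytics" and "activitypub"
# (hypothetical names; check your docker-compose.yml) and UID/GID 1000 exists
# on the host and owns the bind-mounted data directories.
set -eu

# Emit a docker-compose override that forces a non-root UID:GID on each named
# service and removes the usual ways of getting root back inside the container.
# Saved as docker-compose.override.yml, compose merges it over the base file.
write_override() {
  uid="$1"; gid="$2"; shift 2
  printf 'services:\n'
  for svc in "$@"; do
    printf '  %s:\n' "$svc"
    printf '    user: "%s:%s"\n' "$uid" "$gid"
    printf '    cap_drop:\n      - ALL\n'
    printf '    security_opt:\n      - no-new-privileges:true\n'
  done
}

# Read "name<TAB>user" lines, as produced on a live host by
#   docker ps -q | xargs docker inspect --format '{{.Name}}{{"\t"}}{{.Config.User}}'
# and print the container names whose process still runs as root: an empty
# user (no USER directive and no --user), "root", or uid 0.
root_containers() {
  tab="$(printf '\t')"
  while IFS="$tab" read -r name user; do
    case "${user:-}" in
      ""|root|0|0:*|root:*) printf '%s\n' "${name#/}" ;;
    esac
  done
}

# Constructed sample of inspect output (not from a real host): ghost already
# runs as uid 1000, the other two have no user set or run as root.
SAMPLE_INSPECT="$(printf '/ghost\t1000:1000\n/analytics\t\n/activitypub\troot\n')"

# Example use: list the offenders, then generate an override covering them.
printf '%s\n' "$SAMPLE_INSPECT" | root_containers
write_override 1000 1000 analytics activitypub
```

Two caveats when applying this to an image that was never built to run unprivileged: the entrypoint may try to write into root-owned paths inside the image or the volume, so chown the mounted data directories to the chosen UID and watch "docker logs" for EACCES errors on first start; and --user only changes the in-container identity, so it complements rather than replaces rootless Docker, which additionally maps whatever is uid 0 in the container to an unprivileged user on the host.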

For the original question: as a complement to @markstos’s detailed answer, I also suggest running Docker itself in rootless mode. More info in the Docker Docs, or consider Podman instead of Docker if you are willing to spend a little more time configuring/maintaining for the benefit of “native” or “out of the box” hardened features.

Thanks @markstos for your support with Ghost on Kubernetes


Thank you for all the suggestions. I will wait for the officially supported Docker Compose version to get a rootless version. I will take a look at Podman, but it seems that some of the other software I run doesn’t have official Podman support.

I’m a fan of Podman; it’s what I use myself to run Ghost. But systemd doesn’t support running Podman rootless if you try to run Podman as a rootful systemd service with a User= directive. There’s an extremely long thread about the problems and workarounds people have for that:

You can run Podman as a systemd user service, which has its own challenges for management.

But running the container with a --user= directive, or with a container that runs as a non-root user internally, as the Ghost-on-Kubernetes container does (and the official Ghost container reportedly will do), achieves a similar result: the Ghost process is not running as root.


I agree, and I felt a bit dumb when you shared your approach with systemd units because I never thought about that method before, and it’s pretty clever.
Often we forget that at the base, containers are chroots on steroids hahaha
