How to Run Kali Linux in Docker

Running Kali Linux in Docker

Tested on: Docker 27.x, kalilinux/kali-rolling — Last updated: July 2026

Kali's official Docker image is intentionally minimal — a bare Kali base with almost no tools preinstalled. That's the point: containers are meant to be disposable and purpose-built, not a full VM replacement. This is the fastest way to get a throwaway Kali shell for a quick tool run, but it's not a substitute for a full VM install when you need networking features like monitor mode or persistent state across sessions. For that, see Kali Linux: Install and First Steps.

Contents
  1. When Docker Makes Sense (and When It Doesn't)
  2. Prerequisites
  3. Step 1 — Pull the Official Image
  4. Step 2 — Run an Interactive Container
  5. Step 3 — Install the Tools You Need
  6. Step 4 — Persist Data With Volumes
  7. Step 5 — Build a Reusable Image
  8. Step 6 — Run GUI Tools With X11 Forwarding (Optional)
  9. Security Notes for Running Kali in a Container
  10. Running Kali in Docker on a Remote VPS
  11. Troubleshooting
    1. Network tools report permission errors inside the container
    2. GUI applications fail with "cannot open display"
    3. Installed tools disappear after restarting the container
    4. DNS resolution fails inside the container
    5. Container image is much larger than expected after installing tools
    6. Further Reading

When Docker Makes Sense (and When It Doesn't)

Use caseDockerVM
Quick single-tool run (sqlmap, nmap)Good fitOverkill
CI/CD pipeline security scanningGood fitNot practical
Wireless attacks (monitor mode)Won't work — no direct hardware accessRequired
Persistent lab environmentPossible with volumes, but awkwardNatural fit
GUI tools (Burp Suite, Wireshark)Possible via X11 forwarding, adds setupWorks out of the box

Prerequisites

  • Docker installed and running (docker --version to confirm)
  • At least 4 GB RAM available to the Docker daemon if you plan to install larger tool sets inside the container

Step 1 — Pull the Official Image

docker pull kalilinux/kali-rolling

This is Offensive Security's official rolling-release base image, updated alongside the main Kali repos.

Step 2 — Run an Interactive Container

docker run -it --rm kalilinux/kali-rolling /bin/bash

--rm deletes the container when you exit — nothing installed inside persists. Drop that flag if you want the container to stick around between sessions instead.

Step 3 — Install the Tools You Need

The base image ships with almost nothing. Install what the task requires:

apt update
apt install -y nmap sqlmap metasploit-framework

# Or pull in a full metapackage the same way you would on a VM install
apt install -y kali-tools-web

Step 4 — Persist Data With Volumes

Mount a host directory so scan results and generated files survive after the container exits:

mkdir -p ~/kali-workspace

docker run -it --rm \
  -v ~/kali-workspace:/root/workspace \
  kalilinux/kali-rolling /bin/bash

Anything written to /root/workspace inside the container lands in ~/kali-workspace on the host, outside the container's lifecycle.

Step 5 — Build a Reusable Image

For a container you'll spin up repeatedly with the same toolset preinstalled, write a Dockerfile instead of reinstalling packages every run:

cat > Dockerfile <<'EOF'
FROM kalilinux/kali-rolling
RUN apt update && apt install -y \
    nmap sqlmap nikto hydra john hashcat \
    metasploit-framework kali-tools-web
WORKDIR /root/workspace
CMD ["/bin/bash"]
EOF

docker build -t my-kali-toolbox .
docker run -it --rm -v ~/kali-workspace:/root/workspace my-kali-toolbox

Step 6 — Run GUI Tools With X11 Forwarding (Optional)

Tools like Burp Suite or Wireshark need a display. On Linux hosts, forward X11 into the container:

xhost +local:docker

docker run -it --rm \
  -e DISPLAY=$DISPLAY \
  -v /tmp/.X11-unix:/tmp/.X11-unix \
  kalilinux/kali-rolling /bin/bash

# Inside the container
apt install -y burpsuite
burpsuite &

This only works cleanly on Linux hosts. On macOS or Windows you'd need XQuartz or an X server plus additional network configuration — at that point a VM is usually less work.

Security Notes for Running Kali in a Container

Docker containers share the host kernel — they isolate processes and filesystems, not the kernel itself. That matters here because a container loaded with exploitation tooling has a different threat model than a container running a web app:

  • Don't run the container with --privileged unless you specifically need it (some wireless or raw-socket operations do) — it removes most of the isolation Docker provides.
  • Avoid exposing container ports to the network unless the tool you're running needs to be reachable. A listening Metasploit handler inside an unnecessarily exposed container is a real attack surface, not just a lab convenience.
  • Treat the container image itself as disposable and rebuild from the Dockerfile rather than patching a running container long-term — this keeps your toolset auditable and reproducible instead of drifting.

Running Kali in Docker on a Remote VPS

A common pattern for engagements is running Kali in Docker on a cloud VPS instead of locally — gives you a stable public IP for callback listeners, and the box stays up when your laptop doesn't. Any Debian/Ubuntu VPS with Docker installed works; see our Hetzner VPS setup guide for a walkthrough of provisioning the server itself, then follow the steps above once Docker is running on it. Lock down SSH access and firewall rules before pulling the Kali image — a fresh VPS running Metasploit listeners is not something you want reachable from the open internet.

Troubleshooting

Network tools report permission errors inside the container

Some network operations (raw sockets, packet capture) need extra capabilities Docker doesn't grant by default:

docker run -it --rm --cap-add=NET_ADMIN --cap-add=NET_RAW kalilinux/kali-rolling /bin/bash

GUI applications fail with "cannot open display"

xhost +local:docker

Installed tools disappear after restarting the container

You ran without --rm but started a fresh container instead of restarting the old one. List containers and restart the specific one instead of running a new instance:

docker ps -a
docker start -ai <container_id>

DNS resolution fails inside the container

Some hosts (especially corporate or VPN-connected networks) don't pass DNS through to Docker's default bridge network correctly:

docker run -it --rm --dns=1.1.1.1 kalilinux/kali-rolling /bin/bash

Container image is much larger than expected after installing tools

Layers accumulate with every RUN instruction in a Dockerfile. Combine install commands into a single RUN line and clean the apt cache in the same layer to keep image size down:

RUN apt update && apt install -y nmap sqlmap && \
    apt clean && rm -rf /var/lib/apt/lists/*

Go up