How to Run Kali Linux in Docker

Tested on: Docker 27.x, kalilinux/kali-rolling — Last updated: July 2026
Kali's official Docker image is intentionally minimal — a bare Kali base with almost no tools preinstalled. That's the point: containers are meant to be disposable and purpose-built, not a full VM replacement. This is the fastest way to get a throwaway Kali shell for a quick tool run, but it's not a substitute for a full VM install when you need networking features like monitor mode or persistent state across sessions. For that, see Kali Linux: Install and First Steps.
- When Docker Makes Sense (and When It Doesn't)
- Prerequisites
- Step 1 — Pull the Official Image
- Step 2 — Run an Interactive Container
- Step 3 — Install the Tools You Need
- Step 4 — Persist Data With Volumes
- Step 5 — Build a Reusable Image
- Step 6 — Run GUI Tools With X11 Forwarding (Optional)
- Security Notes for Running Kali in a Container
- Running Kali in Docker on a Remote VPS
- Troubleshooting
When Docker Makes Sense (and When It Doesn't)
| Use case | Docker | VM |
|---|---|---|
| Quick single-tool run (sqlmap, nmap) | Good fit | Overkill |
| CI/CD pipeline security scanning | Good fit | Not practical |
| Wireless attacks (monitor mode) | Won't work — no direct hardware access | Required |
| Persistent lab environment | Possible with volumes, but awkward | Natural fit |
| GUI tools (Burp Suite, Wireshark) | Possible via X11 forwarding, adds setup | Works out of the box |
Prerequisites
- Docker installed and running (
docker --versionto confirm) - At least 4 GB RAM available to the Docker daemon if you plan to install larger tool sets inside the container
Step 1 — Pull the Official Image
docker pull kalilinux/kali-rollingThis is Offensive Security's official rolling-release base image, updated alongside the main Kali repos.
Step 2 — Run an Interactive Container
docker run -it --rm kalilinux/kali-rolling /bin/bash--rm deletes the container when you exit — nothing installed inside persists. Drop that flag if you want the container to stick around between sessions instead.
Step 3 — Install the Tools You Need
The base image ships with almost nothing. Install what the task requires:
apt update
apt install -y nmap sqlmap metasploit-framework
# Or pull in a full metapackage the same way you would on a VM install
apt install -y kali-tools-webStep 4 — Persist Data With Volumes
Mount a host directory so scan results and generated files survive after the container exits:
mkdir -p ~/kali-workspace
docker run -it --rm \
-v ~/kali-workspace:/root/workspace \
kalilinux/kali-rolling /bin/bashAnything written to /root/workspace inside the container lands in ~/kali-workspace on the host, outside the container's lifecycle.
Step 5 — Build a Reusable Image
For a container you'll spin up repeatedly with the same toolset preinstalled, write a Dockerfile instead of reinstalling packages every run:
cat > Dockerfile <<'EOF'
FROM kalilinux/kali-rolling
RUN apt update && apt install -y \
nmap sqlmap nikto hydra john hashcat \
metasploit-framework kali-tools-web
WORKDIR /root/workspace
CMD ["/bin/bash"]
EOF
docker build -t my-kali-toolbox .
docker run -it --rm -v ~/kali-workspace:/root/workspace my-kali-toolboxStep 6 — Run GUI Tools With X11 Forwarding (Optional)
Tools like Burp Suite or Wireshark need a display. On Linux hosts, forward X11 into the container:
xhost +local:docker
docker run -it --rm \
-e DISPLAY=$DISPLAY \
-v /tmp/.X11-unix:/tmp/.X11-unix \
kalilinux/kali-rolling /bin/bash
# Inside the container
apt install -y burpsuite
burpsuite &This only works cleanly on Linux hosts. On macOS or Windows you'd need XQuartz or an X server plus additional network configuration — at that point a VM is usually less work.
Security Notes for Running Kali in a Container
Docker containers share the host kernel — they isolate processes and filesystems, not the kernel itself. That matters here because a container loaded with exploitation tooling has a different threat model than a container running a web app:
- Don't run the container with
--privilegedunless you specifically need it (some wireless or raw-socket operations do) — it removes most of the isolation Docker provides. - Avoid exposing container ports to the network unless the tool you're running needs to be reachable. A listening Metasploit handler inside an unnecessarily exposed container is a real attack surface, not just a lab convenience.
- Treat the container image itself as disposable and rebuild from the Dockerfile rather than patching a running container long-term — this keeps your toolset auditable and reproducible instead of drifting.
Running Kali in Docker on a Remote VPS
A common pattern for engagements is running Kali in Docker on a cloud VPS instead of locally — gives you a stable public IP for callback listeners, and the box stays up when your laptop doesn't. Any Debian/Ubuntu VPS with Docker installed works; see our Hetzner VPS setup guide for a walkthrough of provisioning the server itself, then follow the steps above once Docker is running on it. Lock down SSH access and firewall rules before pulling the Kali image — a fresh VPS running Metasploit listeners is not something you want reachable from the open internet.
Troubleshooting
Network tools report permission errors inside the container
Some network operations (raw sockets, packet capture) need extra capabilities Docker doesn't grant by default:
docker run -it --rm --cap-add=NET_ADMIN --cap-add=NET_RAW kalilinux/kali-rolling /bin/bashGUI applications fail with "cannot open display"
xhost +local:dockerInstalled tools disappear after restarting the container
You ran without --rm but started a fresh container instead of restarting the old one. List containers and restart the specific one instead of running a new instance:
docker ps -a
docker start -ai <container_id>DNS resolution fails inside the container
Some hosts (especially corporate or VPN-connected networks) don't pass DNS through to Docker's default bridge network correctly:
docker run -it --rm --dns=1.1.1.1 kalilinux/kali-rolling /bin/bashContainer image is much larger than expected after installing tools
Layers accumulate with every RUN instruction in a Dockerfile. Combine install commands into a single RUN line and clean the apt cache in the same layer to keep image size down:
RUN apt update && apt install -y nmap sqlmap && \
apt clean && rm -rf /var/lib/apt/lists/*