diff --git a/examples/docker-compose/README.md b/examples/docker-compose/README.md index 4b303694..5bca78aa 100644 --- a/examples/docker-compose/README.md +++ b/examples/docker-compose/README.md @@ -40,14 +40,21 @@ ### Running `gitea-runner` using Docker-in-Docker (DIND) +- `privileged` has to be set to `true` because in-container Docker daemon requires a lot of kernel capabilities and file system mounts like `procfs` and `sysfs` +- `security_opt` sets the `apparmor` profile to `rootlesskit` for hosts running AppArmor (e.g. Ubuntu, Debian), where the kernel might otherwise block user namespace changes that Docker daemon requires for startup. The `rootlesskit` profile is provided by the `docker-ce-rootless-extras` package and is present on hosts where Docker was installed via the official installer or distro packages + ```yml ... runner: image: gitea/runner:latest-dind-rootless restart: always privileged: true + security_opt: + - apparmor=rootlesskit depends_on: - - gitea + gitea: + condition: service_healthy + restart: true volumes: - ./data/runner:/data environment:
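Review bot: the `security_opt: - apparmor=rootlesskit` line added to the `runner` service assumes the `rootlesskit` AppArmor profile is actually loaded on the host, but the hunk gives the reader no way to check that, and the bullet's claim that the profile is present wherever Docker came from "the official installer or distro packages" is broader than what it cites (only the `docker-ce-rootless-extras` package is named). If the named profile is missing, Docker refuses to start the container rather than falling back to the default profile, so the README should say how to verify it before applying the setting (e.g. `sudo aa-status | grep rootlesskit`) and that the `security_opt` entry should be left out on hosts without AppArmor or without that profile. Separately, `condition: service_healthy` only works if the `gitea` service has a `healthcheck` defined (in the compose file or in its image), and `restart: true` under `depends_on` is a newer Compose feature; neither the `gitea` service nor a minimum Compose version is shown in this hunk, so a sentence noting both requirements next to the snippet would save users a confusing startup failure.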