> I'n not sure about the reasoning, but it's probably a combo of "not trusting user namespaces" (disagree) and user namespaces requiring privileges to use.
binctr looks like an interesting solution to tackle this issue.
Or https://rootlesscontaine.rs/ [1]. runc has had upstream support for this for quite a while (binctr predates it by a bit, but the LXC support for it predates all of this by several years). If you want to run this in production, please use this -- or LXC -- rather than the PoC that Jess wrote a few years ago. umoci[2] also has rootless support (though it doesn't use user namespaces) for image manipulation (extraction and diff generation).
I worked quite a bit on getting this userspace stuff together (though of course the kernel work was done by much more clever people than myself :P).
I worked quite a bit on getting this userspace stuff together (though of course the kernel work was done by much more clever people than myself :P).
[1]: https://github.com/rootlesscontainers [2]: https://github.com/openSUSE/umoci