[agartner]

singularity does partially support running without suid: https://github.com/sylabs/singularity/issues/1258

charliecloud is designed specifically not to need suid: https://github.com/hpc/charliecloud

docker will hopefully support full unprivileged use soon: https://github.com/moby/moby/pull/38050

[cyphar]

The Docker work is a direct derivative of the rootless containers work I started more than 2 years ago (and others have been working on before and since), which is what this blog post refers to.

Singularity didn't exist at the time in any meaningful way, and suid binaries (even a small number) are completely unacceptable for the usecases I had.

[mroche]

Thanks for those, I’ll read through them when I get the chance!