by the8472 1480 days ago
The problem with rootless is that you don't get a native network stack since setting up bridges and veth devices still requires some elevated capabilities. But instead of running full root this could be outsourced to a helper executable with some caps set (a narrower version of suid).

> Permission issues with bind mounts just totally disappear when you go rootless.

Recent kernel versions have gained uid mapping capabilities on mounts. Hopefully future docker will make use of it. Then we can run entire containers as different users.
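To make the "narrower version of suid" point above concrete, here is an added example (not from the thread, not from any project mentioned in it) in Python: it decodes the CapEff mask from a /proc/<pid>/status excerpt and reports what a network helper holds beyond CAP_NET_ADMIN, the capability bridges and veth setup need. The status excerpts are constructed.

```python
"""Decode Linux capability masks so a reviewer of a rootless container
setup can check that a network helper carries a narrow capability set
(CAP_NET_ADMIN for bridges/veth) instead of the full root set.
Added example; not part of the thread."""
import re

# Linux capability numbers, in bit order (include/uapi/linux/capability.h).
CAP_NAMES = [
    "chown", "dac_override", "dac_read_search", "fowner", "fsetid", "kill",
    "setgid", "setuid", "setpcap", "linux_immutable", "net_bind_service",
    "net_broadcast", "net_admin", "net_raw", "ipc_lock", "ipc_owner",
    "sys_module", "sys_rawio", "sys_chroot", "sys_ptrace", "sys_pacct",
    "sys_admin", "sys_boot", "sys_nice", "sys_resource", "sys_time",
    "sys_tty_config", "mknod", "lease", "audit_write", "audit_control",
    "setfcap", "mac_override", "mac_admin", "syslog", "wake_alarm",
    "block_suspend", "audit_read", "perfmon", "bpf", "checkpoint_restore",
]

# What a helper that only creates bridges and veth devices should hold.
NET_HELPER_CAPS = {"net_admin"}

def decode_caps(mask):
    """Return the set of capability names whose bit is set in mask."""
    names = set()
    for bit in range(mask.bit_length()):
        if (mask >> bit) & 1:
            names.add(CAP_NAMES[bit] if bit < len(CAP_NAMES) else f"cap_{bit}")
    return names

def effective_caps(proc_status):
    """Parse the CapEff line of a /proc/<pid>/status text into names."""
    m = re.search(r"^CapEff:\s*([0-9a-fA-F]+)", proc_status, re.M)
    if not m:
        raise ValueError("no CapEff line in status text")
    return decode_caps(int(m.group(1), 16))

def excess_caps(proc_status, allowed=NET_HELPER_CAPS):
    """Capabilities the process holds beyond the allowed narrow set."""
    return effective_caps(proc_status) - set(allowed)

# Constructed /proc/<pid>/status excerpts: a full-root daemon, and a helper
# given only CAP_NET_ADMIN (bit 12 -> 0x1000) via file capabilities.
ROOT_STATUS = "Name:\tdockerd\nCapEff:\t000001ffffffffff\n"
HELPER_STATUS = "Name:\tnethelper\nCapEff:\t0000000000001000\n"

if __name__ == "__main__":
    print("root daemon excess:", sorted(excess_caps(ROOT_STATUS)))
    print("helper excess:", sorted(excess_caps(HELPER_STATUS)))
```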


TBH I don't want to expose the native network stack to containers
If your concern is kernel attack surface then I have bad news for you. Inside the container's network namespace it's still using standard syscalls. Only on the host side does it take a detour through userspace. So you get all the downsides, none of the native performance and very few upsides. It only benefits firewalls that still assume a machine has a single network interface without bridging/natting/forwarding.