Frequently Asked Question
What is a rootless container and why would I want one?
Traditional Docker runs a long-lived daemon as root. Anyone who can talk to the Docker socket effectively has root on the host, because they can mount the host filesystem into a container and write to it. That is a large privilege boundary to give every developer on a shared box. Rootless containers flip this around: the container engine itself runs as an ordinary user, and inside the container the process thinks it is root (UID 0) thanks to a user namespace, but on the host it is mapped to a normal unprivileged user.
Podman has been rootless-first since its inception; Docker added rootless mode in 2020. The plumbing is non-trivial (slirp4netns or pasta for user-mode networking, fuse-overlayfs for unprivileged overlay mounts, sub-UID/sub-GID ranges in /etc/subuid and /etc/subgid for the user-namespace mapping), but the end result is that a container escape buys an attacker only your user account, not the whole machine. On shared CI runners, multi-tenant developer workstations, and lab clusters, rootless is a significant hardening step for a modest amount of setup.
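The user-namespace mapping is the part that makes "root inside, unprivileged outside" true, so here is a worked example of how a rootless engine derives it from /etc/subuid and what a container UID therefore becomes on the host. This is an added illustration, not code from the FAQ, Podman or Docker; the user name "alice", host UID 1000 and the /etc/subuid contents are constructed sample values, and the mapping layout (container UID 0 to the user's own UID, container UIDs 1 onward to the sub-UID range) is the one rootless Podman and Docker write through newuidmap.

```python
"""Added example: derive a rootless container's UID map from /etc/subuid
and translate container UIDs to host UIDs.

Assumptions (constructed for illustration): the user is "alice" with
host UID 1000, and /etc/subuid holds the sample lines below.
"""
from dataclasses import dataclass

# Constructed sample /etc/subuid. Real file format is user:start:count,
# one allotment per line; comments are not standard but tolerated here.
SAMPLE_SUBUID = """\
# constructed sample /etc/subuid
root:100000:65536
alice:165536:65536
bob:231072:65536
"""


@dataclass(frozen=True)
class Mapping:
    inside: int   # first UID as seen inside the container
    outside: int  # corresponding first UID on the host
    count: int    # length of the contiguous range


def parse_subuid(text, user):
    """Return the (start, count) ranges allotted to `user` in subuid-style text."""
    ranges = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        name, start, count = line.split(":")
        if name == user:
            ranges.append((int(start), int(count)))
    return ranges


def build_uid_map(host_uid, ranges):
    """Build the /proc/<pid>/uid_map entries a rootless engine writes via newuidmap:
    container UID 0 -> the user's own host UID, then container UIDs 1.. -> the
    sub-UID ranges from /etc/subuid, in file order."""
    maps = [Mapping(inside=0, outside=host_uid, count=1)]
    next_inside = 1
    for start, count in ranges:
        maps.append(Mapping(inside=next_inside, outside=start, count=count))
        next_inside += count
    return maps


def to_host_uid(uid_map, container_uid):
    """Translate a UID seen inside the container to the host UID it really is.
    Returns None for an unmapped UID: the kernel presents such IDs as the
    overflow UID (65534 by default) and they cannot own files on the host."""
    for m in uid_map:
        if m.inside <= container_uid < m.inside + m.count:
            return m.outside + (container_uid - m.inside)
    return None


def uid_map_text(uid_map):
    """Render in the 'inside outside count' layout of /proc/<pid>/uid_map."""
    return "\n".join(f"{m.inside:>10} {m.outside:>10} {m.count:>10}" for m in uid_map)


if __name__ == "__main__":
    alice_ranges = parse_subuid(SAMPLE_SUBUID, "alice")
    umap = build_uid_map(1000, alice_ranges)
    print(uid_map_text(umap))
    # Container root is host UID 1000; an escaped process writing to the host
    # filesystem does so as alice, not as root.
    for cuid in (0, 1, 1000, 65536, 65537):
        print(f"container uid {cuid:>6} -> host uid {to_host_uid(umap, cuid)}")
```

On a real system the same layout can be read back from a running rootless container with `cat /proc/<pid>/uid_map` on the host, which is a quick way to confirm that UID 0 in the container is mapped to your own UID rather than left as host root. A container UID outside the mapped ranges (here anything above 65536) is unmapped, which is why images expecting very large UIDs fail in rootless mode with a 65534/nobody owner; the fix is a larger allotment in /etc/subuid, not running the engine as root.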