Open an issue to request explaining more.



Control groups, used for limiting resource usage of containers.

Using cgroups is considered to be optional for Rootless Containers.



In the context of Cgroup, delegation means allowing non-root users to modify Cgroup configuration to impose limits on consumption of CPU, memory, I/O, and PIDs.

Delegation typically needs cgroup v2 and systemd.
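
A check for the delegation described above, as an added example that is not part of the original page: it reports which of the cpu, memory, io and pids controllers are delegated to the current user. The per-user cgroup path assumes the usual systemd layout under /sys/fs/cgroup, and the function names are hypothetical.

```shell
#!/bin/sh
# Controllers named in the entry above: CPU, memory, I/O and PIDs.
WANTED="cpu memory io pids"

# missing_controllers FILE
# Prints the WANTED controllers absent from a cgroup.controllers file.
# Prints an empty line when all are present; an unreadable file counts
# as "nothing delegated".
missing_controllers() {
    file=$1
    [ -r "$file" ] || { echo "$WANTED"; return 0; }
    # Pad with spaces so "cpu" cannot match inside "cpuset".
    have=" $(tr '\n' ' ' < "$file") "
    missing=""
    for c in $WANTED; do
        case "$have" in
            *" $c "*) ;;
            *) missing="${missing:+$missing }$c" ;;
        esac
    done
    echo "$missing"
}

# check_delegation [ROOT]
# ROOT defaults to /sys/fs/cgroup.
# Returns 0: all delegated, 1: some missing, 2: not a cgroup v2 mount.
check_delegation() {
    root=${1:-/sys/fs/cgroup}
    uid=$(id -u)
    # The cgroup v2 unified hierarchy exposes cgroup.controllers at its root.
    if [ ! -e "$root/cgroup.controllers" ]; then
        echo "cgroup v2 not mounted at $root"
        return 2
    fi
    # Assumption: systemd's per-user manager cgroup holds the delegation.
    user_file="$root/user.slice/user-$uid.slice/user@$uid.service/cgroup.controllers"
    missing=$(missing_controllers "$user_file")
    if [ -n "$missing" ]; then
        echo "not delegated to uid $uid: $missing"
        return 1
    fi
    echo "all of [$WANTED] delegated to uid $uid"
}
```

Run `check_delegation` as the non-root user that will start the containers; a non-zero status means resource limits on rootless containers will not be fully enforceable for that user.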



Filesystem in User Space.

Mounting kernel-mode filesystems inside User Namespaces is almost unsupported, but mounting FUSE has been supported since kernel 4.18.


A FUSE implementation of OverlayFS.

Web site:

FUSE-OverlayFS is mostly used for allowing rootless OverlayFS on old kernels (< 5.11).

See How it works/OverlayFS.


Network Namespaces

See How it works/Network Namespaces.

newuidmap & newgidmap

See How it works/User Namespaces.



See How it works/Network Namespaces/Outgoing Connections.



A sandbox container used for implementing multi-container networking for Podman.

Web site:

Rootless Containers

When we say Rootless Containers, we mean running the entire container runtime, as well as the containers, without root privileges.

If the containers run as non-root users but the runtime still runs as root, we don’t call them Rootless Containers.

See the top page for further information.


RootlessKit is a tool that helps set up User Namespaces with slirp and port forwarding.

Web site:



A binary file with the SETUID bit set is executed as the file owner. SETUID is typically used to allow non-root users to execute a specific binary with root privileges.

Executing SETUID binaries is dangerous; Rootless Containers typically do not use any SETUID binary, with a small number of exceptions such as newuidmap and newgidmap.


A technique to translate Ethernet packets to unprivileged TCP/IP socket syscalls. Widely used by virtual machine implementations such as QEMU and Rootless Container implementations.

Note that the modern usage of “slirp” has changed significantly since the original release of “slirp” in 1995. The original slirp was used for connecting PCs without Ethernet devices to the Internet via a dial-up shell account, by emulating SLIP/PPP.

As of 2020, “slirp” is rarely used in conjunction with SLIP/PPP.

See also How it works/Network Namespaces.


Our implementation of slirp optimized for Rootless Containers. Used by Docker/Moby (when installed) and Podman.

Web site:

See also How it works/Network Namespaces.

subuid & subgid

See How it works/User Namespaces.



In the context of containers, “unprivileged” can have (at least) three different meanings:

  1. Running a Docker/Podman container without docker run --privileged, or running a Kubernetes container without securityContext.privileged=true
  2. Running an LXC container as a non-root user (and by a non-root user, typically)
  3. Running an LXD container as a non-root user while keeping the LXD daemon running as root

Only the second meaning falls into the scope of Rootless Containers.

User Namespaces

See How it works/User Namespaces.


An OCaml implementation of slirp, used by Rootless Docker/Moby when slirp4netns is not installed.

Aside from Rootless Docker/Moby, VPNKit is also used by Docker for Mac/Win for connecting the LinuxKit VM to the Internet.

See also How it works/User Namespaces.

Web site:



The equivalent of /var/run for non-root users. Typically set to /run/user/$UID.

See Getting Started/Common/Login