DevOps · Flashcard

Which kernel feature lets rootless Podman map container root to an unprivileged user?

  • AUser namespaces — they remap container UIDs onto the host's unprivileged range
  • BControl groups — they cap the CPU and memory a container is allowed to consume
  • CSeccomp filters — they restrict which system calls a container may invoke
  • DCapabilities — they split root's powers into individually grantable privileges

Why this is the answer

User namespaces remap the container's UIDs (including root) to unprivileged host UIDs, enabling rootless mode. cgroups limit resources, seccomp filters syscalls, and capabilities split root's powers — useful, but none provides the UID remapping rootless relies on.

Official docs
Study in Gnoseed →