Rootless containers uses user_namespaces(7)(UserNS) for emulating fake privileges that are enough to create containers. e.g. map UID 1000 to pseudo-root UID 0 in the UserNS: $ whoami user1 $ id -u 1000 $ unshare --user --map-root-user # cat /proc/self/uid_map 0 1000 1 # cat /proc/self/gid_map 0 1000 1 # id -u 0 The pseudo-root user gains capabilities such as CAP_SYS_ADMIN and CAP_NET_ADMIN inside UserNS to perform fake-privileged operations such as creating mount namespaces, network namespace...| Rootless Containers