科技回声 (Tech Echo): a tech news platform built on Next.js, providing global tech news and discussion.
© 2025 科技回声. All rights reserved.

Rootless containers feature merged into runC

134 points, by marcosnils, about 8 years ago

8 comments

cyphar, about 8 years ago
One thing that really excites me about getting this into runC is that now we can work on making other parts of container orchestration and management run as an unprivileged user.

Huge props to the Cloud Foundry team who already have taken rootless containers and have some experimental support for them[1]. It'd be awesome if we could do something similar to Kubernetes so that you could start clusters as an unprivileged user (in my mind the networking is the hardest part and I think the only way right now is to implement pseudo-bridge interfaces in userspace). But I'm pretty excited about the possibilities. :P

[1]: https://github.com/cloudfoundry/garden-runc-release/blob/develop/docs/rootless-containers.md
ptspts, about 8 years ago
What is the status of TCP/IP networking in rootless runC? How can incoming and outgoing connections be restricted?
0x006A, about 8 years ago
Related talk cyphar gave at linux.conf.au 2017 on this topic: https://www.youtube.com/watch?v=r6EcUyamu94
minimaxir, about 8 years ago
A semi off-topic note:

As shown in the linked thread, this Hacker News submission was promoted via an image of the submitted link in /newest. This is a modern form of vote manipulation (although in this case perhaps unintentionally) which seems to be the rage nowadays, especially on a certain other social-voting website. (The content of the submission is good/important regardless, but others should keep in mind that this form of voting manipulation isn't clever.)
barbazfoo, about 8 years ago
This is huge, major props to cyphar and the runC folks. Congrats! The result of 11mo of dev work. Dope AF.
falcolas, about 8 years ago
If a rootless container process runs as the root user and can't be switched, is it considered to be "root" as far as the kernel is concerned? As in, does it have access to root-only kernel features (like the root keychain)?
thinxer, about 8 years ago
Are rootless containers safe now? It is not turned on by default in ArchLinux because of security concerns[1].

[1]: https://bugs.archlinux.org/task/36969
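Added example, not from this thread or from the runC project, illustrating the kernel mechanism behind the two questions above (falcolas on "root" inside a rootless container, thinxer on distributions disabling the feature): rootless containers are built on unprivileged user namespaces. The program forks a child that calls unshare(CLONE_NEWUSER), maps its own unprivileged uid and gid to 0 through /proc/self/uid_map and /proc/self/gid_map, and then checks that it is uid 0 inside the namespace while still unable to assume any other uid (setuid(1) fails with EINVAL because only one id is mapped). It also reports the distribution sysctl kernel.unprivileged_userns_clone, which is the knob carried by patched Arch and Debian kernels and absent upstream, and the upstream limit user.max_user_namespaces. Paths and return codes are standard Linux interfaces; the DEMO_* names are this example's own.

```c
// Added example (not from the thread or from runC): the user-namespace
// mechanism that rootless containers depend on. A forked child unshares a
// user namespace, maps its own unprivileged uid/gid to 0, and is then "root"
// inside that namespace only. The kernel still tracks the outer identity,
// and no uid other than the single mapped one can be assumed.
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Outcomes returned by rootless_userns_demo() (names are this example's own). */
enum { DEMO_OK = 0, DEMO_LOGIC_ERROR = 1, DEMO_UNSUPPORTED = 2 };

/* Writes one string to a /proc file; returns 0 on a complete write. */
static int write_proc(const char *path, const char *text) {
    int fd = open(path, O_WRONLY);
    if (fd < 0) return -1;
    ssize_t n = write(fd, text, strlen(text));
    int saved = errno;
    close(fd);
    errno = saved;
    return n == (ssize_t)strlen(text) ? 0 : -1;
}

/* Reads a single integer from a sysctl-style file; -1 if the file is absent. */
static long read_proc_long(const char *path) {
    FILE *f = fopen(path, "r");
    if (!f) return -1;
    long v = -1;
    if (fscanf(f, "%ld", &v) != 1) v = -1;
    fclose(f);
    return v;
}

/* Runs inside the forked child so the parent's namespace is untouched. */
static int child_body(uid_t outer_uid, gid_t outer_gid) {
    char map[64];

    if (unshare(CLONE_NEWUSER) != 0)
        return DEMO_UNSUPPORTED;   /* sysctl, seccomp or an old kernel refused it */

    /* An unprivileged process must deny setgroups before writing gid_map
       (Linux >= 3.19) and may map exactly its own ids, here to 0. */
    if (write_proc("/proc/self/setgroups", "deny") != 0) return DEMO_UNSUPPORTED;
    snprintf(map, sizeof map, "0 %u 1\n", (unsigned)outer_gid);
    if (write_proc("/proc/self/gid_map", map) != 0) return DEMO_UNSUPPORTED;
    snprintf(map, sizeof map, "0 %u 1\n", (unsigned)outer_uid);
    if (write_proc("/proc/self/uid_map", map) != 0) return DEMO_UNSUPPORTED;

    /* Inside the namespace the process is uid 0 / gid 0 ... */
    if (geteuid() != 0 || getegid() != 0) return DEMO_LOGIC_ERROR;

    /* ... but only uid 0 is mapped, so switching to any other uid is
       rejected with EINVAL. Outside the namespace the kernel still sees
       outer_uid: this is not host root. */
    if (setuid(1) == 0 || errno != EINVAL) return DEMO_LOGIC_ERROR;

    return DEMO_OK;
}

/* Forks the demo child and returns its DEMO_* code. */
int rootless_userns_demo(void) {
    uid_t uid = getuid();
    gid_t gid = getgid();
    pid_t pid = fork();
    if (pid < 0) return DEMO_UNSUPPORTED;
    if (pid == 0) _exit(child_body(uid, gid));
    int status = 0;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return DEMO_LOGIC_ERROR;
    return WEXITSTATUS(status);
}

int main(void) {
    /* Distribution knob behind the Arch bug cited in the thread (patched
       Arch/Debian kernels only) and the upstream per-user limit. */
    printf("kernel.unprivileged_userns_clone = %ld (-1 = not present)\n",
           read_proc_long("/proc/sys/kernel/unprivileged_userns_clone"));
    printf("user.max_user_namespaces = %ld (-1 = not present)\n",
           read_proc_long("/proc/sys/user/max_user_namespaces"));

    int rc = rootless_userns_demo();
    if (rc == DEMO_OK)
        puts("uid 0 inside the new user namespace, setuid(1) rejected with EINVAL");
    else if (rc == DEMO_UNSUPPORTED)
        puts("this kernel or sandbox refuses unprivileged user namespaces");
    else
        puts("unexpected behaviour");
    return rc == DEMO_LOGIC_ERROR ? 1 : 0;
}
```

Build with `cc -o userns_demo userns_demo.c` and run as a normal user; on a kernel where unprivileged user namespaces are disabled the child reports DEMO_UNSUPPORTED instead of failing, which is exactly the situation the Arch bug report describes.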
arianvanp, about 8 years ago
What is the difference between runc and rkt? They both implement OCI, right?