In many cases, people want to start containers on a system where the administrator is not happy about granting privileges to users or installing any new software. For example, when I was a researcher and wanted to run Python 3 on a computing cluster it was not possible to get the administrator to install Docker or Python 3.

In recent Linux kernels, it has been possible to create containers without any privileges. All that's missing is a container runtime that allows you to do this. LXC is close but falls short (it requires certain privileged processes and PAM modules for everything to work).

The current state of the work is available here. All of the basics work properly, but there's lots of unresolved things left to deal with (as well as lots of cleanup to be done). In addition, certain tools don't work as expected in a rootless container (such as anything that tries to use the unix privilege model). So, I've started work on a tool to fix that issue as well.

I also would like to write some blog posts about all of this work.