{
  "guid": "3b3efc57-2a06-5099-b726-fa9ceb4b24f5",
  "title": "Unprivileged Containers, with Transient User Namespaces and ID Mapping, but Without SETUID Binaries",
  "subtitle": null,
  "slug": "all-systems-go-2025-353-unprivileged-containers-with-transient-user-namespaces-and-id-mapping-but-without-setuid-binaries",
  "link": "https://cfp.all-systems-go.io/all-systems-go-2025/talk/E7FHPY/",
  "description": "Many traditional container engines make use of the \"subuid\" concept and the \"newuidmap\" tool to implement a concept of \"unprivileged\" user-namespace containers on Linux. This approach has many shortcomings in my PoV, from both a security and scalability standpoint.\n\nRecent systemd versions provide a more powerful, more secure, more scalable alternative, via systemd-nsresourced, systemd-mountfsd and other components.\n\nIn this talk I want to shed some light on the problems with the \"old ways\", and in particular focus on what the \"new ways\" bring to the table, and how to make use of them in container runtimes.\n\nLicensed to the public under https://creativecommons.org/licenses/by/4.0/de/",
  "original_language": "eng",
  "persons": ["Lennart Poettering"],
  "tags": ["353", "2025", "asg2025", "Loft", "asg2025-eng", "asg2025", "Day 2"],
  "view_count": 175,
  "promoted": false,
  "date": "2025-10-01T10:00:00.000+02:00",
  "release_date": "2025-10-01T00:00:00.000+02:00",
  "updated_at": "2026-03-04T11:15:09.163+01:00",
  "length": 2513,
  "duration": 2513,
  "thumb_url": "https://static.media.ccc.de/media/events/all_systems_go/2025/353-3b3efc57-2a06-5099-b726-fa9ceb4b24f5.jpg",
  "poster_url": "https://static.media.ccc.de/media/events/all_systems_go/2025/353-3b3efc57-2a06-5099-b726-fa9ceb4b24f5_preview.jpg",
  "timeline_url": "https://static.media.ccc.de/media/events/all_systems_go/2025/353-3b3efc57-2a06-5099-b726-fa9ceb4b24f5.timeline.jpg",
  "thumbnails_url": "https://static.media.ccc.de/media/events/all_systems_go/2025/353-3b3efc57-2a06-5099-b726-fa9ceb4b24f5.thumbnails.vtt",
  "frontend_link": "https://media.ccc.de/v/all-systems-go-2025-353-unprivileged-containers-with-transient-user-namespaces-and-id-mapping-but-without-setuid-binaries",
  "url": "https://api.media.ccc.de/public/events/3b3efc57-2a06-5099-b726-fa9ceb4b24f5",
  "conference_title": "All Systems Go! 2025",
  "conference_url": "https://api.media.ccc.de/public/conferences/asg2025",
  "related": [],
  "recordings": [
    {
      "size": 234,
      "length": 2513,
      "mime_type": "video/webm;codecs=av01",
      "language": "eng",
      "filename": "asg2025-353-eng-Unprivileged_Containers_with_Transient_User_Namespaces_and_ID_Mapping_but_Without_SETUID_Binaries_av1-hd.webm",
      "state": "new",
      "folder": "av1-hd",
      "high_quality": true,
      "width": 1920,
      "height": 1080,
      "updated_at": "2025-10-01T12:01:30.496+02:00",
      "recording_url": "https://cdn.media.ccc.de/events/all_systems_go/2025/av1-hd/asg2025-353-eng-Unprivileged_Containers_with_Transient_User_Namespaces_and_ID_Mapping_but_Without_SETUID_Binaries_av1-hd.webm",
      "url": "https://api.media.ccc.de/public/recordings/91853",
      "event_url": "https://api.media.ccc.de/public/events/3b3efc57-2a06-5099-b726-fa9ceb4b24f5",
      "conference_url": "https://api.media.ccc.de/public/conferences/asg2025"
    },
    {
      "size": 28,
      "length": 2513,
      "mime_type": "audio/opus",
      "language": "eng",
      "filename": "asg2025-353-eng-Unprivileged_Containers_with_Transient_User_Namespaces_and_ID_Mapping_but_Without_SETUID_Binaries_opus.opus",
      "state": "new",
      "folder": "opus",
      "high_quality": false,
      "width": 0,
      "height": 0,
      "updated_at": "2025-10-01T11:47:06.822+02:00",
      "recording_url": "https://cdn.media.ccc.de/events/all_systems_go/2025/opus/asg2025-353-eng-Unprivileged_Containers_with_Transient_User_Namespaces_and_ID_Mapping_but_Without_SETUID_Binaries_opus.opus",
      "url": "https://api.media.ccc.de/public/recordings/91850",
      "event_url": "https://api.media.ccc.de/public/events/3b3efc57-2a06-5099-b726-fa9ceb4b24f5",
      "conference_url": "https://api.media.ccc.de/public/conferences/asg2025"
    },
    {
      "size": 38,
      "length": 2513,
      "mime_type": "audio/mpeg",
      "language": "eng",
      "filename": "asg2025-353-eng-Unprivileged_Containers_with_Transient_User_Namespaces_and_ID_Mapping_but_Without_SETUID_Binaries_mp3.mp3",
      "state": "new",
      "folder": "mp3",
      "high_quality": false,
      "width": 0,
      "height": 0,
      "updated_at": "2025-10-01T11:47:02.924+02:00",
      "recording_url": "https://cdn.media.ccc.de/events/all_systems_go/2025/mp3/asg2025-353-eng-Unprivileged_Containers_with_Transient_User_Namespaces_and_ID_Mapping_but_Without_SETUID_Binaries_mp3.mp3",
      "url": "https://api.media.ccc.de/public/recordings/91849",
      "event_url": "https://api.media.ccc.de/public/events/3b3efc57-2a06-5099-b726-fa9ceb4b24f5",
      "conference_url": "https://api.media.ccc.de/public/conferences/asg2025"
    },
    {
      "size": 111,
      "length": 2513,
      "mime_type": "video/webm",
      "language": "eng",
      "filename": "asg2025-353-eng-Unprivileged_Containers_with_Transient_User_Namespaces_and_ID_Mapping_but_Without_SETUID_Binaries_webm-sd.webm",
      "state": "new",
      "folder": "webm-sd",
      "high_quality": false,
      "width": 720,
      "height": 576,
      "updated_at": "2025-10-01T12:35:04.261+02:00",
      "recording_url": "https://cdn.media.ccc.de/events/all_systems_go/2025/webm-sd/asg2025-353-eng-Unprivileged_Containers_with_Transient_User_Namespaces_and_ID_Mapping_but_Without_SETUID_Binaries_webm-sd.webm",
      "url": "https://api.media.ccc.de/public/recordings/91867",
      "event_url": "https://api.media.ccc.de/public/events/3b3efc57-2a06-5099-b726-fa9ceb4b24f5",
      "conference_url": "https://api.media.ccc.de/public/conferences/asg2025"
    },
    {
      "size": 307,
      "length": 2513,
      "mime_type": "video/webm",
      "language": "eng",
      "filename": "asg2025-353-eng-Unprivileged_Containers_with_Transient_User_Namespaces_and_ID_Mapping_but_Without_SETUID_Binaries_webm-hd.webm",
      "state": "new",
      "folder": "webm-hd",
      "high_quality": true,
      "width": 1920,
      "height": 1080,
      "updated_at": "2025-10-01T12:25:11.936+02:00",
      "recording_url": "https://cdn.media.ccc.de/events/all_systems_go/2025/webm-hd/asg2025-353-eng-Unprivileged_Containers_with_Transient_User_Namespaces_and_ID_Mapping_but_Without_SETUID_Binaries_webm-hd.webm",
      "url": "https://api.media.ccc.de/public/recordings/91864",
      "event_url": "https://api.media.ccc.de/public/events/3b3efc57-2a06-5099-b726-fa9ceb4b24f5",
      "conference_url": "https://api.media.ccc.de/public/conferences/asg2025"
    },
    {
      "size": 90,
      "length": 2513,
      "mime_type": "video/mp4",
      "language": "eng",
      "filename": "asg2025-353-eng-Unprivileged_Containers_with_Transient_User_Namespaces_and_ID_Mapping_but_Without_SETUID_Binaries_sd.mp4",
      "state": "new",
      "folder": "h264-sd",
      "high_quality": false,
      "width": 720,
      "height": 576,
      "updated_at": "2025-10-01T11:53:41.077+02:00",
      "recording_url": "https://cdn.media.ccc.de/events/all_systems_go/2025/h264-sd/asg2025-353-eng-Unprivileged_Containers_with_Transient_User_Namespaces_and_ID_Mapping_but_Without_SETUID_Binaries_sd.mp4",
      "url": "https://api.media.ccc.de/public/recordings/91852",
      "event_url": "https://api.media.ccc.de/public/events/3b3efc57-2a06-5099-b726-fa9ceb4b24f5",
      "conference_url": "https://api.media.ccc.de/public/conferences/asg2025"
    },
    {
      "size": 254,
      "length": 2513,
      "mime_type": "video/mp4",
      "language": "eng",
      "filename": "asg2025-353-eng-Unprivileged_Containers_with_Transient_User_Namespaces_and_ID_Mapping_but_Without_SETUID_Binaries_hd.mp4",
      "state": "new",
      "folder": "h264-hd",
      "high_quality": true,
      "width": 1920,
      "height": 1080,
      "updated_at": "2025-10-01T11:43:51.217+02:00",
      "recording_url": "https://cdn.media.ccc.de/events/all_systems_go/2025/h264-hd/asg2025-353-eng-Unprivileged_Containers_with_Transient_User_Namespaces_and_ID_Mapping_but_Without_SETUID_Binaries_hd.mp4",
      "url": "https://api.media.ccc.de/public/recordings/91845",
      "event_url": "https://api.media.ccc.de/public/events/3b3efc57-2a06-5099-b726-fa9ceb4b24f5",
      "conference_url": "https://api.media.ccc.de/public/conferences/asg2025"
    }
  ]
}