I have just released a small #RustLang library for running commands as root as an unprivileged user - aka #rootless. 
https://crates.io/crates/rootless-run/0.1.0
It has been created in the context of the #ALPM project to allow running commands using #fakeroot or #rootlesskit and paves the way for a simple Rust-based implementation.
In the future we plan to use it in the ALPM project to run commands that require root as unprivileged user.
Got analogic/poste.io #email container running #rootless on a #podman stack on a new #VPS...
Having bruises on my forehead trying to get it running (successfully) for like three days with #docker
Practice makes barely competent it looks like.
Success!
Will probably have to use my 'mail seeder script' over the next few days so big hosts accept the new domain as legit.
I got DKIM keys and SPF up already set up.
Hi @lproven,
nice! I'm using several #CGIs #RFC3875 for personal (scaled to n=1) web applications - be it (ephemeral) #QRCode https://qr.mro.name, #GeoHash https://mro.name/g/u28br conversion, a #nodb guestbook https://codeberg.org/jugendhacktlab.qdrei.info/gaestebuch, a personal #ActivityPub server @aSeppoToTry or the hacky video-office-hours reservation system https://mro.name/sprechstunde. Once there even was a #HaveIBeenPwnd proof of concept https://blog.mro.name/2022/08/pwned-diy.
They're #rootless deployments running on #shared #hosting (except qrcodes and HaveIBeenPwnd).
Instead of disabling unprivileged user namespaces plain and simple, Ubuntu since 24.04 restricts them with an AppArmor profile, which is known to be insufficient:
https://seclists.org/oss-sec/2025/q1/253
Yet, people writing code relying on unprivileged user namespaces have to deal with Ubuntu specifics where things don’t behave as documented. Latest example:
https://codeberg.org/guix/guix/issues/679#issuecomment-5659997
How do folks deal with it?
Hi! In case you missed, my #FOSDEM talk about creating a #rootless #container manager from scratch is available!
We'll talk about the basic principles to build your own container manager, using #lilipod as an example project:
EDIT: Problem solved, by changing the VM OS from alpinelinux to fedora-server
---
So far I spent almost my whole afternoon trying to get #UptimeKuma running as a #rootless #podman #container on a #alpinelinux #VM to successfully ping some machines to be monitored.
And so far I’m loosing the battle. If anyone has an idea or a pointer to a possible solution, I would be very happy.
It has landed. As I run my own #Forgejo instance as a #rootless container on my #RHEL (Red Hat Enterprise Linux) server, all it took was
#> systemctl stop forgejo
#> podman pull codeberg.org/forgejo/forgejo:7-rootless
#> systemctl start forgejo
And done. Updated to 7.0.3 :)
Release notes at https://codeberg.org/forgejo/forgejo/src/branch/forgejo/RELEASE-NOTES.md#7-0-3
Thank you to all that made it happen, @forgejo :)
Bueno, ya he eliminado todas las entradas del DNS con subdominios y solo he dejado dos wildcard, uno para lo expuesto y otro para lo interno
Para lo expuesto lo paso por npm (no me gusta que no tenga waf o mas opciones de seguridad), y para lo interno traefik tirando de las labels de los contendores
Por el camino he borrado todos los tunnels de cloudflare.
Siguiente paso, crear todos los usuarios y montar contenedores por tematica en usuarios aislados
Anyone running #PaperlessNGX #rootless using #Podman and #PodmanCompose under #Debian12? The volumes I'm mapping to the host always get chowned to 100999:100999, and that's with USERMAP_UID=1000 and USERMAP_GID=1000 in docker-compose.env.
Playing around with PODMAN_USERNS mainly leads to the container not starting at all (in at least one case because it can't install packages).
Hmm ... #minicube on top of #rootless @Podman_io isn't well matured yet?
For the past 12 days I was debugging why on earth #podman doesn’t want to build #rootless images.
Turns out:
1) DBUS_SESSION_BUS_ADDRESS has a value that’s not expected by podman.
2) since all my dotfiles are being grouped in a subdirectory. And have them linked to where their apps expect them to be. The #SELinux was preventing images from having the required permissions.
SELinux is one of main reasons why I use #Fedora , yet it can be a headache if you mess with it indirectly.
Aw, it works now
Networking in rootless Podman 4.x
If you're coming from 3.x, check if your /etc/containers/containers.conf has the new netavark/aardvark networking backend:
[network]
network_backend = "netavark"
The alternative is "cni", which is the default in 3.x. But it can break in root-less setups due to /etc/cni.d not being readable.
Check your system config with `podman system info | grep -A 8 "networkBackend"`:
networkBackend: netavark
networkBackendInfo:
backend: netavark
dns:
package: aardvark-dns-1.7.0-1.fc38.x86_64
path: /usr/libexec/podman/aardvark-dns
version: aardvark-dns 1.7.0
package: netavark-1.7.0-1.fc38.x86_64
path: /usr/libexec/podman/netavark
version: netavark 1.7.0
I'm speaking at #devconf about #rootless #podman this afternoon. There will be a live stream, so tune in if you want! I'm convinced we all need to use less root in our lives 
https://devconfcz2023.sched.com/event/1MYkl/rootful-networking-with-rootless-podman-containers
After reading a lot of Dan Walsh's articles on the matter, for the first time in my life I feel like understanding #containers, #podman, #docker, #rootful and #rootless, and how they differ in Docker vs. Podman. Which just means I misunderstood enough to be dangerous.
(tbf, I come from a probably not-so-common perspective of having had an okayish grasp of user namespaces but didn't grok podman.)
Rootless Podman
Mit etwas Vorbereitung ist es möglich Podman Container als regulärer Benutzer auszuführen.
