Rootlesskit

Version: 2.3.5 Linux containers

RootlessKit is a Linux-native implementation of “fake root” using user_namespaces(7).

The purpose of RootlessKit is to run Docker and Kubernetes as an unprivileged user (known as “Rootless mode”), so as to protect the real root on the host from potential container-breakout attacks.

RootlessKit creates user_namespaces(7) and mount_namespaces(7), and executes newuidmap(1)/newgidmap(1) along with subuid(5) and subgid(5).

RootlessKit also supports isolating network_namespaces(7) with userspace NAT using “slirp”. Kernel-mode NAT using SUID-enabled lxc-user-nic(1) is also experimentally supported.

Installation Instructions

Linux

Download Rootlesskit

{
  "url": "{{ .SVar `.tool.rootlesskit.download.url` }}",
  "destination_folder": "{{ .PDownloads }}",
  "output_filename": "{{ .SVar `.tool.rootlesskit.download.filename` }}",
  "overwrite": false
}

Extract Rootlesskit Release

{
  "destination": "{{ .PTools }}/rootlesskit/{{ .SVar `.tool.rootlesskit.download.version` }}",
  "skip_symlinks": true,
  "preserve_permissions": true,
  "remove_existing": true,
  "source": "{{ .PDownloads }}/{{ .SVar `.tool.rootlesskit.download.filename` }}"
}

Binaries

rootlessctl
rootlesskit
rootlesskit-docker-proxy