{"id":13582369,"url":"https://github.com/rootless-containers/rootlesskit","last_synced_at":"2026-04-09T21:09:48.257Z","repository":{"id":38804567,"uuid":"135564955","full_name":"rootless-containers/rootlesskit","owner":"rootless-containers","description":"Linux-native \"fake root\" for implementing rootless containers","archived":false,"fork":false,"pushed_at":"2026-02-09T09:06:51.000Z","size":3968,"stargazers_count":1190,"open_issues_count":50,"forks_count":112,"subscribers_count":15,"default_branch":"master","last_synced_at":"2026-02-09T13:49:09.839Z","etag":null,"topics":["rootless-containers"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/rootless-containers.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2018-05-31T09:50:14.000Z","updated_at":"2026-02-09T09:06:09.000Z","dependencies_parsed_at":"2024-06-18T11:22:42.014Z","dependency_job_id":"f8ea23f2-a011-4a62-88d7-9e3ecf535a36","html_url":"https://github.com/rootless-containers/rootlesskit","commit_stats":{"total_commits":485,"total_committers":33,"mean_commits":"14.696969696969697","dds":0.4804123711340206,"last_synced_commit":"d942cd5880099d8ce0fddeef051cad4894eba25e"},"previous_names":[],"tags_count":63,"template":false,"template_full_name":null,"purl":"pkg:github/rootless-containers/rootlesskit","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rootless-containers%2Frootlesskit","tags_
url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rootless-containers%2Frootlesskit/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rootless-containers%2Frootlesskit/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rootless-containers%2Frootlesskit/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/rootless-containers","download_url":"https://codeload.github.com/rootless-containers/rootlesskit/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rootless-containers%2Frootlesskit/sbom","scorecard":{"id":705838,"data":{"date":"2025-08-11","repo":{"name":"github.com/rootless-containers/rootlesskit","commit":"3c8213d359b54284f4f0aa373ef9adb61d913e0e"},"scorecard":{"version":"v5.2.1-40-gf6ed084d","commit":"f6ed084d17c9236477efd66e5b258b9d4cc7b389"},"score":5.7,"checks":[{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow patterns detected","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#dangerous-workflow"}},{"name":"Code-Review","score":6,"reason":"Found 3/5 approved changesets -- score normalized to 6","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#code-review"}},{"name":"Token-Permissions","score":0,"reason":"detected GitHub workflow tokens with excessive permissions","details":["Warn: jobLevel 'contents' permission set to 'write': .github/workflows/release.yaml:23","Warn: no topLevel permission defined: .github/workflows/main.yaml:1","Warn: no topLevel permission defined: 
.github/workflows/release.yaml:1"],"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#token-permissions"}},{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#binary-artifacts"}},{"name":"Maintained","score":10,"reason":"11 commit(s) and 3 issue activity found in the last 90 days -- score normalized to 10","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#maintained"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#cii-best-practices"}},{"name":"Packaging","score":-1,"reason":"packaging workflow not detected","details":["Warn: no GitHub/GitLab publishing workflow detected."],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#packaging"}},{"name":"Security-Policy","score":0,"reason":"security policy file not detected","details":["Warn: no security policy file detected","Warn: no security file to analyze","Warn: no security file to analyze","Warn: no security file to analyze"],"documentation":{"short":"Determines if the project 
has published a security policy.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#security-policy"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#fuzzing"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: LICENSE:0","Info: FSF or OSI recognized license: Apache License 2.0: LICENSE:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#license"}},{"name":"Signed-Releases","score":8,"reason":"5 out of the last 5 releases have a total of 5 signed artifacts.","details":["Info: signed release artifact: SHA256SUMS.asc: https://github.com/rootless-containers/rootlesskit/releases/tag/v2.3.5","Info: signed release artifact: SHA256SUMS.asc: https://github.com/rootless-containers/rootlesskit/releases/tag/v2.3.4","Info: signed release artifact: SHA256SUMS.asc: https://github.com/rootless-containers/rootlesskit/releases/tag/v2.3.3","Info: signed release artifact: SHA256SUMS.asc: https://github.com/rootless-containers/rootlesskit/releases/tag/v2.3.2","Info: signed release artifact: SHA256SUMS.asc: https://github.com/rootless-containers/rootlesskit/releases/tag/v2.3.1","Warn: release artifact v2.3.5 does not have provenance: https://api.github.com/repos/rootless-containers/rootlesskit/releases/217232649","Warn: release artifact v2.3.4 does not have provenance: https://api.github.com/repos/rootless-containers/rootlesskit/releases/204633374","Warn: release artifact v2.3.3 does not have provenance: https://api.github.com/repos/rootless-containers/rootlesskit/releases/204622619","Warn: release artifact v2.3.2 does not 
have provenance: https://api.github.com/repos/rootless-containers/rootlesskit/releases/195544697","Warn: release artifact v2.3.1 does not have provenance: https://api.github.com/repos/rootless-containers/rootlesskit/releases/170728214"],"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#signed-releases"}},{"name":"Branch-Protection","score":-1,"reason":"internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration","details":null,"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#branch-protection"}},{"name":"Pinned-Dependencies","score":0,"reason":"dependency not pinned by hash detected -- score normalized to 0","details":["Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/main.yaml:9: update your workflow using https://app.stepsecurity.io/secureworkflow/rootless-containers/rootlesskit/main.yaml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/main.yaml:18: update your workflow using https://app.stepsecurity.io/secureworkflow/rootless-containers/rootlesskit/main.yaml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/main.yaml:37: update your workflow using https://app.stepsecurity.io/secureworkflow/rootless-containers/rootlesskit/main.yaml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/main.yaml:226: update your workflow using https://app.stepsecurity.io/secureworkflow/rootless-containers/rootlesskit/main.yaml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yaml:27: update your workflow using 
https://app.stepsecurity.io/secureworkflow/rootless-containers/rootlesskit/release.yaml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yaml:53: update your workflow using https://app.stepsecurity.io/secureworkflow/rootless-containers/rootlesskit/release.yaml/master?enable=pin","Warn: containerImage not pinned by hash: Dockerfile:10","Warn: containerImage not pinned by hash: Dockerfile:15","Warn: containerImage not pinned by hash: Dockerfile:21","Warn: containerImage not pinned by hash: Dockerfile:28","Warn: containerImage not pinned by hash: Dockerfile:36","Warn: containerImage not pinned by hash: Dockerfile:47","Warn: containerImage not pinned by hash: Dockerfile:49","Warn: containerImage not pinned by hash: Dockerfile:58","Warn: containerImage not pinned by hash: Dockerfile:94","Info:   0 out of   6 GitHub-owned GitHubAction dependencies pinned","Info:   0 out of   9 containerImage dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#pinned-dependencies"}},{"name":"Vulnerabilities","score":10,"reason":"0 existing vulnerabilities detected","details":null,"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#vulnerabilities"}},{"name":"SAST","score":0,"reason":"SAST tool is not run on all commits -- score normalized to 0","details":["Warn: 0 commits out of 30 are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code 
analysis.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#sast"}}]},"last_synced_at":"2025-08-22T06:32:13.829Z","repository_id":38804567,"created_at":"2025-08-22T06:32:13.829Z","updated_at":"2025-08-22T06:32:13.829Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":30167963,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-03-06T07:56:45.623Z","status":"ssl_error","status_checked_at":"2026-03-06T07:55:55.621Z","response_time":250,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.6:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["rootless-containers"],"created_at":"2024-08-01T15:02:39.183Z","updated_at":"2026-04-09T21:09:48.251Z","avatar_url":"https://github.com/rootless-containers.png","language":"Go","funding_links":[],"categories":["Go","others"],"sub_categories":[],"readme":"# RootlessKit: Linux-native fakeroot using user namespaces\n\nRootlessKit is a Linux-native implementation of \"fake root\" using  [`user_namespaces(7)`](http://man7.org/linux/man-pages/man7/user_namespaces.7.html).\n\nThe purpose of RootlessKit is to run [Docker](https://rootlesscontaine.rs/getting-started/docker/) and [Kubernetes](https://rootlesscontaine.rs/getting-started/kubernetes/) as an unprivileged user (known as \"Rootless mode\"), so as to protect the real root on the host from potential container-breakout 
attacks.\n\n\u003c!-- START doctoc generated TOC please keep comment here to allow auto update --\u003e\n\u003c!-- DON'T EDIT THIS SECTION, INSTEAD RE-RUN doctoc TO UPDATE --\u003e\n\n\n- [What RootlessKit actually does](#what-rootlesskit-actually-does)\n- [Similar projects](#similar-projects)\n- [Projects using RootlessKit](#projects-using-rootlesskit)\n- [Setup](#setup)\n  - [Requirements](#requirements)\n  - [subuid](#subuid)\n  - [sysctl](#sysctl)\n- [Usage](#usage)\n- [Full CLI options](#full-cli-options)\n- [State directory](#state-directory)\n- [Environment variables](#environment-variables)\n- [Additional documents](#additional-documents)\n\n\u003c!-- END doctoc generated TOC please keep comment here to allow auto update --\u003e\n\n## What RootlessKit actually does\n\nRootlessKit creates [`user_namespaces(7)`](http://man7.org/linux/man-pages/man7/user_namespaces.7.html) and [`mount_namespaces(7)`](http://man7.org/linux/man-pages/man7/mount_namespaces.7.html),\nand executes [`newuidmap(1)`](http://man7.org/linux/man-pages/man1/newuidmap.1.html)/[`newgidmap(1)`](http://man7.org/linux/man-pages/man1/newgidmap.1.html) along with [`subuid(5)`](http://man7.org/linux/man-pages/man5/subuid.5.html) and [`subgid(5)`](http://man7.org/linux/man-pages/man5/subgid.5.html).\n\nRootlessKit also supports isolating [`network_namespaces(7)`](http://man7.org/linux/man-pages/man7/network_namespaces.7.html) with userspace NAT using [\"slirp\"](./docs/network.md).\nKernel-mode NAT using SUID-enabled [`lxc-user-nic(1)`](https://linuxcontainers.org/lxc/manpages/man1/lxc-user-nic.1.html) is also experimentally supported.\n\n## Similar projects\n\nTools based on `LD_PRELOAD` (not enough to run rootless containers and yet lacks support for static binaries):\n* [`fakeroot`](https://wiki.debian.org/FakeRoot)\n\nTools based on `ptrace(2)` (not enough to run rootless containers and yet slow):\n* [`fakeroot-ng`](https://fakeroot-ng.lingnu.com/)\n* 
[`proot`](https://proot-me.github.io/)\n\nTools based on `user_namespaces(7)` (as in RootlessKit, but without support for `--copy-up`, `--net`, ...):\n* [`unshare -r`](http://man7.org/linux/man-pages/man1/unshare.1.html)\n* [`podman unshare`](https://github.com/containers/libpod/blob/master/docs/source/markdown/podman-unshare.1.md)\n* [`become-root`](https://github.com/giuseppe/become-root)\n\n## Projects using RootlessKit\n\nContainer engines:\n* [Docker/Moby](https://get.docker.com/rootless)\n* [Podman](https://podman.io/) (since Podman v1.8.0)\n* [nerdctl](https://github.com/containerd/nerdctl): Docker-compatible CLI for containerd\n* [iSulad](https://github.com/openeuler-mirror/iSulad/tree/master/docs/manual/rootless.md): a lightweight container engine\n\nContainer image builders:\n* [BuildKit](https://github.com/moby/buildkit): Next-generation `docker build` backend\n\nKubernetes distributions:\n* [Usernetes](https://github.com/rootless-containers/usernetes): Docker \u0026 Kubernetes, installable under a non-root user's `$HOME`.\n* [k3s](https://k3s.io/): Lightweight Kubernetes\n\n## Setup\n\nRun `make \u0026\u0026 sudo make install` .\n\nThe following binaries will be installed:\n- `/usr/local/bin/rootlesskit`\n- `/usr/local/bin/rootlessctl`\n- `/usr/local/bin/rootlesskit-docker-proxy` (DEPRECATED; Only required for Docker prior to [v28](https://github.com/moby/moby/pull/48132/commits/dac7ffa3404138a4f291c16586e5a2c68dad4151))\n\n### Requirements\n\n### subuid\n\n* `newuidmap` and `newgidmap` need to be installed on the host. These commands are provided by the `uidmap` package on most distributions.\n\n* `/etc/subuid` and `/etc/subgid` should contain more than 65536 sub-IDs. e.g. `penguin:231072:65536`. 
These files are automatically configured on most distributions.\n\n```console\n$ id -u\n1001\n$ whoami\npenguin\n$ grep \"^$(whoami):\" /etc/subuid\npenguin:231072:65536\n$ grep \"^$(whoami):\" /etc/subgid\npenguin:231072:65536\n```\n\nSee also https://rootlesscontaine.rs/getting-started/common/subuid/\n\n### sysctl\n\nOld distros may require setting up sysctl such as `kernel.unprivileged_userns_clone=1`:\nSee \u003chttps://rootlesscontaine.rs/getting-started/common/sysctl/\u003e.\n\n### AppArmor\n\nOn Ubuntu 24.04 or later, the `rootlesskit` binary is expected to be exactly under `/usr/bin`.\nTo install `rootlesskit` on other paths such as `/usr/local/bin`, you need to install a custom AppArmor profile.\nSee \u003chttps://rootlesscontaine.rs/getting-started/common/apparmor/\u003e.\n\n## Usage\n\nInside `rootlesskit bash`, your UID is mapped to 0 but it is not the real root:\n\n```console\n(host)$ rootlesskit bash\n(rootlesskit)# id\nuid=0(root) gid=0(root) groups=0(root),65534(nogroup)\n(rootlesskit)# ls -l /etc/shadow\n-rw-r----- 1 nobody nogroup 1050 Aug 21 19:02 /etc/shadow\n(rootlesskit)# cat /etc/shadow\ncat: /etc/shadow: Permission denied\n```\n\nEnvironment variables are kept untouched:\n\n```console\n(host)$ rootlesskit bash\n(rootlesskit)# echo $USER\npenguin\n(rootlesskit)# echo $HOME\n/home/penguin\n(rootlesskit)# echo $XDG_RUNTIME_DIR\n/run/user/1001\n```\n\nFilesystems can be isolated from the host with `--copy-up`:\n\n```console\n(host)$ rootlesskit --copy-up=/etc bash\n(rootlesskit)# rm /etc/resolv.conf\n(rootlesskit)# vi /etc/resolv.conf\n```\n\nYou can even create network namespaces with [Slirp](./docs/network.md):\n\n```console\n(host)$ rootlesskit --copy-up=/etc --copy-up=/run --net=slirp4netns --disable-host-loopback bash\n(rootleesskit)# ip netns add foo\n...\n```\n\n## Full CLI options\n\n```console\n$ rootlesskit --help\nNAME:\n   rootlesskit - Linux-native fakeroot using user namespaces\n\nUSAGE:\n   rootlesskit [global options] 
[arguments...]\n\nVERSION:\n   3.0.0\n\nDESCRIPTION:\n   RootlessKit is a Linux-native implementation of \"fake root\" using user_namespaces(7).\n   \n   Web site: https://github.com/rootless-containers/rootlesskit\n   \n   Examples:\n     # spawn a shell with a new user namespace and a mount namespace\n     rootlesskit bash\n   \n     # make /etc writable\n     rootlesskit --copy-up=/etc bash\n   \n     # set mount propagation to rslave\n     rootlesskit --propagation=rslave bash\n   \n     # create a network namespace with slirp4netns, and expose 80/tcp on the namespace as 8080/tcp on the host\n     rootlesskit --copy-up=/etc --net=slirp4netns --disable-host-loopback --port-driver=builtin -p 127.0.0.1:8080:80/tcp bash\n   \n   Note: RootlessKit requires /etc/subuid and /etc/subgid to be configured by the real root user.\n   See https://rootlesscontaine.rs/getting-started/common/ .\n\nOPTIONS:\n  Misc:                                                      \n    --debug                                                  debug mode (default: false)\n    --print-semver value                                     print a version component as a decimal integer [major, minor, patch]\n    --help, -h                                               show help\n    --version, -v                                            print the version\n                                                             \n  Mount:                                                     \n    --copy-up value [ --copy-up value ]                      mount a filesystem and copy-up the contents. e.g. 
\"--copy-up=/etc\" (typically required for non-host network)\n    --copy-up-mode value                                     copy-up mode [tmpfs+symlink] (default: \"tmpfs+symlink\")\n    --propagation value                                      mount propagation [rprivate, rslave] (default: \"rprivate\")\n                                                             \n  Network:                                                   \n    --net value                                              network driver [host, none, pasta(experimental), slirp4netns, vpnkit, lxc-user-nic(experimental), gvisor-tap-vsock(experimental)] (default: \"host\")\n    --mtu value                                              MTU for non-host network (default: 65520 for pasta and slirp4netns, 1500 for others) (default: 0)\n    --cidr value                                             CIDR for pasta, slirp4netns and gvisor-tap-vsock networks (default: 10.0.2.0/24)\n    --ifname value                                           Network interface name (default: tap0 for pasta, slirp4netns, and vpnkit; eth0 for lxc-user-nic)\n    --disable-host-loopback                                  prohibit connecting to 127.0.0.1:* on the host namespace (default: false)\n    --ipv6                                                   enable IPv6 routing. Unrelated to port forwarding. Only supported for pasta and slirp4netns. 
(experimental) (default: false)\n    --detach-netns                                           detach network namespaces  (default: false)\n                                                             \n  Network [lxc-user-nic]:                                    \n    --lxc-user-nic-binary value                              path of lxc-user-nic binary for --net=lxc-user-nic\n    --lxc-user-nic-bridge value                              lxc-user-nic bridge name (default: \"lxcbr0\")\n                                                             \n  Network [pasta]:                                           \n    --pasta-binary value                                     path of pasta binary for --net=pasta (default: \"pasta\")\n                                                             \n  Network [slirp4netns]:                                     \n    --slirp4netns-binary value                               path of slirp4netns binary for --net=slirp4netns (default: \"slirp4netns\")\n    --slirp4netns-sandbox value                              enable slirp4netns sandbox (experimental) [auto, true, false] (the default is planned to be \"auto\" in future) (default: \"false\")\n    --slirp4netns-seccomp value                              enable slirp4netns seccomp (experimental) [auto, true, false] (the default is planned to be \"auto\" in future) (default: \"false\")\n                                                             \n  Network [vpnkit]:                                          \n    --vpnkit-binary value                                    path of VPNKit binary for --net=vpnkit (default: \"vpnkit\")\n                                                             \n  Port:                                                      \n    --port-driver value                                      port driver for non-host network. 
[none, implicit (for pasta), builtin, slirp4netns, gvisor-tap-vsock(experimental)] (default: \"none\")\n    --publish value, -p value [ --publish value, -p value ]  publish ports. e.g. \"127.0.0.1:8080:80/tcp\"\n    --source-ip-transparent                                  preserve real client source IP using IP_TRANSPARENT (builtin port driver) (default: true)\n                                                             \n  Process:                                                   \n    --pidns                                                  create a PID namespace (default: false)\n    --cgroupns                                               create a cgroup namespace (default: false)\n    --utsns                                                  create a UTS namespace (default: false)\n    --ipcns                                                  create an IPC namespace (default: false)\n    --reaper value                                           enable process reaper. Requires --pidns. [auto,true,false] (default: \"auto\")\n    --evacuate-cgroup2 value                                 evacuate processes into the specified subgroup. Requires --pidns and --cgroupns\n                                                             \n  State:                                                     \n    --state-dir value                                        state directory\n                                                             \n  SubID:                                                     \n    --subid-source value                                     the source of the subids. \"dynamic\" executes /usr/bin/getsubids. \"static\" reads /etc/{subuid,subgid}. 
[auto,dynamic,static] (default: \"auto\")\n                                                             \n```\n\n## State directory\n\nThe following files will be created in the state directory, which can be specified with `--state-dir`:\n* `lock`: lock file\n* `child_pid`: decimal PID text that can be used for `nsenter(1)`.\n* `api.sock`: REST API socket. See [`./docs/api.md`](./docs/api.md) and [`./docs/port.md`](./docs/port.md).\n* `netns` (since v2.0.0): Detached NetNS. Created only with `--detach-netns`. Valid only in the child mount namespace.\n* `resolv.conf` (since v2.0.0): `resolv.conf` file. Bind-mounted to `/etc/resolv.conf` unless `--detach-netns` is specified.\n* `hosts` (since v2.0.0): `hosts` file. Bind-mounted to `/etc/hosts` unless `--detach-netns` is specified.\n\nIf `--state-dir` is not specified, RootlessKit creates a temporary state directory on `/tmp` and removes it on exit.\n\nUndocumented files are subject to change.\n\n## Environment variables\n\nThe following environment variables will be set for the child process:\n* `ROOTLESSKIT_STATE_DIR` (since v0.3.0): absolute path to the state dir\n* `ROOTLESSKIT_PARENT_EUID` (since v0.8.0): effective UID\n* `ROOTLESSKIT_PARENT_EGID` (since v0.8.0): effective GID\n\nUndocumented environment variables are subject to change.\n\n## Additional documents\n- [`./docs/network.md`](./docs/network.md): Networking (`--net`, `--mtu`, `--cidr`, `--disable-host-loopback`, `--slirp4netns-*`, ...)\n- [`./docs/port.md`](./docs/port.md): Port forwarding (`--port-driver`, `-p`, ...)\n- [`./docs/mount.md`](./docs/mount.md): Mount (`--propagation`, ...)\n- [`./docs/process.md`](./docs/process.md): Process (`--pidns`, `--reaper`, `--cgroupns`, `--evacuate-cgroup2`, ...)\n- [`./docs/api.md`](./docs/api.md): REST API\n- [`./docs/subid.md`](./docs/subid.md): Sub UIDs and sub GIDs\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frootless-containers%2Frootlesskit","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Frootless-containers%2Frootlesskit","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frootless-containers%2Frootlesskit/lists"}