Filesystem images and unprivileged containers
Posted Sep 16, 2016 12:50 UTC (Fri) by ibukanov (subscriber, #3942)
Parent article: Filesystem images and unprivileged containers
My experience with unprivileged containers is that one only needs root to work around bad assumptions in some applications. There is code that assumes that if the uid is not 0, then the operation cannot run. For example, sshd from OpenSSH refuses to run as a non-root user if its config contains the ChangeRoot directive. But those assumptions are wrong under Linux, as with capabilities one can give arbitrary selective privileges to any process without making it root. To support such cases one wants unprivileged root for a container.
But that does not require universal user namespaces that remap other users. Remapping just root is enough and presumably could be implemented with much simpler code than the current complexity of the universal map.
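An added example, not part of the comment above and not OpenSSH code: it contrasts a uid-equals-0 check with a check of the effective capability set for CAP_SYS_CHROOT, which chroot(2) requires in the caller's user namespace. The two `/proc/<pid>/status` excerpts are constructed, and the function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CAP_SYS_CHROOT_BIT 18  /* value of CAP_SYS_CHROOT in <linux/capability.h> */

/* Constructed /proc/<pid>/status excerpts (not captured from a real system). */
static const char *SAMPLE_UNPRIV_WITH_CAP =  /* uid 1000, only CAP_SYS_CHROOT */
    "Name:\tsshd\nUid:\t1000\t1000\t1000\t1000\nCapEff:\t0000000000040000\n";
static const char *SAMPLE_ROOT_NO_CAP =      /* uid 0, CAP_SYS_CHROOT dropped */
    "Name:\tsshd\nUid:\t0\t0\t0\t0\nCapEff:\t00000000000004c0\n";

/* Find a line starting with key and parse the first number after it. */
static int status_field(const char *status, const char *key, int base, uint64_t *out)
{
    size_t klen = strlen(key);
    for (const char *p = status; p && *p; ) {
        if (strncmp(p, key, klen) == 0) {
            char *end;
            *out = strtoull(p + klen, &end, base);
            return end != p + klen ? 0 : -1;
        }
        p = strchr(p, '\n');
        if (p) p++;
    }
    return -1;
}

/* The assumption criticised above: privilege means uid 0.
 * Reads the first Uid value (real uid; all four are equal in the samples). */
int uid_check_allows_chroot(const char *status)
{
    uint64_t uid;
    return status_field(status, "Uid:", 10, &uid) == 0 && uid == 0;
}

/* Capability-based check: is CAP_SYS_CHROOT in the effective set? */
int cap_check_allows_chroot(const char *status)
{
    uint64_t eff;
    return status_field(status, "CapEff:", 16, &eff) == 0 &&
           ((eff >> CAP_SYS_CHROOT_BIT) & 1);
}

int main(void)
{
    const char *s[] = { SAMPLE_UNPRIV_WITH_CAP, SAMPLE_ROOT_NO_CAP };
    for (int i = 0; i < 2; i++)
        printf("sample %d: uid check=%d, capability check=%d\n", i,
               uid_check_allows_chroot(s[i]), cap_check_allows_chroot(s[i]));
    return 0;
}
```

The uid check is wrong in both directions: it rejects the uid 1000 process that holds the capability and accepts the uid 0 process whose capability was dropped.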
