Hi,

I'm trying to understand something about how capabilities in rootless podman work.

How does rootless podman have the capability to set up container mounts (such as cgroup mounts) given a privileged container itself doesn't? Does podman deliberately drop caps, or somehow get elevated privileges to do this?

This is the process tree podman sets up (where bash is the container entrypoint here):
systemd(1)---conmon(1327421)---bash(1327432)

I'm assuming it's conmon that sets up the container's mounts (via runc in this case), which is a process running as my user (rootless). How is it that conmon has the capabilities required (SYS_ADMIN?) to create the container's cgroup and sysfs mounts but within the container itself this is not possible?

Thanks for any insight!

Lewis
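
One way to inspect what the question asks about, as an added example that is not part of the original message: read the capability masks, UID and user-namespace mapping of each process in the tree from `/proc`. The sample status text and UID map are constructed for illustration, and the function names are hypothetical.

```python
import os
import sys

CAP_SYS_ADMIN = 21  # bit number from <linux/capability.h>

def parse_status(text):
    """Return the Uid list and Cap* masks (as ints) from /proc/<pid>/status text."""
    fields = {}
    for line in text.splitlines():
        key, _, val = line.partition(":")
        if key.startswith("Cap"):
            fields[key] = int(val.strip(), 16)
        elif key == "Uid":
            fields[key] = [int(x) for x in val.split()]
    return fields

def has_cap(mask, bit):
    return bool(mask >> bit & 1)

def parse_uid_map(text):
    """Rows of (uid inside namespace, uid outside, range length)."""
    return [tuple(int(x) for x in ln.split()) for ln in text.splitlines() if ln.strip()]

def is_initial_userns(uid_map):
    # The initial user namespace maps the full 32-bit range onto itself.
    return uid_map == [(0, 0, 4294967295)]

def inspect(pid):
    """Summarise one live process; capability bits are relative to its user namespace."""
    with open(f"/proc/{pid}/status") as f:
        st = parse_status(f.read())
    with open(f"/proc/{pid}/uid_map") as f:
        umap = parse_uid_map(f.read())
    try:
        userns = os.readlink(f"/proc/{pid}/ns/user")
    except OSError:
        userns = None  # not permitted to read this process's namespace link
    return {"pid": pid, "uid": st["Uid"][0], "userns": userns,
            "initial_userns": is_initial_userns(umap), "uid_map": umap,
            "eff_sys_admin": has_cap(st["CapEff"], CAP_SYS_ADMIN),
            "bnd_sys_admin": has_cap(st["CapBnd"], CAP_SYS_ADMIN)}

# Constructed sample inputs (not taken from the system in the message above).
SAMPLE_STATUS = "Name:\tbash\nUid:\t0\t0\t0\t0\nCapEff:\t00000000800405fb\nCapBnd:\t00000000800405fb\n"
SAMPLE_UID_MAP = "         0       1000          1\n         1     100000      65536\n"

if __name__ == "__main__":
    for pid in sys.argv[1:]:  # e.g. the conmon and bash PIDs from the process tree
        print(inspect(int(pid)))
```

Pass the conmon and bash PIDs as arguments, running as the same user that owns the container, and compare the reported user namespace and `CAP_SYS_ADMIN` bits for each.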