I see, that makes sense. Thank you.

Yes, rootless podman.

Just to see if I understood correctly: So your container is running as 999, and UserNS=keep-id:uid=999,gid=999 maps 999 (the user used inside the container) to the host (in my case 1000). So any files the container creates have their permission set to 1000 and can be read/modified by both the host user (1000) and the container. UserNS=keep-id:uid=999,gid=999 ONLY maps the UIDs and does not set the UID of the container.

I think I understand now, thanks for the example, that helped.

Thanks for the answer.

To 1. Maybe I worded that poorly, I do understand that I can’t take out the engine haha (good analogy). I thought gluetun was supposed to set the default route (but it seems it either doesn’t or can’t), I’ll dig deeper into manually setting a default route for containers. My goal was to only have gluetun see my computer’s network and have the containers only see local network and gluetun’s tun0 network (with default routing through tun0). AFAIK pods share network namespaces, though, so that might not be possible? (even without pods?)

2. The quadlets are in the spoiler at the bottom of the post. I’ll move the spoiler up a bit

3. So they would be rootless containers, but have root access as 0:0, if I understand that correctly? linuxserver images require 0:0 or they won’t start, do you happen to know a workaround?