Currently, docker containers that run within each Type-1 VM run in privileged mode. This isn't ideal from a Defense-in-Depth perspective. The plan is to implement the following guidance such that each application-level container runs in a non-root user namespace.
Run the Docker daemon as a non-root user (Rootless mode)
Run the Docker daemon as a non-root user (Rootless mode)
How to Run Docker in Rootless Mode
How to run Docker containers on Linux without root privileges.
In the meantime, I need to implement user namespaces/UID/GUID mapping.
The current blocker for this is rootless and does not support overlay networks.