Unprivileged versus privileged containers
Unprivileged containers are created and run as an ordinary user rather than as root. This is the safest way to use a container: if the container's security is compromised and the intruder breaks out of it, they find themselves on the host as the nobody user, with extremely limited privileges. Unprivileged containers do not need to be owned by that user, since they run inside user namespaces. This kernel feature maps a UID of the physical host into a namespace, inside which a user with UID 0 can exist. Unprivileged containers can also be run as root: by assigning a specific UID and GID to root, we can create unprivileged containers throughout the system and run them as root.
Privileged containers are created and run by the root user only. These containers are not secure, because all of their processes still run as root. All containers created through the Proxmox GUI or pct tools are privileged...
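The UID mapping described above, as an added example that is not from the book or from Proxmox: a small Python helper that parses the kernel's uid_map format (`inside outside count`, as found in `/proc/<pid>/uid_map`), translates UIDs in both directions, and reports whether container root really lands on an unprivileged host UID. The two sample maps are constructed values, not taken from a real host.

```python
# Added example: translate UIDs through a user-namespace mapping and check
# whether container root is really unprivileged on the host.
# Input format is the kernel's /proc/<pid>/uid_map: "<inside> <outside> <count>".
from typing import List, Optional, Tuple

Mapping = Tuple[int, int, int]  # (inside_start, outside_start, count)

# Constructed sample maps (assumed values, not captured from a real host).
UNPRIV_MAP = "         0     100000      65536\n"   # root -> host UID 100000
PRIV_MAP = "         0          0 4294967295\n"     # identity map: root stays root


def parse_uid_map(text: str) -> List[Mapping]:
    """Parse uid_map/gid_map lines into (inside, outside, count) triples."""
    mappings = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if len(fields) != 3:
            raise ValueError(f"malformed uid_map line: {line!r}")
        inside, outside, count = (int(f) for f in fields)
        if count <= 0:
            raise ValueError(f"non-positive range in uid_map line: {line!r}")
        mappings.append((inside, outside, count))
    return mappings


def to_host_uid(mappings: List[Mapping], container_uid: int) -> Optional[int]:
    """Host UID that a UID inside the namespace corresponds to, or None if unmapped."""
    for inside, outside, count in mappings:
        if inside <= container_uid < inside + count:
            return outside + (container_uid - inside)
    return None


def to_container_uid(mappings: List[Mapping], host_uid: int) -> Optional[int]:
    """Reverse lookup: which UID inside the namespace owns a given host UID."""
    for inside, outside, count in mappings:
        if outside <= host_uid < outside + count:
            return inside + (host_uid - outside)
    return None


def is_unprivileged(mappings: List[Mapping]) -> bool:
    """True when container root maps to a non-root host UID and host UID 0 is unreachable."""
    root_on_host = to_host_uid(mappings, 0)
    return root_on_host not in (None, 0) and to_container_uid(mappings, 0) is None


if __name__ == "__main__":
    for name, text in (("unprivileged", UNPRIV_MAP), ("privileged", PRIV_MAP)):
        m = parse_uid_map(text)
        print(f"{name}: container root = host UID {to_host_uid(m, 0)}, "
              f"unprivileged={is_unprivileged(m)}")
```

On a live host the same check can be run against the text of `/proc/<container-init-pid>/uid_map` to confirm that a container which claims to be unprivileged does not map host UID 0.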