Last month Linux kernel 5.11 was released including support for
overlayfs from unprivileged user namespaces:
https://kernelnewbies.org/Linux_5.11#Unprivileged_Overlayfs_mounts
The work was done by Eric Biederman and Miklos Szeredi of Red Hat so
I think there's a pretty good chance that it will get backported to
Red Hat kernels, at least for RHEL8 if not RHEL7.
Also, kernel 5.0 from March 2019 added seccomp user notification, a new
way to emulate system calls in userspace that's more efficient than
ptrace. It was integrated into the OCI runtime spec two days ago:
https://github.com/opencontainers/runtime-spec/pull/1074
and there's a GitHub repo making a multi-uid container implementation
without needing /etc/subuid and /etc/subgid:
https://github.com/rootless-containers/subuidless
Also somebody else at the talk pointed out this alternate runc
implementation that allows running other container runtimes inside it.
It runs privileged itself I believe, but it claims to fully protect the
host.
https://github.com/nestybox/sysbox
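Worked example of the seccomp user-notification mechanism mentioned above, added here and not taken from the post, the kernel, the OCI spec PR or the subuidless repo: a sandboxed task installs a filter that hands getppid(2) to userspace, and a supervisor process receives the request over the listener fd and answers with a value of its own choosing. getppid stands in for whatever syscall a runtime would emulate (subuidless emulates the id-mapping calls); the answer 4242, the DEMO_* names and the fork/pipe plumbing are this example's own assumptions. It needs Linux 5.0 or newer with matching UAPI headers and reports DEMO_UNSUPPORTED where the kernel or an enclosing sandbox refuses the listener.

```c
/* seccomp user notification demo (added example). The sandboxed task's
 * getppid() is answered by a supervisor instead of the kernel.
 * Requires Linux >= 5.0 and UAPI headers that define struct seccomp_notif. */
#include <errno.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

#define DEMO_ANSWER      4242  /* assumed value the supervisor substitutes for getppid() */
#define DEMO_UNSUPPORTED (-2)  /* kernel or enclosing sandbox refused NEW_LISTENER */
#define DEMO_ERROR       (-1)

#if defined(__x86_64__)
#define DEMO_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define DEMO_ARCH AUDIT_ARCH_AARCH64
#elif defined(__i386__)
#define DEMO_ARCH AUDIT_ARCH_I386
#else
#error "add the AUDIT_ARCH_* constant for this architecture"
#endif

/* Install the filter in the calling task; returns the listener fd or -1. */
static int install_notify_filter(void)
{
    struct sock_filter filter[] = {
        /* Syscall numbers are per-architecture, so refuse a foreign arch first. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, DEMO_ARCH, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_getppid, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_USER_NOTIF), /* hand getppid to userspace */
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = { .len = sizeof(filter) / sizeof(filter[0]), .filter = filter };

    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    /* With NEW_LISTENER, seccomp(2) returns the notification fd instead of 0. */
    return (int)syscall(SYS_seccomp, SECCOMP_SET_MODE_FILTER,
                        SECCOMP_FILTER_FLAG_NEW_LISTENER, &prog);
}

/* Supervisor: receive one request and answer it. Returns 0 on success. */
static int supervise_once(int listener)
{
    struct seccomp_notif req;
    struct seccomp_notif_resp resp;

    memset(&req, 0, sizeof(req));          /* the kernel requires a zeroed struct */
    if (ioctl(listener, SECCOMP_IOCTL_NOTIF_RECV, &req) != 0)
        return -1;
    /* Before trusting req.data (or reading /proc/<pid>/mem), confirm the
     * requesting task is still the one that sent this id. */
    if (ioctl(listener, SECCOMP_IOCTL_NOTIF_ID_VALID, &req.id) != 0)
        return -1;
    memset(&resp, 0, sizeof(resp));
    resp.id = req.id;
    if (req.data.nr == __NR_getppid)
        resp.val = DEMO_ANSWER;            /* emulated result, returned to the task */
    else
        resp.error = -ENOSYS;              /* anything unexpected fails closed */
    return ioctl(listener, SECCOMP_IOCTL_NOTIF_SEND, &resp) != 0 ? -1 : 0;
}

/* Run the exchange in a forked child so the caller's process stays unfiltered;
 * returns what the sandboxed getppid() yielded (DEMO_ANSWER when it worked). */
int run_notify_demo(void)
{
    int pipefd[2], result = DEMO_ERROR, status;
    pid_t sandbox, sup;
    ssize_t n;

    if (pipe(pipefd) != 0 || (sandbox = fork()) < 0)
        return DEMO_ERROR;
    if (sandbox == 0) {
        int listener = install_notify_filter(), err = errno;
        close(pipefd[0]);
        if (listener < 0) {
            result = (err == EINVAL || err == ENOSYS || err == EPERM || err == EBUSY)
                     ? DEMO_UNSUPPORTED : DEMO_ERROR;
        } else if ((sup = fork()) == 0) {
            /* Supervisor inherits the fd and the filter, so it must not call getppid. */
            _exit(supervise_once(listener) == 0 ? 0 : 1);
        } else if (sup > 0) {
            close(listener);               /* only the supervisor keeps the fd: if it
                                              dies, the pending call fails with ENOSYS */
            result = (int)getppid();       /* blocks until the supervisor replies */
            waitpid(sup, &status, 0);
        }
        n = write(pipefd[1], &result, sizeof(result));
        _exit(n == (ssize_t)sizeof(result) ? 0 : 1);
    }
    close(pipefd[1]);
    if (read(pipefd[0], &result, sizeof(result)) != (ssize_t)sizeof(result))
        result = DEMO_ERROR;
    close(pipefd[0]);
    waitpid(sandbox, &status, 0);
    return result;
}

int main(void)
{
    int r = run_notify_demo();
    if (r == DEMO_UNSUPPORTED)
        puts("seccomp user notification is not available here");
    else
        printf("sandboxed getppid() returned %d (supervisor answered %d)\n", r, DEMO_ANSWER);
    return r == DEMO_ANSWER ? 0 : 1;
}
```

In a real runtime the supervisor is a separate agent rather than a child of the sandboxed task; the OCI runtime-spec change linked above adds a seccomp `listenerPath` so the runtime can hand the listener fd to such an agent over a UNIX socket. Two checks matter in practice: the arch test in the filter (syscall numbers differ per architecture) and the NOTIF_ID_VALID check before acting on a request, since a task can die and its pid be reused while the supervisor is working.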