Question 310 of 527
Manage containershardMultiple SelectObjective-mapped

Quick Answer

The answer is to enable user namespaces in the kernel, run `loginctl enable-linger` for the user, and configure the `subuid` and `subgid` mappings. These three actions are required to enable a non-root user for Podman rootless containers on RHEL 8 because rootless Podman relies on user namespaces to map the container’s root user to an unprivileged host user, while `loginctl enable-linger` ensures the user’s systemd user instance persists after logout, allowing containers to run as systemd services. On the Red Hat Certified System Administrator EX200 exam, this scenario tests your understanding of container runtime security and user namespace configuration, often appearing as a multi-select question where a common trap is forgetting the `subuid` and `subgid` entries in `/etc/subuid` and `/etc/subgid`. Remember the mnemonic “Linger, Map, Namespace” to recall the three pillars: linger for systemd persistence, mapping for UID/GID delegation, and namespace for kernel isolation.

EX200 Manage containers Practice Question

This EX200 practice question tests your understanding of manage containers. Read the scenario carefully and evaluate each option against the stated constraints before committing to an answer. After answering, compare your reasoning against the explanation and wrong-answer breakdown below. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.

Which THREE actions are required to enable a non-root user to run containers using Podman on Red Hat Enterprise Linux 8?

Question 1hardmulti select
Full question →

Answer choices

Why each option matters

Answer the question above first, then reveal the full breakdown to understand why each option is right or wrong.

Correct answer & explanation

Ensure the user has a running systemd user instance (loginctl enable-linger).

Option A is correct because `loginctl enable-linger` ensures that the user's systemd user instance starts at boot and remains running after the user logs out. This is required for Podman to manage containers using systemd user services, such as auto-starting containers with `podman generate systemd`.

Key principle: Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.

Answer analysis

Option-by-option breakdown

For each option: why learners choose it and why it is or isn't the right answer here.

  • Ensure the user has a running systemd user instance (loginctl enable-linger).

    Why this is correct

    Enables systemd --user for managing containers.

    Related concept

    Read the scenario before looking for a memorised answer.

  • Configure subordinate UID and GID ranges for the user in /etc/subuid and /etc/subgid.

    Why this is correct

    Required for user namespace mapping.

    Related concept

    Read the scenario before looking for a memorised answer.

  • Add the user to the 'docker' group to access the Docker socket.

    Why it's wrong here

    Podman does not use the Docker socket by default.

  • Enable user namespaces in the kernel if not already enabled.

    Why this is correct

    User namespaces are typically enabled, but must be checked.

    Related concept

    Read the scenario before looking for a memorised answer.

  • Grant the user sudo privileges to run podman commands.

    Why it's wrong here

    Rootless podman does not require sudo.

Common exam traps

Common exam trap: answer the scenario, not the keyword

The trap here is that candidates may think adding a user to the 'docker' group is required for Podman, but Podman uses a different architecture (no daemon, no socket) and relies on user namespaces and subordinate ID ranges for rootless operation.

Detailed technical explanation

How to think about this question

User namespaces allow a non-root user to map UIDs and GIDs inside the container to a range of subordinate UIDs/GIDs on the host, defined in `/etc/subuid` and `/etc/subgid`. The kernel must have user namespaces enabled (CONFIG_USER_NS=y), which is the default in RHEL 8, but if disabled via `user.max_user_namespaces=0`, rootless Podman will fail. The `newuidmap` and `newgidmap` setuid helpers use these mappings to create the container's user namespace.

KKey Concepts to Remember

  • Read the scenario before looking for a memorised answer.
  • Find the constraint that changes the correct option.
  • Eliminate answers that are true in general but not in this case.

TExam Day Tips

  • Watch for words such as best, first, most likely and least administrative effort.
  • Review why wrong options are wrong, not only why the correct option is correct.

Key takeaway

Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.

Real-world example

How this comes up in practice

A small business has 20 workstations on the 192.168.1.0/24 network and one public IP from its ISP. The router uses PAT (NAT overload) so all 20 devices share one public address using different source ports. NAT questions test whether you understand the four address terms and which direction each translation applies.

What to study next

Got this wrong? Here's your next step.

Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.

Related practice questions

Related EX200 practice-question pages

Use these pages to review the topic behind this question. This is how one missed question becomes focused revision.

Practice this exam

Start a free EX200 practice session

Short sessions build daily habit. Longer sessions build exam-day stamina. Try a timed session to simulate real conditions.

FAQ

Questions learners often ask

What does this EX200 question test?

Manage containers — This question tests Manage containers — Read the scenario before looking for a memorised answer..

What is the correct answer to this question?

The correct answer is: Ensure the user has a running systemd user instance (loginctl enable-linger). — Option A is correct because `loginctl enable-linger` ensures that the user's systemd user instance starts at boot and remains running after the user logs out. This is required for Podman to manage containers using systemd user services, such as auto-starting containers with `podman generate systemd`.

What should I do if I get this EX200 question wrong?

Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.

What is the key concept behind this question?

Read the scenario before looking for a memorised answer.

About these practice questions

Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content. Learn why practice questions differ from exam dumps →

How Courseiva writes practice questions · Editorial policy

Same concept, more angles

1 more ways this is tested on EX200

These questions test the same concept from different angles. Work through them to make sure you can recognise it however the exam phrases it.

Variation 1. A system administrator wants to run a container that uses the rootless mode available in Podman. Which requirement must be met for rootless containers to work correctly?

easy
  • A.The container must be run with the '--privileged' flag.
  • B.The user must have entries in /etc/subuid and /etc/subgid for user namespace mapping.
  • C.The system must have cgroups v2 enabled.
  • D.The user must have root privileges to run the container.

Why B: Rootless Podman containers require user namespace mapping to assign subordinate UIDs and GIDs from the host to the container. Without entries in /etc/subuid and /etc/subgid for the user, Podman cannot allocate the necessary ID ranges, and the container will fail to run in rootless mode.

Last reviewed: Jun 11, 2026

Question Discussion

Share a tip, memory trick, or ask about the reasoning behind this question. Do not post real exam questions, leaked content, braindumps, or copyrighted exam material. Comments are moderated and may be removed without notice.

Loading comments…

Sign in to join the discussion.

This EX200 practice question is part of Courseiva's free Red Hat certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the EX200 exam.