Oh! This reminds me; I know people ran into problems running docker on Fedora 31; perhaps we should add this to the docs and release notes 👍 I'll have a look at creating PR's for that

Should we update the dockerd-rootless.sh script to always add --experimental ? (if needed, we can make it print some warnings that rootless is still experimental)

I think we intentionally omitted that for keeping the script simple.
Users don't need to care in most cases, because the installer script creates the systemd unit file with --experimental

🤔 we could create a script that directly calls the API, and disables mount masks.

Could actually be a CLI plugin 🤔🤔

we already have --security-opt systempaths=unconfined, but seems not enough

$ docker run --rm --security-opt seccomp=unconfined --security-opt apparmor=unconfined --security-opt systempataths=unconfined --cap-add all docker:19.03.3-dind-rootless --experimental
...
mount: permission denied (are you root?)
time="2019-10-13T11:15:55Z" level=warning msg="failed to mount sysfs ([[mount -t sysfs none /sys]]), falling back to read-only mount ([[mount -t sysfs -o ro none /sys]]): exit status 1"
open: No such file or directory
[rootlesskit:child ] error: executing [[ip tuntap add name tap0 mode tap] [ip link set tap0 address 02:50:00:00:00:01]]: exit status 1

Interesting 🤔

setcap may not installed on all systems per default. You can do this conditionally by something like:

sudo if command -v setcap > /dev/null && sudo setcap cap_net_bind_service=ep $HOME/bin/rootlesskit

Anyway ... if the rootlesskit gets redeployed, the capabilities needs to be also set again. So using sysctl is the permanent way, but also less secure.