https://www.freedesktop.org/software/systemd/man/devel/systemd-nsresourced.service.html
systemd-nsresourced is a system service that permits transient delegation of a UID/GID range to a user namespace (see user_namespaces(7)) allocated by a client, via a Varlink IPC API.
Unprivileged clients may allocate a user namespace, and then request a UID/GID range to be assigned to it via this service. The user namespace may then be used to run containers and other sandboxes, and/or apply it to an id-mapped mount.
https://www.freedesktop.org/software/systemd/man/devel/systemd-nsresourced.service.html