Kernel 4.14.74 enabled user namespaces
The 4.14.73 kernel was compiled only a few days ago:
http://bkhome.org/news/201809/kernel-41473-ethernet-bridge.html
It has namespaces support, all except user namespaces, because I had read various reports about user namespaces being trouble.
However, I want to explore user namespaces in containers, so I have now enabled it in the compile of the 4.14.74 kernel. That is the only configuration difference:
General setup
Namespaces support
[*] User namespaces
With so much happening, I should think about getting out the next Easy, version 0.9.7, soon.
EDIT 2018-10-8
Reverted, going back to the 4.14.73 kernel with user namespaces disabled. I will keep it disabled for future compiles of the kernel. I have been reading some more, and user namespaces seem like asking for trouble. Plus, as Easy is already running as root, there doesn't seem much point in having user namespaces.
What I do want to be able to do is optionally run as user 'zeus' in containers. I was unable to get pflask to do that. Rather than get tied up trying to "fix" pflask, perhaps this is a satisfactory workaround:
# pflask -- chroot --userspec=zeus:zeus /mnt/sdc2/containers/sh0/container whoami
zeus
Well, that's a starting point, but it has limitations. If pflask drops capabilities, I will have to make sure that the container still has the capabilities needed to chroot and to change user:group (CAP_SYS_CHROOT, CAP_SETUID and CAP_SETGID), which, oddly, may mean zeus will end up with more capabilities than the "crippled root", though a start-script in the container could drop more capabilities.
Also, the full 'chroot' from the 'coreutils' package is required, as the busybox applet does not support that command-line option.
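The capability question above can be checked rather than guessed. The following script is an added example, not code from the original post nor from pflask or EasyOS: it decodes the CapEff mask that the kernel prints in /proc/<pid>/status and reports whether a process still holds the three capabilities that `chroot --userspec=zeus:zeus` needs. The sample masks it runs over are constructed (full root, a reduced set that keeps the three bits, a set missing CAP_SYS_CHROOT, and an empty set); the function names and the minimal status-file layout are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post or from pflask: decode the
# capability masks in a /proc/<pid>/status file and report whether the
# process could still carry out `chroot --userspec=zeus:zeus ...`.
# Capability numbers are from <linux/capability.h>.

cap_number() {
    case "$1" in
        CAP_SETGID)     echo 6 ;;
        CAP_SETUID)     echo 7 ;;
        CAP_SYS_CHROOT) echo 18 ;;
        *) echo "unknown capability: $1" >&2; return 1 ;;
    esac
}

# cap_in_mask HEXMASK CAPNUM: succeed if bit CAPNUM is set in HEXMASK
# (HEXMASK is the 16-digit hex string the kernel prints for CapEff etc.)
cap_in_mask() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# status_field NAME FILE: print the value of the "NAME:" line in FILE
status_field() {
    awk -v f="$1:" '$1 == f { print $2 }' "$2"
}

# check_userspec_caps FILE: print "ok" and succeed if CapEff in FILE holds
# every capability chroot --userspec needs; otherwise print "missing: ..."
# and fail.  Pass /proc/self/status to check the live process.
check_userspec_caps() {
    eff=$(status_field CapEff "$1")
    missing=""
    for c in CAP_SYS_CHROOT CAP_SETUID CAP_SETGID; do
        cap_in_mask "$eff" "$(cap_number "$c")" || missing="$missing $c"
    done
    if [ -z "$missing" ]; then
        echo ok
        return 0
    fi
    echo "missing:$missing"
    return 1
}

# write_sample_status FILE HEXMASK: write a constructed, minimal
# /proc/<pid>/status look-alike with the given CapEff (demo input only).
write_sample_status() {
    printf 'Name:\tsh\nUid:\t0\t0\t0\t0\nCapEff:\t%s\nCapBnd:\t0000003fffffffff\n' "$2" > "$1"
}

# Demo over constructed masks: full root, a reduced "crippled root" that
# keeps the three needed bits, a set without CAP_SYS_CHROOT, and the empty
# set a process is left with after switching from uid 0 to zeus.
main() {
    d=$(mktemp -d)
    write_sample_status "$d/full"     0000003fffffffff
    write_sample_status "$d/reduced"  00000000a80425fb
    write_sample_status "$d/nochroot" 00000000000000c0
    write_sample_status "$d/zeus"     0000000000000000
    for f in full reduced nochroot zeus; do
        printf '%-8s %s\n' "$f" "$(check_userspec_caps "$d/$f")"
    done
    rm -rf "$d"
}

main
```

Inside a pflask container, `check_userspec_caps /proc/self/status` run as the "crippled root" before the chroot tells you whether the workaround can work at all. One caveat worth knowing when weighing the "zeus ends up with more capabilities" worry: when a process switches all of its uids from 0 to a non-zero value, the kernel clears its permitted and effective capability sets (see capabilities(7); only SECBIT_KEEP_CAPS changes this), so zeus's CapEff looks like the last sample regardless of what root held. What zeus does inherit is the bounding set (CapBnd), which a start-script can trim before exec with, for example, `capsh --drop=cap_sys_admin,cap_net_raw -- -c '...'`.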
Tags: easy