by general_failure 4022 days ago
Still no user namespace support? I don't get how one can use it for production websites without this. Especially if you run arbitrary containers from the docker registry. Or is this not the suggested model anymore?

Do any other container projects support user namespaces? I'm curious about what the implementation would look like. Several things change when a user namespace is added to the mix, such as the container not being able to create new device nodes. Would it be possible for unprivileged users to create containers that had network access or is a daemon running as root still necessary?
pflask (which I don't think anyone has heard of) and the latest version of nspawn.
I have heard of pflask. It's been a great resource for learning how containers really work, but I haven't been able to figure out how the user namespace stuff works. A container may have N users, root and a bunch of others; do they all need to be mapped to users on the host? I just don't know how to manage it. Enlightenment appreciated.
pflask author here (I'm a bit surprised to see it mentioned here really).

To answer your question, no, you don't need to map all the users inside the container to users on the host.

pflask user namespace support is quite limited right now: with the --user option you tell pflask to map the outside user that is running pflask to the inside user specified by the option. Let's say you run something like:

    $ sudo pflask --user=some_user ...
Since you are running pflask as root (sudo ...), pflask will map the "root" user outside of the container to the "some_user" user inside the container.

The whole point of this feature was the possibility of running pflask as non-root, so you could map a normal user on the host to the root user inside the container and still be able to call mount() (although there are several limitations). So it's only possible to map one user right now; however, it shouldn't be difficult to add another option to map additional users (feel free to open a GitHub issue if you need this).
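The single-user mapping described in the post above, as an added example (not pflask's or runc's code): it models the kernel's uid_map translation in Python so the consequences of mapping only one uid can be checked offline. The sample mappings are constructed, and the overflow uid is assumed to be the kernel default of 65534.

```python
"""Model the kernel's /proc/<pid>/uid_map translation, one "inside outside count"
triple per line, to see what a single-user mapping like pflask's implies.

Added example for this thread, not code from pflask or runc. The mappings used
are constructed; OVERFLOW_UID assumes the default /proc/sys/kernel/overflowuid.
"""
from typing import List, Optional, Tuple

OVERFLOW_UID = 65534  # "nobody": how an unmapped host uid appears inside

def parse_uid_map(text: str) -> List[Tuple[int, int, int]]:
    """Parse uid_map lines into (inside_start, outside_start, count) triples."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue  # tolerate blank lines
        if len(fields) != 3:
            raise ValueError(f"bad uid_map line: {line!r}")
        inside, outside, count = (int(f) for f in fields)
        if count < 1:
            raise ValueError(f"count must be >= 1: {line!r}")
        entries.append((inside, outside, count))
    return entries

def single_user_map(inside_uid: int, outside_uid: int) -> str:
    """The pflask --user style map: exactly one outside uid becomes one inside uid."""
    return f"{inside_uid} {outside_uid} 1\n"

def inside_to_outside(uid_map: str, inside_uid: int) -> Optional[int]:
    """Host uid behind a uid used inside; None if the kernel has no mapping,
    in which case setuid()/chown() to that uid fail inside with EINVAL."""
    for inside, outside, count in parse_uid_map(uid_map):
        if inside <= inside_uid < inside + count:
            return outside + (inside_uid - inside)
    return None

def outside_to_inside(uid_map: str, outside_uid: int) -> int:
    """Owner the container sees for a host file (e.g. on a shared volume)."""
    for inside, outside, count in parse_uid_map(uid_map):
        if outside <= outside_uid < outside + count:
            return inside + (outside_uid - outside)
    return OVERFLOW_UID  # unmapped host uids are squashed to nobody inside

if __name__ == "__main__":
    # The unprivileged case from the thread: host uid 1000 becomes root inside.
    m = single_user_map(0, 1000)
    print(m.strip(), "-> inside root acts as host uid", inside_to_outside(m, 0))
    print("inside uid 33 (unmapped) on the host:", inside_to_outside(m, 33))
    print("host-root-owned files seen from inside:", outside_to_inside(m, 0))
```

With only one uid mapped, the container cannot switch to any other uid, and every host file owned by an unmapped uid shows up as nobody inside, which is the shared-volume problem a uid-mapping design has to solve.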

Thanks! I've been writing my own container implementation for the GNU Guix project and your code has been a wonderful reference. Guix allows unprivileged package management, so I was hoping that my container tool could offer unprivileged containers via user namespaces.
There is support in runc (https://github.com/opencontainers/runc.git). It is still unsupported in docker, though.
We have implemented user namespace support in runC, which we announced today :) https://runc.io

Integration of user namespaces into the developer-facing tools is ongoing, but there is a design discussion to finish on how to best handle uid mapping without breaking shared volumes.

TLDR: if you want to customize your docker install to support user namespaces today, you should try runC.