by davexunit 4022 days ago
Do any other container projects support user namespaces? I'm curious about what the implementation would look like. Several things change when a user namespace is added to the mix, such as the container not being able to create new device nodes. Would it be possible for unprivileged users to create containers that had network access or is a daemon running as root still necessary?
1 comments

pflask (which I don't think anyone has heard of) and the latest version of nspawn.
I have heard of pflask. It's been a great resource for learning how containers really work, but I haven't been able to figure out how the user namespace stuff works. A container may have N users, root and a bunch of others; do they all need to be mapped to users on the host? I just don't know how to manage it. Enlightenment appreciated.
pflask author here (I'm a bit surprised to see it mentioned here really).

To answer your question, no, you don't need to map all the users inside the container to users on the host.

pflask user namespace support is quite limited right now: with the --user option you tell pflask to map the outside user that is running pflask to the inside user specified by the option. Let's say you run something like:

    $ sudo pflask --user=some_user ...
Since you are running pflask as root (sudo ...), pflask will map the "root" user outside of the container to the "some_user" user inside the container.

The whole point of this feature was the possibility of running pflask as non-root, so you could map a normal user on the host to the root user inside the container and still be able to call mount() (although there are several limitations), so it's only possible to map one user right now; however, it shouldn't be difficult to add another option to map additional users (feel free to open a GitHub issue if you need this).
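As an added illustration of the single-user mapping described above (example code written for this thread, not pflask's own source), the following C program enters a new user namespace with unshare(CLONE_NEWUSER) and writes the one uid_map/gid_map line an unprivileged process is allowed to write, mapping the host user running it to a chosen inside uid such as 0. The function names are mine, and the result depends on the kernel permitting unprivileged user namespaces.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Write a short string to a /proc file in a single write(2) call. */
static int write_file(const char *path, const char *text)
{
    int fd = open(path, O_WRONLY);
    if (fd < 0) return -1;
    ssize_t len = (ssize_t)strlen(text);
    int rc = write(fd, text, (size_t)len) == len ? 0 : -1;
    close(fd);
    return rc;
}

/* Enter a fresh user namespace and map the calling host user to inside_uid.
   An unprivileged process may map only its own uid/gid, and only once, which is
   why one "outside user -> inside user" pair is all that can be set up without
   root. Returns the effective uid now seen inside, or -1 with errno set. */
int enter_userns_as(unsigned inside_uid)
{
    char map[64];
    uid_t outside_uid = geteuid();
    gid_t outside_gid = getegid();
    if (unshare(CLONE_NEWUSER) != 0) return -1;
    snprintf(map, sizeof map, "%u %u 1\n", inside_uid, (unsigned)outside_uid);
    if (write_file("/proc/self/uid_map", map) != 0) return -1;
    /* "deny" must precede an unprivileged gid_map write; the file is absent
       on kernels older than 3.19, where it is not required. */
    if (write_file("/proc/self/setgroups", "deny") != 0 && errno != ENOENT) return -1;
    snprintf(map, sizeof map, "%u %u 1\n", inside_uid, (unsigned)outside_gid);
    if (write_file("/proc/self/gid_map", map) != 0) return -1;
    return (int)geteuid();
}

/* Do the mapping in a forked child so the caller keeps its own namespace.
   Returns 1 if the child became inside_uid, 0 if the kernel refused the
   namespace or the mapping (e.g. unprivileged userns disabled), -1 on error. */
int probe_mapping(unsigned inside_uid)
{
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0)
        _exit(enter_userns_as(inside_uid) == (int)inside_uid ? 0 : 1);
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status) == 0 ? 1 : 0;
}
```

Calling probe_mapping(0) from an ordinary account reports 1 when the host user now appears as root inside the namespace; a second mapping line cannot be added afterwards, which is the limitation the post describes.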

Thanks! I've been writing my own container implementation for the GNU Guix project and your code has been a wonderful reference. Guix allows unprivileged package management, so I was hoping that my container tool could offer unprivileged containers via user namespaces.