by davexunit 4022 days ago
I have heard of pflask. It's been a great resource for learning how containers really work, but I haven't been able to figure out how the user namespace stuff works. A container may have N users, root and a bunch of others; do they all need to be mapped to users on the host? I just don't know how to manage it. Enlightenment appreciated.

pflask author here (I'm a bit surprised to see it mentioned here really).

To answer your question, no, you don't need to map all the users inside the container to users on the host.

pflask user namespace support is quite limited right now: with the --user option you tell pflask to map the outside user that is running pflask to the inside user specified by the option. Let's say you run something like:

    $ sudo pflask --user=some_user ...
Since you are running pflask as root (sudo ...), pflask will map the "root" user outside of the container to the "some_user" user inside the container.

The whole point of this feature was the possibility of running pflask as non-root, so you could map a normal user on the host to the root user inside the container and still be able to call mount() (although there are several limitations). So it's only possible to map one user right now; however, it shouldn't be difficult to add another option to map additional users (feel free to open a GitHub issue if you need this).
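To make the single-user mapping concrete, here is an added C example (not pflask's own code) that writes the one-entry uid/gid map the reply describes and shows what an unmapped host id looks like from inside the namespace. The function names are mine, and the demo in main assumes the host allows unprivileged user namespaces.

```c
#define _GNU_SOURCE
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define OVERFLOW_ID 65534u   /* kernel default for ids absent from the map (proc(5) overflowuid) */

/* The one-line map "<inside> <outside> 1" that pflask's single --user mapping amounts to,
 * in the format the kernel expects in /proc/<pid>/uid_map and gid_map. Static buffer. */
const char *single_map_line(unsigned inside, unsigned outside) {
    static char line[48];
    snprintf(line, sizeof line, "%u %u 1\n", inside, outside);
    return line;
}

/* What the namespace sees for a host id under that one-entry map: the mapped id, or the
 * overflow id for everything else. The container's other users need no host counterpart. */
unsigned host_to_container(unsigned inside, unsigned outside, unsigned host_id) {
    return host_id == outside ? inside : OVERFLOW_ID;
}

/* Install the map for a process that already entered a user namespace. Unprivileged callers
 * may map only their own uid/gid and, since Linux 3.19, must write "deny" to setgroups first. */
int write_single_map(pid_t pid, const char *file, unsigned inside, unsigned outside) {
    char path[64];
    snprintf(path, sizeof path, "/proc/%d/%s", (int)pid, file);
    FILE *f = fopen(path, "w");
    if (!f) return -1;
    int ok = fputs(single_map_line(inside, outside), f) != EOF;
    return (fclose(f) == 0 && ok) ? 0 : -1;
}

/* Stand-alone demo: become root inside a fresh user namespace as a normal host user. */
int main(void) {
    unsigned host_uid = getuid(), host_gid = getgid();
    if (unshare(CLONE_NEWUSER) != 0) { perror("unshare(CLONE_NEWUSER)"); return 1; }
    FILE *sg = fopen("/proc/self/setgroups", "w");
    if (!sg || fputs("deny", sg) == EOF || fclose(sg) != 0) { perror("setgroups"); return 1; }
    if (write_single_map(getpid(), "uid_map", 0, host_uid) != 0 ||
        write_single_map(getpid(), "gid_map", 0, host_gid) != 0) { perror("id map"); return 1; }
    printf("host uid %u is uid %u in here; unmapped host uid %u appears as %u\n", host_uid,
           (unsigned)getuid(), host_uid + 1, host_to_container(0, host_uid, host_uid + 1));
    return 0;
}
```

Run it as an ordinary user; after the maps are written, getuid() inside the namespace reports 0 while every other host id, including files owned by them, shows up as the overflow id (the "nobody" you see in `ls -l` from inside such a container).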

Thanks! I've been writing my own container implementation for the GNU Guix project and your code has been a wonderful reference. Guix allows unprivileged package management, so I was hoping that my container tool could offer unprivileged containers via user namespaces.