bind mounting namespace inodes for unprivileged users

Karel Zak kzak at redhat.com
Wed May 4 08:44:03 UTC 2016


On Tue, May 03, 2016 at 02:20:56PM -0400, James Bottomley wrote:
> Right at the moment, unprivileged users cannot call mount --bind to
> create a permanent copy of any of their namespaces.  This is annoying
> because it means that for entry to long running containers you have to
> spawn an undying process and use nsenter via the /proc/<pid>/ns files.

Well, unshare is able to create permanent namespaces and the bind
mounts, and nsenter is able to follow these files, but you need root
permissions to create this stuff.

 touch /home/kzak/ns
 sudo unshare --uts=/home/kzak/ns
 <exit namespace>

 sudo nsenter --uts=/home/kzak/ns

It means you really do not need any process in the namespace.


Not sure about unprivileged users; it always sounds like a game with
Pandora's box ;-)

    Karel


-- 
 Karel Zak  <kzak at redhat.com>
 http://karelzak.blogspot.com
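The walk-through above, as an added example that is not part of the original mail: it pins a UTS namespace to a file with unshare(1), sets a hostname inside it, lets every process leave, and reads the hostname back through nsenter(1) using only the bind mount. The file path and the hostname value are constructed, and root (CAP_SYS_ADMIN) is required exactly as the mail says.

```shell
#!/bin/sh
# Added example, not the mail's own commands: verify that a bind-mounted
# namespace file keeps a UTS namespace alive with no process inside it.
# Requires root; the path and hostname below are constructed values.
persistent_uts_demo() {
    nsfile=${1:-/tmp/uts-demo.ns}      # bind-mount target (constructed)
    marker=persisted-uts               # hostname set inside the namespace

    # the bind mount needs an existing regular file as its mount point
    touch "$nsfile" || return 1

    # unshare creates the UTS namespace, bind-mounts /proc/self/ns/uts onto
    # the file, runs hostname inside the namespace and exits; the mount
    # alone now keeps the namespace referenced
    unshare --uts="$nsfile" hostname "$marker" || return 1

    # the caller's own UTS namespace must be untouched
    outer=$(hostname)

    # re-enter via the file only, with no helper process to attach to
    inner=$(nsenter --uts="$nsfile" hostname)

    # dropping the mount releases the last reference, so the kernel frees
    # the namespace; this is also how the persistent copy is removed
    umount "$nsfile" && rm -f "$nsfile"

    [ "$inner" = "$marker" ] && [ "$outer" != "$marker" ] && echo "$inner"
}
```

Running `persistent_uts_demo` as root prints `persisted-uts` while `hostname` on the host is unchanged, which is the "no process in the namespace" point made above.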

