bind mounting namespace inodes for unprivileged users
kzak at redhat.com
Wed May 4 08:44:03 UTC 2016
On Tue, May 03, 2016 at 02:20:56PM -0400, James Bottomley wrote:
> Right at the moment, unprivileged users cannot call mount --bind to
> create a permanent copy of any of their namespaces. This is annoying
> because it means that for entry to long running containers you have to
> spawn an undying process and use nsenter via the /proc/<pid>/ns files.
Well, unshare is able to create permanent namespaces and the bind
mounts and nsenter is able to follow these files, but you need root
permissions to create this stuff.
sudo unshare --uts=/home/kzak/ns
sudo nsenter --uts=/home/kzak/ns
It means you really do not need any process in the namespace.
Not sure about unprivileged users, it always sounds like a game with
Pandora's box ;-)
Karel Zak <kzak at redhat.com>
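The unshare/nsenter workflow sketched above, as an added example that is not from the original mail: it pins a UTS namespace to a file, shows that the file carries the same namespace inode a /proc/<pid>/ns/uts link would, enters it with nsenter while no process lives inside, and releases it. The directory /tmp/ns-demo and the hostname "inside-demo" are assumptions; like the commands in the mail it needs root, and the "make-private" step is there because binding a namespace file onto a shared mount (the default for / on systemd hosts) fails with EINVAL.

```shell
#!/bin/sh
# Added example, not code from the original message. Needs root.
set -eu

# Namespace identity as the kernel exposes it: the nsfs inode number.
# Works on /proc/<pid>/ns/* links and on a file a namespace was bound to.
ns_ident() {
    stat -L -c %i "$1"
}

demo() {
    dir=/tmp/ns-demo            # assumed location, not from the original mail
    nsfile="$dir/uts"

    # The bind target must sit on a private mount; a shared / makes the
    # namespace bind fail with "Invalid argument".
    mkdir -p "$dir"
    mount --bind "$dir" "$dir"
    mount --make-private "$dir"
    touch "$nsfile"             # unshare binds onto an existing file

    # Create the UTS namespace, pin it to the file, set a hostname inside it.
    # The child exits right away; nothing keeps running in the namespace.
    unshare --uts="$nsfile" hostname inside-demo

    # The pinned file is the namespace object itself, which is why nsenter
    # can follow it without any /proc/<pid>/ns entry.
    echo "pinned ns inode: $(ns_ident "$nsfile")"
    echo "caller ns inode: $(ns_ident /proc/self/ns/uts)"
    echo "inside: $(nsenter --uts="$nsfile" hostname)"   # inside-demo
    echo "host:   $(hostname)"                           # unchanged

    # Dropping the bind mount releases the namespace (no process holds it).
    umount "$nsfile"; rm -f "$nsfile"
    umount "$dir"; rmdir "$dir"
}

case ${1:-} in
    run) demo ;;
    *)   echo "usage: sudo $0 run" >&2 ;;
esac
```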