On Wed, Feb 01, 2017 at 02:45:46AM -0500, Daniel Micay wrote:
> Application containers don't have a use for the user namespace quasi-root, and no one really needs the half-baked uid/gid mapping feature. There's no real reason for stuff being done that way beyond desktop Linux having the disease of inability to do plumbing in userspace, but instead putting everything in the kernel simply to have it universally available rather than for technical reasons.
>
> It would make sense to simply have a service spawning on-demand unpriv users from a range of uid/gid pairs. That's exactly how this works on Android for both apps and isolatedProcess services (they each get a unique uid/gid pair assigned), although they also layer SELinux and mount namespaces on top.
Cool :) thx for the explanation...

Cheers,
L.

-- 
Leonid Isaev
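The "service spawning on-demand unpriv users from a range of uid/gid pairs" design described in the quoted message, as an added example written for this page (it is not code from the thread, from Android, or from any existing project): a minimal uid broker that hands each sandboxed child a unique uid/gid pair from a reserved range, then forks, drops all three uids and gids to that pair, and execs the child. The range (100000 to 100127), the function names and the bitmap allocator are assumptions for illustration; the privilege-dropping order (supplementary groups, then gid, then uid, then verify) is the part a practitioner should copy.

```c
/* Added example (not code from the thread): a small "uid broker" that
 * assigns a unique uid/gid pair per sandbox from a reserved range and spawns
 * the child under that identity. Range bounds and names are assumptions. */
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Assumption: this range is reserved for the broker and nothing else on the
 * system (no /etc/passwd entries, no other id allocator) uses it. Each
 * sandbox gets id i for both its uid and its gid, as in the Android scheme. */
#define SANDBOX_ID_FIRST 100000u
#define SANDBOX_ID_COUNT 128u

/* Allocation bitmap: bit set means the id is handed out. */
static unsigned char in_use[(SANDBOX_ID_COUNT + 7) / 8];

/* Return the lowest free id in the range, or 0 when the pool is exhausted.
 * 0 can never be a sandbox id (it is root), so it is a safe error value. */
uid_t sandbox_id_alloc(void) {
    for (unsigned i = 0; i < SANDBOX_ID_COUNT; i++) {
        if (!(in_use[i / 8] & (1u << (i % 8)))) {
            in_use[i / 8] |= (unsigned char)(1u << (i % 8));
            return SANDBOX_ID_FIRST + i;
        }
    }
    return 0;
}

/* Give an id back. Rejects ids outside the range and double frees, so a
 * buggy caller cannot corrupt the bitmap. Returns 0 on success, -1 on error. */
int sandbox_id_free(uid_t id) {
    if (id < SANDBOX_ID_FIRST || id >= SANDBOX_ID_FIRST + SANDBOX_ID_COUNT)
        return -1;
    unsigned i = id - SANDBOX_ID_FIRST;
    if (!(in_use[i / 8] & (1u << (i % 8))))
        return -1;
    in_use[i / 8] &= (unsigned char)~(1u << (i % 8));
    return 0;
}

/* Count of ids currently handed out. */
unsigned sandbox_ids_in_use(void) {
    unsigned n = 0;
    for (unsigned i = 0; i < SANDBOX_ID_COUNT; i++)
        if (in_use[i / 8] & (1u << (i % 8))) n++;
    return n;
}

/* Drop the calling process to the given uid/gid pair. Order matters:
 * supplementary groups first, then gid, then uid, because once the uid is
 * unprivileged the earlier calls would fail. Real, effective and saved ids
 * are all set so the child cannot switch back to the broker's identity.
 * The final check catches a drop that silently did not take effect.
 * Returns 0 on success, -1 with errno set on failure. Needs CAP_SETUID and
 * CAP_SETGID in the broker. */
int drop_to_sandbox_id(uid_t id) {
    if (setgroups(0, NULL) < 0) return -1;
    if (setresgid(id, id, id) < 0) return -1;
    if (setresuid(id, id, id) < 0) return -1;
    if (getuid() != id || geteuid() != id || getgid() != id || getegid() != id) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

/* Allocate an id, fork, drop to it in the child and exec argv. On success
 * returns the child's pid and stores the id in *id_out; the caller waits for
 * the child and then calls sandbox_id_free(). Returns -1 on failure. */
pid_t spawn_sandboxed(char *const argv[], uid_t *id_out) {
    uid_t id = sandbox_id_alloc();
    if (id == 0) { errno = EAGAIN; return -1; }
    pid_t pid = fork();
    if (pid < 0) { sandbox_id_free(id); return -1; }
    if (pid == 0) {
        if (drop_to_sandbox_id(id) < 0) _exit(126);
        execvp(argv[0], argv);
        _exit(127);
    }
    *id_out = id;
    return pid;
}

int main(void) {
    char *const argv[] = { "id", NULL };   /* child just prints its identity */
    uid_t id;
    pid_t pid = spawn_sandboxed(argv, &id);
    if (pid < 0) { perror("spawn_sandboxed"); return 1; }
    int status = 0;
    waitpid(pid, &status, 0);
    sandbox_id_free(id);
    printf("child %d ran as uid/gid %u, exit status %d\n",
           (int)pid, (unsigned)id, WEXITSTATUS(status));
    return 0;
}
```

Run as root (or with CAP_SETUID and CAP_SETGID) the child's `id` output shows the allocated uid/gid; unprivileged, the child exits 126 because the drop is refused, which is the failure mode the explicit getuid/getgid check is there to surface. What this does not give you is the SELinux and mount-namespace layering the quoted message mentions on top of the per-app id; a unique uid/gid pair isolates processes from each other under DAC only.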