[arch-general] [arch-dev-public] linux 3.16 in [testing]
Daniel Micay
danielmicay at gmail.com
Wed Aug 13 19:18:48 EDT 2014
On 13/08/14 01:21 PM, Mihamina Rakotomandimby wrote:
> On 08/13/2014 08:09 PM, Leonid Isaev wrote:
>> As you know, user_ns is a necesary prerequisite for unpriviileged
>> containers:
>> https://www.stgraber.org/2014/01/17/lxc-1-0-unprivileged-containers/
>> . AFAIU,
>> currently only Ubuntu 14.04 supports those.
>>
>> However, I agree with you that CONFIG_USER_NS is better left disabled
>> in -ARCH
>> kernels. After all, people using containers should be able to compile
>> a custom
>> kernel...
>
> Hi all,
>
> One use case of using LXC might be to want to quicky have a virtual
> environment running.
>
> Easing the work by defaulting to a ready-to-work kernel would be nice.
>
> Regards.
Containers work fine without CONFIG_USER_NS. You just can't spawn them
without being a privileged user. There's a good reason for that, as
shown by the endless stream of local root exploits via user namespaces.
Having uid 0 or root equivalent capabilities in a container with or
without user namespaces is equivalent to root access on the host due to
flaws in the implementation. By removing the check for a privileged
user, upstream just guaranteed that sane distributions are not going to
enable the feature (at least without patching it, which isn't Arch's style).
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <http://mailman.archlinux.org/pipermail/arch-general/attachments/20140813/5d65fa44/attachment.asc>
More information about the arch-general
mailing list