[arch-general] user namespaces

Leonid Isaev leonid.isaev at jila.colorado.edu
Wed Feb 1 08:14:41 UTC 2017


On Wed, Feb 01, 2017 at 02:45:46AM -0500, Daniel Micay wrote:
> Application containers don't have a use for the user namespace quasi
> root and no one really needs the half baked uid/gid mapping feature.
> There's no real reason for stuff being done that way beyond desktop
> Linux having the disease of inability to do plumbing in userspace, but
> instead putting everything in the kernel simply to have it universally
> available rather than for technical reasons.
> 
> It would make sense to simply have a service spawning on-demand unpriv
> users from a range of uid/gid pairs. That's exactly how this works on
> Android for both apps and isolatedProcess services (they each get a
> unique uid/gid pair assigned), although they also layer SELinux and
> mount namespaces on top.

Cool :) thx for the explanation...

Cheers,
L.

-- 
Leonid Isaev
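The design Daniel describes above (a privileged service handing each app a unique uid/gid pair from a reserved range and spawning it under that pair, no user namespace involved) is easy to show in plain C. The following is an added example, not code from the thread, from Arch, or from Android; the reserved range 10000..10999 and the single-process "spawner" shape are assumptions for illustration. The pool allocator and the privilege-drop routine are separate functions so the allocator can be exercised without root, while the actual id switch needs root (or CAP_SETUID/CAP_SETGID) to succeed.

```c
/* Added example (not from the mailing list thread): a minimal per-app
 * uid/gid spawner in the style described above, using ordinary
 * setgroups()/setgid()/setuid() rather than user namespaces. */
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Assumed, hypothetical id range reserved for sandboxed apps. */
#define APP_ID_FIRST 10000u
#define APP_ID_COUNT 1000u

/* Allocator state: one bit per uid/gid pair in the reserved range. */
struct id_pool {
    unsigned char used[(APP_ID_COUNT + 7) / 8];
};

static int pool_is_used(const struct id_pool *p, unsigned idx) {
    return (p->used[idx / 8] >> (idx % 8)) & 1u;
}

/* Returns an unused id (used as both uid and gid), or 0 on exhaustion. */
uid_t pool_alloc(struct id_pool *p) {
    for (unsigned i = 0; i < APP_ID_COUNT; i++) {
        if (!pool_is_used(p, i)) {
            p->used[i / 8] |= (unsigned char)(1u << (i % 8));
            return (uid_t)(APP_ID_FIRST + i);
        }
    }
    return 0;
}

/* Returns an id to the pool; -1 if it is outside the range or not in use. */
int pool_free(struct id_pool *p, uid_t id) {
    if (id < APP_ID_FIRST || id >= APP_ID_FIRST + APP_ID_COUNT) return -1;
    unsigned i = (unsigned)(id - APP_ID_FIRST);
    if (!pool_is_used(p, i)) return -1;
    p->used[i / 8] &= (unsigned char)~(1u << (i % 8));
    return 0;
}

/* Drop from root to the given uid/gid pair permanently. Order matters:
 * supplementary groups first, then gid, then uid, because once the uid
 * is no longer 0 the first two calls would fail. The result is verified
 * by re-reading the ids and checking that root cannot be regained. */
int drop_to(uid_t id) {
    if (setgroups(0, NULL) != 0) return -1;
    if (setgid((gid_t)id) != 0) return -1;
    if (setuid(id) != 0) return -1;
    if (getuid() != id || geteuid() != id ||
        getgid() != (gid_t)id || getegid() != (gid_t)id)
        return -1;
    if (setuid(0) == 0) return -1;   /* must fail after a real drop */
    return 0;
}

/* Fork and exec argv[] under a freshly allocated id. Returns the child
 * pid, or -1 (with errno set) if no id is free or fork() fails. The
 * child exits 126 if the drop fails, so it never runs the app as root. */
pid_t spawn_app(struct id_pool *p, char *const argv[]) {
    uid_t id = pool_alloc(p);
    if (id == 0) { errno = EAGAIN; return -1; }
    pid_t pid = fork();
    if (pid < 0) { pool_free(p, id); return -1; }
    if (pid == 0) {
        if (drop_to(id) != 0) _exit(126);
        execvp(argv[0], argv);
        _exit(127);
    }
    return pid;
}

int main(void) {
    static struct id_pool pool;
    char *const argv[] = { "id", NULL };
    if (geteuid() != 0) {
        fprintf(stderr, "run as root to actually switch ids\n");
        return 1;
    }
    pid_t pid = spawn_app(&pool, argv);
    if (pid < 0) { perror("spawn_app"); return 1; }
    int st;
    if (waitpid(pid, &st, 0) < 0) { perror("waitpid"); return 1; }
    return WIFEXITED(st) ? WEXITSTATUS(st) : 1;
}
```

Run as root, `main` spawns `id` under uid/gid 10000 and the output shows that id with no supplementary groups. In a real service the pool would be persisted and each app would keep its id across launches, and mount namespaces or an LSM policy would be layered on top as the quoted text notes; that part is out of scope here.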

