>> anyway. is there a reason this is not enabled now? >> all the mainstream distros hae it enabled now Fedora, RHEL/CentOS 7, >> Ubuntu and Debian (at least on the backported kernel) > > I'd think about it, if the feature wasn't entirely useless. Despite the > lack of official documentation, I found a document that described how it > worked. After reading that document I concluded that the feature is a > huge potential security risk with no actual benefit. What security risk exactly? There was one that I know of, and it was fixed. > If you give me a valid use case for USER_NS, I might reconsider, but > every use case I can imagine is crushed by the limitations of the > implementation. The use case is that you don't need root access to start a container. I can run Firefox with a limited view to the filesystem for example, as a normal user. Or limited view to the network, for ex. just ipv4, just ipv6, just vpn. -- damjan
