On the subject of namespaces: I still need to look at providing a key ID and keyring name namespace.

Is it worth me just using the user_namespace? A number of parameters are per-UID (such as the key quotas), so it might very well make sense to do that. That way, user_namespace could actually be a credentials namespace.

If that is the case, CLONE_NEWUSER should also set up (clone?) the keys and keyrings attached to the parent. This possibly needs to be done anyway as the keys have UID and GID references that may be invalid in the new namespace. How do the UIDs and GIDs in different namespaces map, anyway?

Furthermore, some keys may actually represent foreign user details; perhaps NTFS or CIFS user IDs for example. Should those be discarded on CLONE_NEWUSER?

David
_______________________________________________
Containers mailing list
Containers@xxxxxxxxxxxxxxxxxxxxxxxxxx
https://lists.linux-foundation.org/mailman/listinfo/containers