On Tue, May 03, 2016 at 02:20:56PM -0400, James Bottomley wrote:
> Right at the moment, unprivileged users cannot call mount --bind to
> create a permanent copy of any of their namespaces. This is annoying
> because it means that for entry to long running containers you have to
> spawn an undying process and use nsenter via the /proc/<pid>/ns files.

Well, unshare is able to create permanent namespaces and the bind mounts
and nsenter is able to follow these files, but you need root permissions
to create this stuff.

    touch /home/kzak/ns
    sudo unshare --uts=/home/kzak/ns
    <exit namespace>
    sudo nsenter --uts=/home/kzak/ns

it means you really do not need any process in the namespace. Not sure
about unprivileged users, it always sounds like a game with Pandora's
box ;-)

    Karel

-- 
 Karel Zak <kzak@xxxxxxxxxx>
 http://karelzak.blogspot.com
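
Since a namespace pinned this way has no process in it, it will not show up in a process listing. As an added example (not part of the original message), this sketch finds such pinned namespaces from mountinfo-format input. It assumes the kernel reports the bind mounts with filesystem type nsfs and a root of the form type:[inode]; the sample lines and the /run/netns/demo path are constructed.

```shell
#!/bin/sh
# Added example: list namespaces kept alive by bind mounts (no process needed).
# Input is /proc/<pid>/mountinfo format, see proc(5):
#   ID PARENT MAJ:MIN ROOT MOUNTPOINT OPTS [optional fields] - FSTYPE SOURCE SUPEROPTS
# Assumption: the kernel reports these mounts as fstype "nsfs", root "type:[inode]".

list_pinned_ns() {
    # Reads mountinfo lines on stdin, prints "TYPE INODE MOUNTPOINT" per nsfs mount.
    # Spaces in paths are escaped as \040 by the kernel, so field splitting is safe.
    awk '
    {
        # Optional fields vary in number; find the "-" separator first.
        sep = 0
        for (i = 7; i <= NF; i++) if ($i == "-") { sep = i; break }
        if (sep == 0 || $(sep + 1) != "nsfs") next

        root = $4                       # e.g. uts:[4026532508]
        n = index(root, ":[")
        if (n == 0 || substr(root, length(root)) != "]") next
        type  = substr(root, 1, n - 1)
        inode = substr(root, n + 2, length(root) - n - 2)
        print type, inode, $5
    }'
}

sample_mountinfo() {
    # Constructed sample lines; IDs and inode numbers are made up.
    cat <<'EOF'
22 27 0:21 / /proc rw,nosuid,nodev,noexec,relatime shared:12 - proc proc rw
310 27 0:4 uts:[4026532508] /home/kzak/ns rw shared:180 - nsfs nsfs rw
311 27 0:4 net:[4026532600] /run/netns/demo rw shared:181 - nsfs nsfs rw
EOF
}

# Demo on the constructed sample; on a live host run:
#   list_pinned_ns < /proc/self/mountinfo
sample_mountinfo | list_pinned_ns
```

mountinfo only covers the mount namespace of the process it is read from, so a bind mount made inside another mount namespace has to be looked up through a process in that namespace.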