On Wed, 2016-05-04 at 10:44 +0200, Karel Zak wrote:
> On Tue, May 03, 2016 at 02:20:56PM -0400, James Bottomley wrote:
> > Right at the moment, unprivileged users cannot call mount --bind to
> > create a permanent copy of any of their namespaces. This is annoying
> > because it means that for entry to long running containers you have to
> > spawn an undying process and use nsenter via the /proc/<pid>/ns files.
>
> Well, unshare is able to create permanent namespaces and the bind
> mounts and nsenter is able to follow these files, but you need root
> permissions to create this stuff.
>
> touch /home/kzak/ns
> sudo unshare --uts=/home/kzak/ns
> <exit namespace>
>
> sudo nsenter --uts=/home/kzak/ns
>
> it means you really do not need any process in the namespace.

Yes, I do this when I'm root.

> Not sure about unprivileged users, it always sounds like a game with
> Pandora's box ;-)

But that's currently my specific problem: binding a container when I'm
an unprivileged user. I was thinking of persuading mount to do it, but
unshare could as well, provided it's setuid root. I'm leery of
proliferating setuid root binaries, which is why I was looking at
mount, but I could easily (more easily than mount) make unshare do it
if that's preferred.

James
_______________________________________________
Containers mailing list
Containers@xxxxxxxxxxxxxxxxxxxxxxxxxx
https://lists.linuxfoundation.org/mailman/listinfo/containers
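The persistent-namespace procedure Karel quotes above (pre-create a stub file, `unshare --uts=FILE`, exit, then `nsenter --uts=FILE`) as a small shell script. This is an added example, not code from the thread or from util-linux; it assumes a Linux host with `/proc`, util-linux `unshare`/`nsenter`, and root for the privileged steps. The function names `ns_id`, `ns_same`, `ns_persist`, `ns_enter` and `ns_release`, and the path `/run/persist-uts`, are this example's own choices. `ns_persist` refuses to run unprivileged rather than failing on the bind mount, because that refusal is exactly the gap James describes; `ns_same` compares nsfs inodes, which is how you verify that a pinned file and `/proc/self/ns/uts` really are the same namespace (the same check nsenter relies on).

```shell
#!/bin/sh
# Added example (not from the thread): pin a namespace to a file with
# unshare, re-enter it with nsenter, and verify namespace identity.
# Assumes Linux /proc, util-linux unshare/nsenter, root for the
# privileged steps.  Run the demo with:  sudo sh persist-ns.sh --demo

# ns_id PATH: print "st_dev:st_ino" of the namespace file behind PATH.
# /proc/<pid>/ns/* are magic links onto nsfs inodes, and a bind mount of
# one of them exposes the same inode, so this id names the namespace.
ns_id() {
    stat -L -c '%d:%i' "$1" 2>/dev/null
}

# ns_same A B: return 0 if A and B refer to the same namespace, 1 if they
# differ, 2 if either path cannot be stat'ed.
ns_same() {
    a=$(ns_id "$1") || return 2
    b=$(ns_id "$2") || return 2
    if [ -n "$a" ] && [ "$a" = "$b" ]; then
        return 0
    fi
    return 1
}

# ns_persist KIND FILE: create a fresh KIND namespace (uts, ipc, net, ...)
# and keep it alive by bind-mounting it onto FILE.  The bind mount lands
# in the host mount namespace, which needs CAP_SYS_ADMIN there: this is
# the step an unprivileged user cannot do, so fail early and clearly.
ns_persist() {
    kind=$1 file=$2
    if [ "$(id -u)" -ne 0 ]; then
        echo "ns_persist: bind-mounting a namespace onto $file needs root" >&2
        return 1
    fi
    : >"$file" || return 1           # the bind-mount target must exist
    unshare "--$kind=$file" true     # 'true' exits; the mount keeps the ns alive
}

# ns_enter KIND FILE CMD...: run CMD inside the pinned namespace.
ns_enter() {
    kind=$1 file=$2
    shift 2
    nsenter "--$kind=$file" "$@"
}

# ns_release FILE: drop the pin (umount) and remove the stub file.
ns_release() {
    umount "$1" && rm -f "$1"
}

# Demo of the full round trip; only runs when asked for, as root.
if [ "${1:-}" = "--demo" ]; then
    f=/run/persist-uts                       # assumed scratch path
    ns_persist uts "$f" || exit 1
    ns_enter uts "$f" hostname pinned-host   # hostname inside the new uts ns
    ns_enter uts "$f" hostname               # prints pinned-host
    hostname                                 # host's own name, unchanged
    if ns_same /proc/self/ns/uts "$f"; then
        echo "unexpected: caller is already in the pinned namespace"
    else
        echo "pinned namespace differs from the caller's, as expected"
    fi
    ns_release "$f"
fi
```

Nothing here gets an unprivileged user past the problem in the thread: without root (or a setuid helper), `ns_persist` stops before `unshare`, and an unprivileged `unshare --user --mount` would only place the bind mount in its own mount namespace, which dies with the process.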