On Thu May 16, 2024 at 10:31 PM EEST, Jarkko Sakkinen wrote:
> On Thu May 16, 2024 at 10:29 PM EEST, Jarkko Sakkinen wrote:
> > On Thu May 16, 2024 at 10:07 PM EEST, Casey Schaufler wrote:
> > > I suggest that adding a capability set for user namespaces is a bad idea:
> > > - It is in no way obvious what problem it solves
> > > - It is not obvious how it solves any problem
> > > - The capability mechanism has not been popular, and relying on a
> > >   community (e.g. container developers) to embrace it based on this
> > >   enhancement is a recipe for failure
> > > - Capabilities are already more complicated than modern developers
> > >   want to deal with. Adding another, special purpose set, is going
> > >   to make them even more difficult to use.
> >
> > What, Inh, Prm, Eff, Bnd and Amb are not dead obvious to you? ;-)
> > One UNs cannot hurt...
> >
> > I'm not following containers that much, but weren't seccomp profiles
> > supposed to be the silver bullet?
>
> Also, I think the Kata Containers style way of doing containers is pretty
> solid. I've heard that some video streaming service, at least in the recent
> past, did launch a VM per stream, so it's not like VMs cannot be made to
> scale, I guess.

Sorry for the multiple responses, but this actually nails the key question:
who will use this?

Even if this would work out somehow, is there someone who will actually
use this, and not one of the few other, more robust solutions available? I
mean, is it worth the time to maintain it if there are no potential users
for the feature?

In addition to "show me the code", there is always also "show me the
payload".

BR, Jarkko