On 2020-10-29, Eric W. Biederman <ebiederm@xxxxxxxxxxxx> wrote:
> Christian Brauner <christian.brauner@xxxxxxxxxx> writes:
>
> > Hey everyone,
> >
> > I vanished for a little while to focus on this work here so sorry for
> > not being available by mail for a while.
> >
> > Since quite a long time we have issues with sharing mounts between
> > multiple unprivileged containers with different id mappings, sharing a
> > rootfs between multiple containers with different id mappings, and also
> > sharing regular directories and filesystems between users with different
> > uids and gids. The latter use-cases have become even more important with
> > the availability and adoption of systemd-homed (cf. [1]) to implement
> > portable home directories.
>
> Can you walk us through the motivating use case?
>
> As of this year's LPC I had the distinct impression that the primary use
> case for such a feature was due to the RLIMIT_NPROC problem where two
> containers with the same users still wanted different uid mappings to
> the disk because the users were conflicting with each other because of
> the per user rlimits.
>
> Fixing rlimits is straight forward to implement, and easier to manage
> for implementations and administrators.

This is separate to the question of "isolated user namespaces" and
managing different mappings between containers. This patchset is solving
the same problem that shiftfs solved -- sharing a single directory tree
between containers that have different ID mappings. Neither rlimits nor
any of the other proposals we discussed at LPC will help with this
problem.

--
Aleksa Sarai
Senior Software Engineer (Containers)
SUSE Linux GmbH
<https://www.cyphar.com/>