On Sun, 05 Feb 2023 at 21:23:18 +0100, Helmut Grohne wrote:
> What is needed to make this work? mmdebstrap --mode=unshare requires the
> following features:
> * unprivileged unsharing of user namespaces
> - This is prohibited on DSA machines via a sysctl
> - It works on most other systems
>
On Fri, 10 Feb 2023 at 12:58:50 +0100, Johannes Schauer Marin Rodrigues wrote:
> So the secret of
> bind-mounting proc in a privileged docker container is to use --rbind.
I assume this is because if you have "covered up" a sensitive or dangerous
part of /proc to stop processes inside the
Quoting Johannes Schauer Marin Rodrigues (2023-02-09 11:03:05)
> Quoting Helmut Grohne (2023-02-05 21:23:18)
> > * It must be possible to mount proc in the unshared user+mount+pid
> > namespace.
> > - This should always work but may be restricted by the container
> > technology for
Quoting Helmut Grohne (2023-02-05 21:23:18)
> * It must be possible to mount proc in the unshared user+mount+pid
> namespace.
> - This should always work but may be restricted by the container
> technology for some reason.
> - Test case: unshare -U -m -p -f -r --mount-proc true
>
Hi,
Quoting Helmut Grohne (2023-02-05 21:23:18)
> What packages would use this beyond mmdebstrap? I see at least chromium's
> sandbox using user namespaces for isolation (though with less required
> features). Adoption of user namespaces will probably grow.
there is also the autopkgtest of
Package: autopkgtest
Version: 5.28
Severity: wishlist
Control: affects -1 + src:mmdebstrap src:debvm
X-Debbugs-Cc: jo...@debian.org
Hi,
Paul asked me to take this to email and he's probably right. Johannes
Schauer repeatedly tried to test mmdebstrap --mode=unshare in
autopkgtests and reportedly