10 comments

[ 2.6 ms ] story [ 48.3 ms ] thread
I don't understand this point:

  - Fully userspace containers, no need for elevated privileges
The most basic Linux container is constructed with chroot and namespaces, both of which require root privileges (or at least CAP_SYS_CHROOT and CAP_SYS_ADMIN respectively). Additionally managing layers with a union filesystem, unless utilising FUSE, will also require elevated privileges.
It can have root inside the new user namespace, which - i assume - is sufficient to chroot in its mount namespace.
A more extensive look at the code, it requires the host root user to set `kernel.unprivileged_userns_clone=1` after which Vagga can perform privileged operations as a "root" user inside a user namespace.
Yes. But that's on debian (IIRC) kernel, i.e. the patched one. On stock kernel it requires CONFIG_USER_NS setting enabled, and it just works.
I just had a brief look at the tutorial, but it looks great! Kudos to the author!
Excellent avoidance of elevated privileges with CONFIG_USER_NS and it's easy to deploy. Great stuff!
..and it's implemented in Rust, w00t!
I wonder where they get their Rust musl static releases from? As you cannot bootstrap 1.7 with 1.6 you always need to use the officially tagged nightly snapshot for the particular release when building rust, which happens to be for glibc. So it's a pita to build and use rust with musl, unless it's part of the official release channels already.