Closed cpuguy83 closed 2 years ago
Getting a feel for the kinds of things that are broken for user namespaces. Some upstream tests are just flat out wrong and do not work when userns is enabled because of incorrect assumptions.
Found that userns=host is also problematic because when userns is enabled, moby chowns all image files to the remapped root UID/GID... with userns=host
the user in the container is real root, but the file ownership is the garbage UID/GID that's used for the private userns.
To fix this we'll likely need to use a fuse fs to map the filesystem ownership on demand (similar to the solution I came up with to handle host bind mounts).
Abandoning this one for now, see the upstream tracking issue to follow along.
User namespaces are an important security feature that almost no one uses because it's really difficult to do. Just using user namespaces would have mitigated CVE-2019-5736, among others.
Making user namespaces easier to use and even enabled by default will help the whole industry.
https://github.com/moby/moby/pull/38795
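The ownership mismatch described in the thread, modelled as an added example (not moby code and not the author's): a daemon with userns-remap chowns image files to remapped root, which the kernel maps through `/proc/<pid>/uid_map`. The uid_map contents and the `100000` range start are constructed to match a typical `dockremap:100000:65536` subuid entry.

```python
"""Model of uid_map-based ownership remapping (constructed example, not moby code)."""
from dataclasses import dataclass
from typing import List, Optional

OVERFLOW_UID = 65534  # kernel default /proc/sys/kernel/overflowuid ("nobody")


@dataclass(frozen=True)
class IdRange:
    ns_start: int    # first id inside the namespace
    host_start: int  # first id on the host it maps to
    length: int


def parse_uid_map(text: str) -> List[IdRange]:
    """Parse /proc/<pid>/uid_map lines of the form '<ns-start> <host-start> <length>'."""
    ranges = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if len(parts) != 3:
            raise ValueError(f"malformed uid_map line: {line!r}")
        ranges.append(IdRange(int(parts[0]), int(parts[1]), int(parts[2])))
    return ranges


def to_host(ranges: List[IdRange], ns_uid: int) -> Optional[int]:
    """Namespace uid -> host uid; None if the id is not mapped."""
    for r in ranges:
        if r.ns_start <= ns_uid < r.ns_start + r.length:
            return r.host_start + (ns_uid - r.ns_start)
    return None


def owner_seen_in_container(file_host_uid: int, uid_map_text: str) -> int:
    """Host-side file owner -> uid a process in that namespace sees (overflow uid if unmapped)."""
    for r in parse_uid_map(uid_map_text):
        if r.host_start <= file_host_uid < r.host_start + r.length:
            return r.ns_start + (file_host_uid - r.host_start)
    return OVERFLOW_UID


# Constructed maps: a remapped container (subuid dockremap:100000:65536) and --userns=host (identity).
REMAPPED_UID_MAP = "0 100000 65536\n"
HOST_UID_MAP = "0 0 4294967295\n"

# The daemon chowns image files to remapped root, i.e. host uid 100000.
IMAGE_FILE_HOST_UID = to_host(parse_uid_map(REMAPPED_UID_MAP), 0)

if __name__ == "__main__":
    print("remapped container sees owner:", owner_seen_in_container(IMAGE_FILE_HOST_UID, REMAPPED_UID_MAP))
    print("userns=host container sees owner:", owner_seen_in_container(IMAGE_FILE_HOST_UID, HOST_UID_MAP))
```

Inside the remapped container the files look root-owned, while a `--userns=host` container (running as real root) sees owner 100000, which is the mismatch the thread describes.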