Any container runtime which operates in a totally unprivileged mode and requires UID/GIDs outside the scope of the host OS will require some provisioning at the host OS level.
The documentation for user namespace cloning is here: https://man7.org/linux/man-pages/man7/user_namespaces.7.html
In the past, for Debian and CentOS distributions, I have achieved this through setting MAX_USER_NAMESPACES to a large number: https://docs.kernel.org/admin-guide/sysctl/user.html.
In the past, I believe the mnt namespace defaults have been sufficient for my needs, but it would be good to understand the defaults and ensure they are suitable, also documented here: https://docs.kernel.org/admin-guide/sysctl/user.html
@reidpr can you think of any other host system dependencies that a base operating system should provision to ensure the proper execution of an arbitrary unprivileged container?
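
An added example, not part of the original comment or any project's code: a POSIX shell check of the user and mnt namespace limits discussed above, as exposed under `/proc/sys/user`. The function names, the directory argument and the minimum threshold are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit per-user namespace limits before running an
# unprivileged container runtime. Function names are hypothetical.

# check_ns_limit DIR NAME MIN
# Prints one status line. Returns 0 if the limit is >= MIN,
# 1 if it is lower, 2 if the file is missing or not a number.
check_ns_limit() {
    cl_file="$1/$2"
    if [ ! -r "$cl_file" ]; then
        echo "MISSING $2"
        return 2
    fi
    cl_value=$(cat "$cl_file")
    case $cl_value in
        ''|*[!0-9]*) echo "INVALID $2=$cl_value"; return 2 ;;
    esac
    if [ "$cl_value" -lt "$3" ]; then
        # A limit of 0 means no namespace of this type can be created.
        echo "LOW $2=$cl_value (< $3)"
        return 1
    fi
    echo "OK $2=$cl_value"
    return 0
}

# audit_userns_host [DIR] [MIN]
# Checks the two limits named in the post. DIR defaults to the live
# sysctl directory; MIN defaults to 1 (an assumption: pick a value
# that matches how many containers the host is expected to run).
# Returns the number of failed checks (0 means the host passes).
audit_userns_host() {
    au_dir=${1:-/proc/sys/user}
    au_min=${2:-1}
    au_failures=0
    for au_name in max_user_namespaces max_mnt_namespaces; do
        check_ns_limit "$au_dir" "$au_name" "$au_min" \
            || au_failures=$((au_failures + 1))
    done
    return "$au_failures"
}

# Usage on a real host: audit_userns_host /proc/sys/user 1
```
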