The bwrap main process will write the JSON into those options as soon as it forks:
https://github.com/containers/bubblewrap/blob/8e51677abd7e3338e4952370bf7d902e37d8cbb6/bubblewrap.c#L2922
However, the child process still has a lot of initialization steps left.
This can result in difficult-to-diagnose concurrency bugs. I experienced this when trying to write to the /proc/sys/user/max_* files. When you acquire a user namespace file descriptor from a child PID it can either be the direct child user namespace or a child user namespace with an intermediate parent, depending on how far into initialization the child is (when using the --dev option).
At least this concurrency should be documented in the man page.
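An added example (not code from bubblewrap or from the commenter) of how a wrapper can cope with the race described above instead of assuming which namespace it got: it reads the child PID from the `--json-status-fd` stream (the first line is a `{"child-pid": N}` object), then walks `NS_GET_PARENT` from `/proc/<pid>/ns/user` up to its own user namespace and counts the levels, so a direct child (depth 1) can be told apart from one with an intermediate parent (depth 2). The ioctl numbers are taken from `<linux/nsfs.h>`; the `wait_for_child_userns` helper, its polling interval and timeout, and the bwrap command line in the usage comment are assumptions made for this example, not bubblewrap behaviour.

```python
"""Added example: find how deep a bwrap child's user namespace sits below ours,
and poll until it reaches the depth we expect before using the fd."""
import errno
import fcntl
import json
import os
import subprocess
import sys
import time

# Request numbers from <linux/nsfs.h>: _IO(0xb7, nr) == (0xb7 << 8) | nr
NSIO = 0xB7
NS_GET_USERNS = (NSIO << 8) | 0x1  # owning user namespace of any ns fd
NS_GET_PARENT = (NSIO << 8) | 0x2  # parent of a user or pid namespace fd


def child_pid_from_status(lines):
    """Extract the child PID from --json-status-fd output (one JSON object per
    line; the first carries "child-pid", later ones "exit-code"). None if absent."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        obj = json.loads(line)
        if "child-pid" in obj:
            return int(obj["child-pid"])
    return None


def same_ns(fd_a, fd_b):
    """Two namespace fds name the same namespace iff (st_dev, st_ino) match."""
    a, b = os.fstat(fd_a), os.fstat(fd_b)
    return (a.st_dev, a.st_ino) == (b.st_dev, b.st_ino)


def userns_depth(ns_fd, ancestor_fd):
    """Count user-namespace levels from ns_fd up to ancestor_fd.

    0: same namespace; 1: direct child; 2: a grandchild, i.e. an intermediate
    namespace sits in between; -1: ancestor_fd not reached before the kernel
    refused (EPERM: outside our scope, ENOENT: initial ns has no parent).
    Neither input fd is closed."""
    cur = os.dup(ns_fd)
    depth = 0
    try:
        while not same_ns(cur, ancestor_fd):
            try:
                parent = fcntl.ioctl(cur, NS_GET_PARENT)  # returns a new fd
            except OSError as e:
                if e.errno in (errno.EPERM, errno.ENOENT):
                    return -1
                raise
            os.close(cur)
            cur = parent
            depth += 1
        return depth
    finally:
        os.close(cur)


def self_userns_depth():
    """Sanity check: our own user namespace is at depth 0 relative to itself.
    Returns None on systems without /proc/self/ns/user."""
    try:
        fd = os.open("/proc/self/ns/user", os.O_RDONLY)
    except OSError:
        return None
    try:
        return userns_depth(fd, fd)
    finally:
        os.close(fd)


def wait_for_child_userns(pid, want_depth, timeout=2.0):
    """Assumed workaround for the race: the PID is published right after fork,
    before the child has finished its own unshare() calls, so the first fd we
    open may belong to an earlier stage. Poll /proc/<pid>/ns/user until it is
    want_depth levels below our namespace; return that fd, or None on timeout
    or if the child is already gone."""
    me = os.open("/proc/self/ns/user", os.O_RDONLY)
    deadline = time.monotonic() + timeout
    try:
        while True:
            try:
                fd = os.open(f"/proc/{pid}/ns/user", os.O_RDONLY)
            except FileNotFoundError:
                return None
            if userns_depth(fd, me) == want_depth:
                return fd
            os.close(fd)
            if time.monotonic() >= deadline:
                return None
            time.sleep(0.01)
    finally:
        os.close(me)


if __name__ == "__main__":
    # Usage (assumed command line): python3 userns_depth.py 2 --unshare-user --dev /dev --ro-bind / / sleep 5
    want = int(sys.argv[1])
    r, w = os.pipe()
    proc = subprocess.Popen(["bwrap", "--json-status-fd", str(w), *sys.argv[2:]], pass_fds=(w,))
    os.close(w)
    status = os.fdopen(r)
    pid = child_pid_from_status([status.readline()])
    fd = wait_for_child_userns(pid, want) if pid is not None else None
    if fd is None:
        print(f"no user namespace at depth {want} for pid {pid}")
    else:
        print(f"got user namespace fd {fd} for pid {pid} at depth {want}")
        os.close(fd)
    proc.wait()
    status.close()
```

Polling by depth is only a heuristic: once the child execs, its namespace is final, so if the depth you wait for is never reached the timeout path tells you that you were too late rather than hanging the wrapper.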