Closed justincormack closed 8 years ago
Hmmm ya that was kinda a Jess "feature" but open to removing it
On Wednesday, July 13, 2016, Justin Cormack notifications@github.com wrote:
riddler seems to always output userns mappings, even though I don't have user namespaces enabled right now.
Jessie Frazelle 4096R / D4C4 DD60 0D66 F65A 8EFC 511E 18F3 685C 0022 BFF3 pgp.mit.edu http://pgp.mit.edu/pks/lookup?op=get&search=0x18F3685C0022BFF3
but of course! :) ok, more seriously--you mean you are running a kernel w/no userns support?
now that there are flags for idlen/idroot, could possibly use their "unset" state as a way to determine not to configure userns?
No, I have support; actually, I was getting some other issues and noticed this (permission denied creating device nodes from containerd, which was odd).
(I just assumed it would copy my docker state, which happens to be running without userns)
Maybe I love riddler because it believed in a future state where everyone loved user namespaces =)
But, yes, after copying the docker state, in the case of userns it was being set up by default regardless of Docker daemon config; and definitely mknod will fail for user-namespaced processes (not related to Docker/containerd/runc).
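The two points above (only configuring userns when the idroot/idlen flags were actually set, and emitting a config that runc will not reject) can be illustrated with a small generator. This is an added example, not riddler's own code: the `LinuxSpec`, `IDMapping` and `Namespace` types are local stand-ins for the corresponding fields of the OCI `config.json` "linux" section, and `UsernsOpts`, `BuildLinuxSpec` and `ValidateUserns` are hypothetical names chosen for this example. It treats a zero `IDLen` as the "unset" state, so no user namespace or mappings are produced unless asked for, and `ValidateUserns` flags the inconsistent case (mappings without a user namespace, or the reverse) before the spec is handed to a runtime.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// Local stand-ins for the OCI runtime-spec "linux" section (hypothetical
// types so the example runs without the runtime-spec module).
type IDMapping struct {
	HostID      uint32 `json:"hostID"`
	ContainerID uint32 `json:"containerID"`
	Size        uint32 `json:"size"`
}

type Namespace struct {
	Type string `json:"type"`
}

type LinuxSpec struct {
	UIDMappings []IDMapping `json:"uidMappings,omitempty"`
	GIDMappings []IDMapping `json:"gidMappings,omitempty"`
	Namespaces  []Namespace `json:"namespaces"`
}

// UsernsOpts mirrors the idroot/idlen flags discussed in the thread.
// A zero IDLen is treated as "unset": the user did not ask for userns.
type UsernsOpts struct {
	IDRoot uint32 // first host uid/gid of the mapped range
	IDLen  uint32 // number of ids in the range; 0 means unset
}

func (o UsernsOpts) Enabled() bool { return o.IDLen > 0 }

// BuildLinuxSpec always emits the base namespaces and adds the user
// namespace plus identical uid/gid mappings only when the flags were set.
func BuildLinuxSpec(opts UsernsOpts) LinuxSpec {
	spec := LinuxSpec{
		Namespaces: []Namespace{{"pid"}, {"network"}, {"ipc"}, {"uts"}, {"mount"}},
	}
	if !opts.Enabled() {
		return spec // no userns: nothing about mappings should appear
	}
	m := []IDMapping{{HostID: opts.IDRoot, ContainerID: 0, Size: opts.IDLen}}
	spec.UIDMappings = m
	spec.GIDMappings = m
	spec.Namespaces = append(spec.Namespaces, Namespace{"user"})
	return spec
}

// HasUserNamespace reports whether the process would run inside a user
// namespace (where, as noted above, mknod of device nodes will fail).
func HasUserNamespace(spec LinuxSpec) bool {
	for _, ns := range spec.Namespaces {
		if ns.Type == "user" {
			return true
		}
	}
	return false
}

// ValidateUserns rejects the half-configured states a runtime would refuse:
// id mappings without a user namespace, or a user namespace without mappings.
func ValidateUserns(spec LinuxSpec) error {
	hasMaps := len(spec.UIDMappings) > 0 || len(spec.GIDMappings) > 0
	switch {
	case hasMaps && !HasUserNamespace(spec):
		return errors.New("uid/gid mappings present but no user namespace configured")
	case !hasMaps && HasUserNamespace(spec):
		return errors.New("user namespace configured but no uid/gid mappings")
	}
	return nil
}

func main() {
	// Constructed inputs: daemon without userns, and one with a 65536-id remap.
	for _, opts := range []UsernsOpts{{}, {IDRoot: 100000, IDLen: 65536}} {
		spec := BuildLinuxSpec(opts)
		if err := ValidateUserns(spec); err != nil {
			fmt.Println("invalid spec:", err)
			continue
		}
		out, _ := json.MarshalIndent(spec, "", "  ")
		fmt.Printf("idroot=%d idlen=%d ->\n%s\n", opts.IDRoot, opts.IDLen, out)
	}
}
```

Run as-is it prints two "linux" fragments: the first with five namespaces and no mapping keys at all, the second with the extra "user" namespace and matching uid/gid mappings.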
completely unprivileged containers running as a non-root user are strictly more secure than user namespaces!
@estesp BTW see you in London next week!
@justincormack great! now I have to really prepare if the experts are going to show up :)
riddler seems to always output userns mappings, even though I don't have user namespaces enabled right now. Then I cannot run the config as it complains about this...