I've been playing around with unprivileged user namespaces on Alpine
and decided to write a simple tool to make them feasible (without
installing LXC) on Alpine's hardened kernel.
I've just pushed it to GitHub:
It's essentially the same thing as "unshare --user", but the executable
has the file capabilities necessary to create user namespaces, and has
execution restricted to a "uuns" group. This provides an easy way for
the administrator to control permissions for creating unprivileged
namespaces; simply add users to the "uuns" group.
I'm interested in feedback. If this is something of interest to the
distribution, I'll try my hand at creating a package for it.
Received on Mon May 22 2017 - 14:07:41 UTC