From: Parke
Date: Mon, 29 Jun 2020 10:26:53 -0700
Subject: Re: Running Alpine's userland in a Linux user namespace via lxroot
To: j3s@c3f.net
Cc: ~alpine/users@lists.alpinelinux.org

On Mon, Jun 29, 2020 at 9:45 AM wrote:
> Docker just uses cgroups for isolation - same thing [lxroot] use[s],

I believe namespaces are distinct from cgroups (but I could be wrong).

From https://en.wikipedia.org/wiki/Cgroups#Namespace_isolation :

"While not technically part of the cgroups work, a related feature of the Linux kernel is namespace isolation ..."

lxroot uses user namespaces, specifically:

  the mount namespace
  the network namespace
  the process namespace
  the user namespace

According to the above Wikipedia link, there is a "Cgroup namespace", but I believe lxroot does not use the Cgroup namespace.

----

Another nifty consequence of lxroot's design is that you can lxroot into '/' (the root directory itself), while at the same time doing bind mounts and possibly mapping the uid and gid to zero, or dropping network access. This allows you to run software in an "altered version" of the host OS itself.

(This might be somewhat similar to firejail. But, as with Docker, I have never used firejail.)
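The four namespaces listed in the message above are created with unshare(2), not with cgroups; the following added example (not lxroot's code) shows the minimal sequence an unprivileged process needs to enter new user, mount, pid and net namespaces and map its own uid/gid to 0 inside, which is what "mapping the uid and gid to zero" and "dropping network access" rely on. The function names and the 1-entry id map are this example's own choices; the bind mounts lxroot performs inside the new mount namespace are not shown.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Format a one-line uid_map/gid_map entry "<inside> <outside> 1".
 * Returns the length written, or -1 if buf is too small. */
int build_id_map(char *buf, size_t n, unsigned inside, unsigned outside) {
    int len = snprintf(buf, n, "%u %u 1\n", inside, outside);
    return (len < 0 || (size_t)len >= n) ? -1 : len;
}

/* Write s to path in a single write(2); returns 0 or -errno. */
static int write_file(const char *path, const char *s) {
    int fd = open(path, O_WRONLY);
    if (fd < 0) return -errno;
    int err = write(fd, s, strlen(s)) < 0 ? -errno : 0;
    close(fd);
    return err;
}

/* Enter fresh user, mount, pid and net namespaces, then map the caller's
 * uid/gid to map_to. Returns 0 or -errno; an unprivileged caller gets EPERM
 * (or EINVAL) where unprivileged user namespaces are disabled by sysctl,
 * seccomp or LSM policy, which is the usual hardening against this feature. */
int enter_namespaces(unsigned map_to) {
    unsigned uid = getuid(), gid = getgid();
    char map[64];
    int r;
    if (unshare(CLONE_NEWUSER | CLONE_NEWNS | CLONE_NEWPID | CLONE_NEWNET) < 0)
        return -errno;
    /* An unprivileged writer must deny setgroups before it may write gid_map. */
    if ((r = write_file("/proc/self/setgroups", "deny"))) return r;
    build_id_map(map, sizeof map, map_to, uid);
    if ((r = write_file("/proc/self/uid_map", map))) return r;
    build_id_map(map, sizeof map, map_to, gid);
    return write_file("/proc/self/gid_map", map);
}

int main(void) {
    int r = enter_namespaces(0);
    if (r) { fprintf(stderr, "enter_namespaces: %s\n", strerror(-r)); return 1; }
    /* The pid namespace applies only to children, so fork: the child is PID 1
     * there, reports uid 0, and sees no network interface except a down lo. */
    if (fork() == 0) { execlp("sh", "sh", "-c", "echo pid $$; id; cat /proc/self/uid_map", (char *)0); _exit(127); }
    wait(NULL);
    return 0;
}
```

Outside the namespace the process is still the unprivileged caller, so "uid 0" here grants capabilities only over objects owned by that namespace, not over the host.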