| 1 |
On Thu, Mar 8, 2018 at 11:50 AM, Rich Freeman <rich0@g.o> wrote: |
| 2 |
> If you have util-linux installed then try running (as any user - you |
| 3 |
> don't have to be root): |
| 4 |
> unshare -i -m -n -p -u -C -f --mount-proc -U -r /bin/bash |
| 5 |
> |
| 6 |
|
| 7 |
Interesting. I hadn't found a good interface to containers and |
| 8 |
clone(2) besides Docker. Of course, I didn't look very hard. I half |
| 9 |
expect a "new" process model to develop around the kernel namespaces, |
| 10 |
as people realize GID separation only is too coarse. |
| 11 |
|
| 12 |
I still see some odd claims about container security, though: claiming |
| 13 |
containers are more secure than user accounts still seems odd to me, |
| 14 |
as if you don't trust the kernel to enforce user accounts, why trust |
| 15 |
it to enforce namespace separation? |
Archives