| 1 |
On Fri, Sep 22, 2017 at 5:18 PM, Rich Freeman <rich0@g.o> wrote: |
| 2 |
>On Fri, Sep 22, 2017 at 4:43 PM, James McMechan |
| 3 |
><james_mcmechan@×××××××.com> wrote: |
| 4 |
>> |
| 5 |
>> # now create a separate mount namespace non-persistent |
| 6 |
>> unshare -m bash |
| 7 |
>> |
| 8 |
> |
| 9 |
>If you're going to go to the trouble to set up a container, you might |
| 10 |
>as well add some more isolation: |
| 11 |
> |
| 12 |
>unshare --mount --net --pid --uts --cgroup --fork --ipc --mount-proc bash |
| 13 |
> |
| 14 |
>I'm not sure how much of a hassle mapping a uid namespace would be or |
| 15 |
>if it would really add anything, especially if this chroots to portage |
| 16 |
>right away. |
| 17 |
> |
| 18 |
>-- |
| 19 |
>Rich |
| 20 |
|
| 21 |
Well mostly it was an example, I am not actually very good at containers. |
| 22 |
the more stuff is isolated the more it needs to be setup. |
| 23 |
|
| 24 |
The mount namespace is the whole point of the example |
| 25 |
|
| 26 |
I would not want to change the networking, it should already be working |
| 27 |
and I would be better served by not messing with it. |
| 28 |
|
| 29 |
portage should not care about the --pid --uts(hostname/domainname) --cgroup or --ipc |
| 30 |
|
| 31 |
The --mount-proc is not really helpful as I immediately remount the entire |
| 32 |
"/" filesystem at /mnt/gentoo and chroot into it after custom setup of proc sys and dev |
| 33 |
|
| 34 |
Now I could see a use for --map-root-user --user, then portage could run as |
| 35 |
root in the container with the least danger by being user portage:portage outside. |
| 36 |
|
| 37 |
Enjoy |
| 38 |
|
| 39 |
Jim McMechan |
Archives