
What's New in the User Namespace

2022-09-16

Authors: Stephane Graber, Christian Brauner


Abstract

The user namespace has grown a lot since its introduction some 9 years ago. However, it is still very far from ubiquitous, even in the modern container space. In this talk, we'll explore the current state of things and delve into some of the exciting developments that have recently landed or will be landing very soon. This will cover the very exciting work done on the new VFS API and VFS idmap shifting, which now makes it very easy to set up containers without having to first mangle their root filesystem and, more importantly, allows containers relying on shared filesystem layers to be easily run unprivileged. On the security front, we'll be covering the work to better mediate the use of the user namespace, allowing LSMs to decide who can or cannot create a user namespace, as well as the recent addition of IMA namespacing, which now makes it possible to have an entire system measured and checked, containers included. We'll wrap things up by looking ahead at any other major blockers to the adoption of the user namespace and to the deprecation of much less safe container options.
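As an added illustration, not part of the talk or its materials, the following Python model shows the id translation behind the VFS idmap shifting mentioned above: a user namespace's uid_map and an idmapped mount's map both use the `<ns_first> <parent_first> <count>` line format of /proc/<pid>/uid_map, and a file stored on disk as uid 0 only shows up as the container's own root when the mount carries a mapping. The map text, the container mapping and the uids are constructed values, and unmapped ids are collapsed to the overflow uid as a simplification of the kernel's invalid-id handling.

```python
"""Model of uid translation through a user namespace and an idmapped mount.
Constructed example; the kernel's real logic lives in kernel/user_namespace.c
and fs/mnt_idmapping.c, this only mirrors the arithmetic of the id ranges."""

OVERFLOW_UID = 65534  # id the kernel reports for ids that have no mapping


def parse_uid_map(text):
    """Parse uid_map-style lines into (ns_first, parent_first, count) tuples."""
    entries = []
    for line in text.strip().splitlines():
        ns_first, parent_first, count = (int(f) for f in line.split())
        entries.append((ns_first, parent_first, count))
    return entries


def map_down(entries, parent_id):
    """Parent (outer) id -> namespace (inner) id, OVERFLOW_UID if unmapped."""
    for ns_first, parent_first, count in entries:
        if parent_first <= parent_id < parent_first + count:
            return ns_first + (parent_id - parent_first)
    return OVERFLOW_UID


def map_up(entries, ns_id):
    """Namespace (inner) id -> parent (outer) id, OVERFLOW_UID if unmapped."""
    for ns_first, parent_first, count in entries:
        if ns_first <= ns_id < ns_first + count:
            return parent_first + (ns_id - ns_first)
    return OVERFLOW_UID


def view_from_container(container_map, mount_map, disk_uid):
    """Uid a process inside the container observes for a file whose on-disk
    owner is disk_uid.  mount_map=None models an ordinary (non-idmapped) mount:
    the raw disk uid is taken as the host id and mapped down into the container.
    With an idmapped mount the disk uid is first mapped up through the mount's
    user namespace, and only then down into the container's namespace."""
    host_uid = disk_uid if mount_map is None else map_up(mount_map, disk_uid)
    return map_down(container_map, host_uid)


# Constructed container: uids 0..65535 inside map to 100000..165535 on the host.
CONTAINER_MAP = parse_uid_map("0 100000 65536")

# A shared rootfs image on disk is owned by uid 0 / uid 1000 (host-style ids).
# Plain mount: the container sees "nobody"; idmapped mount: it sees root / 1000.
NON_IDMAPPED_VIEW = view_from_container(CONTAINER_MAP, None, 0)          # 65534
IDMAPPED_VIEW = view_from_container(CONTAINER_MAP, CONTAINER_MAP, 0)     # 0
IDMAPPED_USER_VIEW = view_from_container(CONTAINER_MAP, CONTAINER_MAP, 1000)  # 1000
```

The idmapped case is what lets one unmodified filesystem layer be shared by several unprivileged containers with different host ranges, instead of chowning a copy of the tree per container.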

Materials: