On Thu, Mar 8, 2018 at 11:50 AM, Rich Freeman <ri...@gentoo.org> wrote:
> If you have util-linux installed then try running (as any user - you
> don't have to be root):
> unshare -i -m -n -p -u -C -f --mount-proc -U -r /bin/bash
>
Interesting. I hadn't found a good interface to containers and clone(2) besides Docker. Of course, I didn't look very hard. I half expect a "new" process model to develop around the kernel namespaces, as people realize GID separation only is too coarse. I still see some odd claims about container security, though: claiming containers are more secure than user accounts still seems odd to me, as if you don't trust the kernel to enforce user accounts, why trust it to enforce namespace separation?
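The security point in the exchange above (that "root" inside an unprivileged user namespace is still the caller's own uid as far as the host kernel is concerned) can be checked directly. The following POSIX sh script is an added example, not code from either poster; it assumes a Linux host with util-linux `unshare` and `/proc` mounted, and the function names `userns_uid_mapping` and `userns_capabilities` are mine. It runs the quoted `-U -r` flags alone (no mount, pid or other namespaces) so that it works with nothing but an ordinary user account, and reports "unavailable" instead of failing where user namespaces are disabled.

```shell
#!/bin/sh
# Added example (not from the thread): show what "root" inside an
# unprivileged user namespace maps to on the host, and which capability
# mask the kernel reports there. Assumes Linux, util-linux unshare, /proc.

# Start a child in a fresh user namespace with our uid mapped to 0 (-U -r),
# then read the child's uid and its /proc/self/uid_map.
# Output: "inside_uid=<n> outside_uid=<n>", or "userns_unavailable" when
# unshare is missing or the kernel/sysctl forbids unprivileged user namespaces.
userns_uid_mapping() {
    if ! command -v unshare >/dev/null 2>&1; then
        echo userns_unavailable
        return 0
    fi
    # Child prints: "<its uid> <uid_map line>", uid_map is "<inside> <outside> <len>"
    out=$(unshare -U -r sh -c 'echo "$(id -u) $(cat /proc/self/uid_map)"' 2>/dev/null) || {
        echo userns_unavailable
        return 0
    }
    # Fields: $1 = uid seen inside, $2 = inside start, $3 = outside start, $4 = length
    set -- $out
    echo "inside_uid=$1 outside_uid=$3"
}

# Compare the effective capability mask (CapEff from /proc/self/status)
# outside and inside the namespace. Inside it typically reads as a full
# mask, but those capabilities are only honoured over objects owned by
# the new namespace; the host-side uid shown above is what still applies
# to everything else.
userns_capabilities() {
    outside=$(sed -n 's/^CapEff:[[:space:]]*//p' /proc/self/status)
    inside=$(unshare -U -r sh -c "sed -n 's/^CapEff:[[:space:]]*//p' /proc/self/status" 2>/dev/null) \
        || inside=unavailable
    echo "inside_capeff=$inside outside_capeff=$outside"
}

# Usage: run both probes from an unprivileged shell.
userns_uid_mapping
userns_capabilities
```

On a host that permits unprivileged user namespaces, the first line reads `inside_uid=0 outside_uid=<your uid>`: the namespace changes what `id` reports, not which host uid the kernel checks against files and processes outside the namespace, which is the point made in the reply about trusting the same kernel either way.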