Hi,

A few of us have been prototyping out in the background a new tool:
https://github.com/projectatomic/bubblewrap

It came out of the situation that:

- User namespaces (CLONE_NEWNS) are currently disabled for unprivileged users, e.g. CentOS 7 and Red Hat Enterprise Linux 7
- The desktop wants unprivileged (but secure) container access, and we also want it for several server side use cases, such as build systems. I definitely want it by default for rpm-ostree.

Now because we're not very good at these things, it was imported into projectatomic/ without public discussion, but better late than never! And most notably, it's already been covered in LWN: https://lwn.net/Articles/685374/

Currently it is not part of a product and has not had a rigorous review from a security team. However, I believe our approach is good, and if anyone wants a peer-reviewed setuid binary for container features, it's worth considering bubblewrap!

It builds on CentOS 7 today, and is already part of our gitoverlay builds:
https://github.com/cgwalters/continuous-atomic-overlay/commit/daeaae466a719e3a4285659a1124030c00454262
https://ci.centos.org/job/atomic-rdgo-centos7/