On Fri, Sep 22, 2017 at 5:18 PM, Rich Freeman <ri...@gentoo.org> wrote:
>On Fri, Sep 22, 2017 at 4:43 PM, James McMechan
><james_mcmec...@hotmail.com> wrote:
>>
>> # now create a separate mount namespace non-persistent
>> unshare -m bash
>>
>
>If you're going to go to the trouble to set up a container, you might
>as well add some more isolation:
>
>unshare --mount --net --pid --uts --cgroup --fork --ipc --mount-proc bash
>
>I'm not sure how much of a hassle mapping a uid namespace would be or
>if it would really add anything, especially if this chroots to portage
>right away.
>
>--
>Rich
Well, mostly it was an example; I am not actually very good at containers. The more stuff is isolated, the more it needs to be set up.

The mount namespace is the whole point of the example. I would not want to change the networking; it should already be working, and I would be better served by not messing with it.

Portage should not care about --pid, --uts (hostname/domainname), --cgroup or --ipc.

The --mount-proc is not really helpful, as I immediately remount the entire "/" filesystem at /mnt/gentoo and chroot into it after custom setup of proc, sys and dev.

Now I could see a use for --map-root-user --user; then portage could run as root in the container with the least danger by being user portage:portage outside.

Enjoy

Jim McMechan
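The setup sketched in this message (a mount namespace, "/" re-mounted at /mnt/gentoo, proc/sys/dev set up by hand, then a chroot, optionally with --user --map-root-user so an unprivileged caller is root inside) written out as a script. This is an added example, not code posted in the thread or shipped by Gentoo, and it goes slightly beyond the message by handling both a caller who is already root (plain mount namespace) and an unprivileged caller such as the portage user (user namespace with uid 0 mapped to the caller). Assumptions of the example: $TARGET (default /mnt/gentoo) already exists and can be entered by the caller, unshare(1) is util-linux's, and the rootless path needs a kernel that permits unprivileged user namespaces. The helper names are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): enter a private mount namespace, and a
# user namespace when not already root, mirror / at $TARGET, bind proc/sys/dev
# into it and chroot there to run the given command.
# Assumed: $TARGET exists and is enterable by the caller; util-linux unshare(1).
set -eu

TARGET="${TARGET:-/mnt/gentoo}"

# Flags for unshare(1).  Only the mount namespace is essential; the user
# namespace plus --map-root-user is what lets an unprivileged caller be uid 0
# inside.  net, pid, uts, ipc and cgroup are left shared on purpose.
ns_flags() {
    case "${1:-rootless}" in
        rootless) printf '%s' '--mount --user --map-root-user' ;;
        root)     printf '%s' '--mount' ;;     # caller is already root outside
        *)        return 1 ;;
    esac
}

# 0 if the kernel looks willing to give an unprivileged user a user namespace.
userns_available() {
    [ -r /proc/sys/user/max_user_namespaces ] || return 1
    [ "$(cat /proc/sys/user/max_user_namespaces)" -gt 0 ] || return 1
    # Debian-family knob; absent on most kernels, so only consulted if present.
    if [ -r /proc/sys/kernel/unprivileged_userns_clone ]; then
        [ "$(cat /proc/sys/kernel/unprivileged_userns_clone)" = 1 ] || return 1
    fi
}

# Runs inside the new namespace(s).  Propagation is made private first so the
# binds below can never leak back into the host's mount table.
setup_and_chroot() {
    mount --make-rprivate /
    mount --bind / "$TARGET"                  # the "/" remount the message describes
    for fs in proc sys dev; do                # then the kernel filesystems, recursively
        mount --rbind "/$fs" "$TARGET/$fs"
    done
    exec chroot "$TARGET" "$@"
}

# Enter the namespaces and re-run this script inside them with --inside.
enter_ns() {
    mode="$1"; shift
    flags="$(ns_flags "$mode")"
    # shellcheck disable=SC2086  # splitting the flag list into words is intended
    exec unshare $flags -- /bin/sh "$0" --inside "$@"
}

case "${1:-}" in
    --inside) shift; setup_and_chroot "$@" ;;
    run)
        shift
        [ $# -gt 0 ] || set -- /bin/sh
        [ -d "$TARGET" ] || { echo "$TARGET does not exist" >&2; exit 1; }
        if [ "$(id -u)" -eq 0 ]; then
            mode=root
        else
            mode=rootless
            userns_available || { echo "unprivileged user namespaces unavailable" >&2; exit 1; }
        fi
        enter_ns "$mode" "$@"
        ;;
esac
```

Usage would be along the lines of `sudo -u portage sh ns-chroot.sh run emerge -pv1 sys-apps/portage`. Two properties of the rootless path worth knowing before relying on it: --map-root-user maps only uid 0 inside to the caller's uid outside, so any chown to a different uid inside the chroot fails with EINVAL; and since "/" is bind-mounted read-write, every file the build writes lands on the real filesystem owned by the caller, which is exactly the least-privilege effect the message is after.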