> Typically this is because they are only useful for whole system containers,
> rather than service or application containment.
>
> What services are you running that you want to be able to isolate this with?

I want a sandbox which doesn't allow communication between inside and outside. At least the ipc namespace is useful for this kind of sandbox.

> It can only do so by using systemd-nspawn,
> which generally assumes that you are providing a separate rootfs too.

I don't want a full system container.

> Private users have another problem on top,
> since there is no way to do a UID shift without modifying the filesystem,
> so it is only really manageable for full system containers.

You're right. Honestly, I didn't think about how to apply the user namespace. The user namespace scenario will be very complicated.

> I can't speak for whether they would be accepted,
> but a compelling reason for why you need them may help.

I'll write this in a reply mail to Lennart. Please refer to it.

Best regards,
Sungbae Yoo
_______________________________________________
systemd-devel mailing list
[email protected]
http://lists.freedesktop.org/mailman/listinfo/systemd-devel
