[EMAIL PROTECTED] (Rik van Riel) writes:

> - unbreakable chroot
>   --> filesystem namespaces, CLONE_NS, recursive bind mount
>       (already in 2.4 and 2.6 kernels, needs userspace helper)

Unfortunately, CAP_SYS_ADMIN capabilities are required for CLONE_NEWNS. So, vservers within vservers will be impossible with this method.

Another problem is that 'vserver XXX enter' cannot be used anymore. Or does there exist a way to enter the namespace of foreign processes? Doing the mounts on every 'enter' seems to be expensive at first glance.

Enrico
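An added example, not part of the original message: a C check of the CAP_SYS_ADMIN requirement mentioned above. It reads the effective capability mask from /proc and then attempts a new mount namespace with unshare(2), which accepts the same CLONE_NEWNS flag as clone(2). The function names `status_has_sys_admin` and `try_new_mount_ns` are hypothetical names chosen for this illustration.

```c
#include <errno.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>
#ifndef CLONE_NEWNS            /* only exposed by <sched.h> under _GNU_SOURCE */
#define CLONE_NEWNS 0x00020000
#endif
extern int unshare(int flags); /* glibc prototype, declared here for the same reason */
#define CAP_SYS_ADMIN_BIT 21   /* CAP_SYS_ADMIN in <linux/capability.h> */

/* 1 if the CapEff line of /proc/<pid>/status text has CAP_SYS_ADMIN, 0 if not, -1 if missing or not hex. */
int status_has_sys_admin(const char *status)
{
    const char *p = status;
    while (p && *p) {
        if (strncmp(p, "CapEff:", 7) == 0) {
            char *end;
            unsigned long long caps = strtoull(p + 7, &end, 16);
            if (end == p + 7) return -1;          /* no hex digits parsed */
            return (int)((caps >> CAP_SYS_ADMIN_BIT) & 1);
        }
        if ((p = strchr(p, '\n')) != NULL) p++;   /* advance to next line */
    }
    return -1;
}

/* Attempt the call in a forked child so the caller's own namespace is untouched.
 * Returns 0 on success, otherwise the child's errno (EPERM without the capability). */
int try_new_mount_ns(void)
{
    int st;
    pid_t pid = fork();
    if (pid == 0) _exit(unshare(CLONE_NEWNS) == 0 ? 0 : (errno & 0xff));
    if (pid < 0 || waitpid(pid, &st, 0) < 0) return errno;
    return WIFEXITED(st) ? WEXITSTATUS(st) : EINTR;
}

int main(void)
{
    char buf[8192];
    FILE *f = fopen("/proc/self/status", "r");
    size_t n = f ? fread(buf, 1, sizeof buf - 1, f) : 0;
    if (f) fclose(f);
    buf[n] = '\0';
    int err = try_new_mount_ns();
    printf("CapEff has CAP_SYS_ADMIN: %d, unshare(CLONE_NEWNS): %s\n",
           status_has_sys_admin(buf), err ? strerror(err) : "ok");
    return 0;
}
```

Run as an unprivileged user, the unshare attempt reports "Operation not permitted"; seccomp or LSM policy can also deny the call even when the capability bit is set.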
