Linux Security Summit

User Namespaces are an essential tool of container security because they allow apparently privileged (root) execution within a container, while the executing entity is really unprivileged as the host (linux kernel) sees it. Unfortunately, the current cost of using user namespaces is that filesystem writes have to be at the identity seen by the kernel (the unprivileged uid/gid) rather than by the identity the container thinks it has. This is all fine and dandy until we want to share images and archives (even simple tar archives) amongst containers. Having the filesystem identity be the same as the container identity is essential for this sharing and is currently broken. There are at least three mechanisms currently proposed for fixing this: shiftfs (by the author), userns portable roots and filesystem mappings. We'll discuss the pros and cons of each of these approaches.