Feature
Resolution: Unresolved
Background
Docker and most other container runtimes currently mask certain paths under `/proc` and mount others read-only, so that host data which should not be visible inside a container is not exposed there. There are, however, use cases where this masking needs to be turned off.
Motivation
End users who want to run unprivileged containers using user namespaces nested inside CRI containers need a `ProcMount` option: a way to explicitly turn off the masking and read-only mounting of `/proc` paths, so that `/proc` can be mounted in the nested container as an unprivileged user.
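Added example (not part of the RFE or of any OpenShift/Kubernetes project code): a pod manifest that asks for an unmasked `/proc` inside a user-namespaced pod, and a check that can be run against a container's `/proc/self/mounts` to see which `/proc` paths the runtime still masks or mounts read-only. Assumptions: a cluster with the `ProcMountType` and `UserNamespacesSupport` feature gates enabled and a runtime (CRI-O with runc or crun) that honours them; the pod name and image are hypothetical; the sample mounts text is constructed to look like what runc produces with the default masked and read-only paths.

```shell
#!/bin/sh
# Added example, not from the RFE. Requires oc (or kubectl) only for the "apply"
# and "check" modes; the default mode classifies a constructed sample offline.

# Manifest requesting a user namespace (hostUsers: false) and an unmasked /proc.
# procMount defaults to "Default" (masked + read-only paths); "Unmasked" asks the
# runtime to leave /proc alone so a nested container can mount its own procfs.
write_manifest() {
  cat <<'EOF'
apiVersion: v1
kind: Pod
metadata:
  name: nested-proc-demo            # hypothetical name
spec:
  hostUsers: false                  # pod gets its own user namespace
  containers:
  - name: app
    image: registry.access.redhat.com/ubi9/ubi-minimal   # assumption: any image with a shell
    command: ["sleep", "infinity"]
    securityContext:
      procMount: Unmasked           # the option this RFE asks for
      allowPrivilegeEscalation: false
      runAsNonRoot: true
      runAsUser: 1000
EOF
}

# Classify every submount under /proc from /proc/self/mounts-format input on stdin.
# runc/crun "mask" a path by mounting tmpfs (directories) or bind-mounting /dev/null
# (files) over it, so a masked path shows a non-proc filesystem type; "readonly"
# paths are ro bind mounts of procfs itself. No output at all means /proc is unmasked.
classify_proc_mounts() {
  awk '$2 ~ /^\/proc\// {
    split($4, opts, ",")
    ro = 0
    for (i in opts) if (opts[i] == "ro") ro = 1
    if ($3 != "proc")  printf "masked %s\n", $2
    else if (ro)       printf "readonly %s\n", $2
    else               printf "unmasked %s\n", $2
  }'
}

# Constructed sample: what a default (masked) container typically shows.
SAMPLE_MOUNTS='proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /proc/acpi tmpfs ro,relatime 0 0
devtmpfs /proc/kcore devtmpfs rw,nosuid,relatime,size=1k,mode=755 0 0
devtmpfs /proc/keys devtmpfs rw,nosuid,relatime,size=1k,mode=755 0 0
tmpfs /proc/scsi tmpfs ro,relatime 0 0
proc /proc/bus proc ro,nosuid,nodev,noexec,relatime 0 0
proc /proc/sys proc ro,nosuid,nodev,noexec,relatime 0 0
proc /proc/sysrq-trigger proc ro,nosuid,nodev,noexec,relatime 0 0'

case "${1:-}" in
  apply) write_manifest | oc apply -f - ;;
  check) oc exec nested-proc-demo -- cat /proc/self/mounts | classify_proc_mounts ;;
  *)     printf '%s\n' "$SAMPLE_MOUNTS" | classify_proc_mounts ;;
esac
```

Run with `apply` to create the pod and `check` to classify its live mounts; with `procMount: Unmasked` honoured, `check` prints nothing. Two caveats a practitioner should expect: the Pod Security `baseline` and `restricted` profiles only allow `procMount` of `Default` (or unset), so the namespace must be labelled `privileged` or an SCC must permit it on OpenShift; and `Unmasked` only makes sense together with `hostUsers: false`, since without a user namespace it hands a root-in-container process an unfiltered view of the host's `/proc`.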
- depends on: RFE-3254 Support User Namespaces (Accepted)
- is blocked by: OCPSTRAT-207 TP in 4.17 : Support User Namespaces in pods (Closed)
- relates to: RFE-4517 Add Support for Nested Containers in DevSpaces (Accepted)