README outdated for CentOS and Debian
The Readme says user namespaces are not available to unprivileged users in several production distributions such as CentOS/Red Hat Enterprise Linux 7, Debian Jessie, etc.
In CentOS 8 and Debian Buster, ls /proc/self/ns shows a user folder, which I think means user namespaces are available. Seems like the Readme should reflect that this has been changed in newer releases.
In Debian, user namespaces are still not available to unprivileged users. They are available, but you have to be root.
For Debian, that's because of this patch, which originated in Ubuntu (although they no longer use it): https://sources.debian.org/src/linux/4.19.98-1/debian/patches/debian/add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by-default.patch/
Arch Linux's non-default "linux-hardened" kernel has the same patch, or a very similar one.
I don't know what CentOS does: they might have unrestricted user namespaces (like Fedora, Ubuntu, and Arch Linux's normal kernel), or they might have user namespaces that can only be created by root (like Debian and Arch Linux's linux-hardened), or they might have a different patch that restricts user namespaces some other way.
Sorry I missed that. As far as I can tell CentOS is unrestricted, could do a clone with CLONE_NEWUSER unprivileged.
As far as I can tell CentOS is unrestricted, could do a clone with CLONE_NEWUSER unprivileged.
Was it CentOS 8 that you were testing this in?
I don't use CentOS myself, but my understanding is that RHEL 7 and CentOS 7 limit the number of namespaces per unprivileged user to 0 by default, and need a higher limit set to enable this feature (https://www.redhat.com/en/blog/preview-running-containers-without-root-rhel-76). It seems plausible that RHEL 8 and CentOS 8 have lifted this restriction to behave like Fedora and Ubuntu instead.
Debian 10 has the behaviour I described above. The plan is that in Debian 11, creation of new user namespaces will be unrestricted by default, like Fedora and Ubuntu.
Can't remember if it was CentOS 8, but probably?
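The three signals discussed in this thread (a `user` entry under /proc/self/ns, Debian's `kernel.unprivileged_userns_clone` sysctl from the patch linked above, and the RHEL/CentOS 7 `user.max_user_namespaces` limit) can be combined into one check. This is an added example, not part of the issue thread or the project; the `classify`, `read_knob` and `probe_host` function names are mine, and the final `unshare -U true` call is the empirical ground truth (it reports success for root regardless of the knobs).

```shell
#!/bin/sh
# Added example: decide whether an unprivileged user can create a user namespace.
# Arguments to classify:
#   $1  1 if /proc/self/ns/user exists, else 0 (kernel built with CONFIG_USER_NS)
#   $2  value of kernel.unprivileged_userns_clone, or "-" if the knob is absent
#       (Debian/linux-hardened patch: 0 means only root may use CLONE_NEWUSER)
#   $3  value of user.max_user_namespaces, or "-" if absent
#       (RHEL/CentOS 7 default of 0 disables the feature for everyone but root)
# Prints one of: unsupported, root-only, disabled-by-limit, unrestricted
classify() {
  ns_present=$1; clone_sysctl=$2; max_userns=$3
  if [ "$ns_present" != "1" ]; then
    echo unsupported; return 0
  fi
  if [ "$clone_sysctl" = "0" ]; then
    echo root-only; return 0
  fi
  if [ "$max_userns" = "0" ]; then
    echo disabled-by-limit; return 0
  fi
  echo unrestricted
}

# Read a /proc/sys knob, printing "-" when this kernel does not expose it.
read_knob() {
  if [ -r "$1" ]; then cat "$1"; else echo -; fi
}

# Gather the signals from the running kernel and confirm with unshare(1).
probe_host() {
  ns=0; [ -e /proc/self/ns/user ] && ns=1
  clone=$(read_knob /proc/sys/kernel/unprivileged_userns_clone)
  maxns=$(read_knob /proc/sys/user/max_user_namespaces)
  verdict=$(classify "$ns" "$clone" "$maxns")
  # unshare -U performs the actual CLONE_NEWUSER request as the calling user;
  # a denial here wins over any verdict derived from the sysctls alone.
  if unshare -U true 2>/dev/null; then actual=allowed; else actual=denied; fi
  echo "signals: ns_user=$ns unprivileged_userns_clone=$clone max_user_namespaces=$maxns"
  echo "verdict=$verdict unshare_test=$actual"
}

if [ "${1:-}" = "--probe" ]; then probe_host; fi
```

Run as `sh check-userns.sh --probe` on each distribution to compare the sysctl-derived verdict with what the kernel actually permits.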