This issue aims to list all the issues you might encounter because of the linux-hardened kernel, and potential workarounds, if any. I will try to keep it as up to date as possible, you can of course contribute.
For what it's worth I have to say it has been pretty stable for me over the past few months. I was expecting it to break things more often.
Unprivileged user namespaces
This is probably one of the most controversial features of the Linux kernel.
It allows unprivileged users to create namespaces in which they can perform root operations in a confined environment (by remapping user IDs). The catch is that this feature exposes kernel code paths that were previously reachable only by root, and those paths are less tested than the regular "user code paths". Many security vulnerabilities have been discovered and exploited in the wild through this feature. However, it has been a while now since the feature was introduced, and it is enabled by default on most mainstream distributions, including the regular Arch Linux kernel.
Container engines (Docker, Podman, LXC, etc.) depend heavily on this feature for rootless mode, and because linux-hardened disables it by default (kernel.unprivileged_userns_clone=0), rootless containers cannot work. You have to run containers as root.
So now it's your choice to make: are you fine sticking to root containers, or do you wish to use rootless ones? I made up my mind and decided to stick to root containers. But it could change.
If rootless containers are a must-have for you, you can enable them (until the next reboot) using:
sudo sysctl -w kernel.unprivileged_userns_clone=1
If you want this change to be persistent, create a file in /etc/sysctl.d/ containing the same setting; it is applied at boot by systemd-sysctl. Keep in mind that this re-opens exactly the root-only code paths linux-hardened closed off, so the hardened kernel buys you less once it is set.
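The procedure above, as an added example that is not part of the original issue: a small POSIX shell script that renders the sysctl.d drop-in, applies it, and verifies from an unprivileged shell that a user namespace can actually be created. The drop-in name 99-userns.conf and the function names are this example's choices; the sysctl key is the one the issue names. Only enable_userns/disable_userns need root.

```shell
#!/bin/sh
# Added example (not the issue author's code): persistently toggle
# unprivileged user namespaces on linux-hardened and verify the result.
# Assumptions: the knob is kernel.unprivileged_userns_clone (the
# linux-hardened sysctl named in the issue); the drop-in file name
# 99-userns.conf is this example's own choice.

SYSCTL_KEY=kernel.unprivileged_userns_clone
SYSCTL_PROC=/proc/sys/kernel/unprivileged_userns_clone
DROPIN=${DROPIN:-/etc/sysctl.d/99-userns.conf}

# Print the content of the drop-in file for a given value.
# Only 0 (disabled, the linux-hardened default) and 1 (enabled) are valid.
render_dropin() {
    case "$1" in
        0|1) ;;
        *) echo "render_dropin: value must be 0 or 1, got '$1'" >&2; return 1 ;;
    esac
    printf '# Rootless containers (podman/docker/lxc) need unprivileged user namespaces.\n'
    printf '# 1 re-enables the root-only kernel paths that linux-hardened closes by default.\n'
    printf '%s = %s\n' "$SYSCTL_KEY" "$1"
}

# Current value as reported by the kernel, or "absent" when the knob
# does not exist (a kernel without the linux-hardened patch).
current_value() {
    if [ -r "$SYSCTL_PROC" ]; then
        cat "$SYSCTL_PROC"
    else
        echo absent
    fi
}

# Succeeds only if this (unprivileged) user can really create a user
# namespace; unshare(1) comes from util-linux. This is the check that
# matters for podman/docker rootless, not just the sysctl value.
userns_works() {
    unshare -U true 2>/dev/null
}

# Write the drop-in and reload every /etc/sysctl.d/*.conf; needs root.
enable_userns() {
    render_dropin 1 > "$DROPIN"
    sysctl --system >/dev/null
    sysctl -n "$SYSCTL_KEY"
}

# Roll back to the hardened default; needs root.
disable_userns() {
    render_dropin 0 > "$DROPIN"
    sysctl --system >/dev/null
    sysctl -n "$SYSCTL_KEY"
}

# Status report, safe to run as any user:
#   sh userns.sh            -> prints the sysctl value and whether unshare -U works
#   sudo sh -c '. ./userns.sh; enable_userns'   -> enable persistently
printf '%s = %s\n' "$SYSCTL_KEY" "$(current_value)"
if userns_works; then
    echo "unprivileged user namespaces: usable (rootless containers can work)"
else
    echo "unprivileged user namespaces: NOT usable from this shell"
fi
```

Running the status part first on the hardened kernel shows the value 0 and the failing unshare; after enable_userns, both should flip. Checking with unshare -U rather than only reading the sysctl also catches the other reasons rootless mode can fail, such as a seccomp or LSM policy blocking the clone.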