[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#913880: ITP: overlay-userns -- Overlay mounting in user namespaces (DKMS)

Package: wnpp
Severity: wishlist
Owner: Nicolas Schier <nicolas@fjasle.eu>

* Package name    : overlay-userns
  Version         : 0.4
  Upstream Author : Nicolas Schier <nicolas@fjasle.eu>
* URL             : https://rocketgit.com/user/nicolas/overlay-userns-dkms
* License         : GPL
  Programming Lang: C
  Description     : Overlay mounting in user namespaces (DKMS)

This DKMS package enables overlay file system mounts within user
namespaces.  Please be aware that this induces a security risk and thus
cannot be recommended in general.

Overlay file system is considered to be a security risk when it would be
allowed to be used within user namespaces.  The utilisation of
unprivileged Linux containers in combination with overlay-based
snapshotting is thus not possible by default.

The 'lxc' provides unpriviledged LXC snapshot support by using overlay
within user namespaces, which is currently only enabled in Ubuntu Linux
kernels.  When unpriviledged overlay LXCs are required on Debian
systems, this package provides an alternative to a manually patched and
built Linux kernel.

Personally, I use that DKMS module at work, as I have to stick to
unpriviledged LXCs but still would like to run a Debian kernel rather
than a manually patched and updated one.  I know that patching the
runtime kernel is quite dirty, and I am expecting that this technique is
not possible in the far future, but right now (and since the last two
years) it worked quite fine on a few machines.

As I am not an official Debian Maintainer, I do need a sponsor for the

I am going to push the Debian stuff into a personal salsa repository
(nsc-guest/overlay-userns); iff the package gets sponsored, moving to an
official Debian salsa repo would be great.

Kind regards,

Reply to: