Just curious, I tried this as my user account on Fedora 34 and do not see any mount points. I assume this doesn't work because the root overlay is not enabled by default?

fatherlinux $ podman run -id ubi8 bash
fatherlinux $ mount -t overlay

Thoughts?

Best Regards
Scott M

On Mon, Sep 6, 2021 at 3:56 PM Giuseppe Scrivano <gscrivan@redhat.com> wrote:
Jorge Fábregas <jorge.fabregas@gmail.com> writes:

> On 9/6/21 11:34 AM, Giuseppe Scrivano wrote:
>> exactly.  root can create mounts directly in the current mount namespace
>> so it doesn't need to create a new one owned by a different user
>> namespace.
>
> Ok, I see this now. Forgot the part that regular users can't create new
> mount points. I was mainly concentrating in the "isolation" aspect of a
> new mount namespace.
>
> Wouldn't a new mount namespace for rootful containers provide extra
> isolation?

for rootless it is more of a necessity than for extra security.

In the new mount namespace it is still possible to access all the
existing mount points from the host.

For root, it could make sense to have a separate mount namespace so that
the mount points won't be visible from the host.  This setup is not
currently supported, you'd need to create it manually.

Giuseppe
_______________________________________________
Podman mailing list -- podman@lists.podman.io
To unsubscribe send an email to podman-leave@lists.podman.io


--
18 ways to differentiate open source products from upstream suppliers: https://opensource.com/article/21/2/differentiating-products-upstream-suppliers 
--
Scott McCarty
Product Management - Containers, Red Hat Enterprise Linux & OpenShift
Email: smccarty@redhat.com
Phone: 312-660-3535
Cell: 330-807-1043
Web: http://crunchtools.com
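To see the namespace difference behind the observation above (a host-side `mount -t overlay` listing nothing for a rootless container), here is an added shell example, not code from the thread or from Podman itself; it assumes a Linux host with /proc and that the container's PID is obtained with `podman inspect --format '{{.State.Pid}}'`.

```shell
#!/bin/sh
# Added example (not from the thread). Shows why `mount -t overlay` on the
# host lists nothing for a rootless container: the container's mounts live
# in a mount namespace the host shell is not in. Usage: sh mntns.sh <pid>
# where <pid> is the container's init, e.g. from
#   podman inspect --format '{{.State.Pid}}' <container>

# Mount namespace identity of a PID, e.g. "mnt:[4026531840]".
mnt_ns_of() {
    readlink "/proc/$1/ns/mnt"
}

# "same" when PID shares this shell's mount namespace, else "different".
# Mounts created by PID are only visible to this shell in the "same" case.
mnt_ns_relation() {
    if [ "$(mnt_ns_of "$1")" = "$(mnt_ns_of self)" ]; then
        echo same
    else
        echo different
    fi
}

# Count overlay mounts in /proc/<pid>/mountinfo text read from stdin.
# In mountinfo the filesystem type is the field right after the " - " separator.
count_overlay_mounts() {
    awk '{ for (i = 1; i <= NF; i++)
               if ($i == "-") { if ($(i + 1) == "overlay") n++; break } }
         END { print n + 0 }'
}

# Overlay mounts visible to a PID (reading its mountinfo needs the same
# user or root; for a rootless container the same unprivileged user works).
overlay_mounts_of() {
    count_overlay_mounts < "/proc/$1/mountinfo"
}

# Constructed mountinfo sample (two overlay mounts, one ext4), used for a
# self-check so the parser can be exercised without a running container.
SAMPLE_MOUNTINFO='36 35 98:0 / / rw,relatime - ext4 /dev/sda1 rw
450 36 0:41 / /merged rw,relatime - overlay overlay rw,lowerdir=/l,upperdir=/u,workdir=/w
451 36 0:42 / /merged2 rw,relatime - overlay overlay rw,lowerdir=/l2,upperdir=/u2,workdir=/w2'

if [ $# -gt 0 ]; then
    echo "mount namespace of $1 vs this shell:  $(mnt_ns_relation "$1")"
    echo "overlay mounts visible to $1:         $(overlay_mounts_of "$1")"
    echo "overlay mounts visible to this shell: $(overlay_mounts_of self)"
fi
```

For a rootless container the report prints "different" and the host shell's overlay count stays at zero, while for a root container started in the host's mount namespace it prints "same" and the container's overlay mount appears in both counts.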