[reposting - sorry I forgot to Cc the mailing list]
Post by Vasiliy Tolstov
Is it possible to create a container as a regular user? Or what capabilities do I
need to add to create a container without using root?
Manual page namespaces(7):
Creation of new namespaces using clone(2) and unshare(2) in most cases
requires the CAP_SYS_ADMIN capability. User namespaces are the
exception: since Linux 3.8, no privilege is required to create a user
systemd-nspawn uses (src/nspawn/nspawn.c):
    pid = raw_clone(SIGCHLD|CLONE_NEWNS|
                    (arg_share_system ? 0 : CLONE_NEWIPC|CLONE_NEWPID|CLONE_NEWUTS)|
                    (arg_private_network ? CLONE_NEWNET : 0), NULL);
There is no CLONE_NEWUSER in that call: the mount, IPC, PID, UTS and network namespaces are created in the caller's existing user namespace, so you need CAP_SYS_ADMIN to use systemd-nspawn.
If you want to try user namespaces, be aware that they are still a moving
target. Manual page user_namespaces(7):
Starting in Linux 3.8, unprivileged processes can create
user namespaces, and mount, PID, IPC, network, and UTS
namespaces can be created with just the CAP_SYS_ADMIN
capability in the caller's user namespace.
But this is not true on most Linux distributions, as they disable
unprivileged user namespaces and require CAP_SYS_ADMIN anyway. See for
and: echo 1 > /proc/sys/kernel/unprivileged_userns_clone
(that sysctl comes from a distribution patch, not from the mainline kernel, so a kernel without the patch simply does not have it)
Additionally, the program userns_child_exec.c included in manual page
namespaces(7) does not work as is yet: since the changes introduced by the
fix for CVE-2014-8989, it also needs to write "deny" to /proc/pid/setgroups
before it writes gid_map.
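To make that last point concrete, here is an added example of my own (not the manual page's program and not systemd code): it forks a child that creates an unprivileged user namespace and installs its mappings in the order a kernel with the CVE-2014-8989 fix requires, writing "deny" to /proc/self/setgroups before gid_map. The function names are my own choices; on a distribution that disables unprivileged user namespaces the probe returns 0 instead of 1, so it doubles as a check of whether the knob above is in effect.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>
#ifndef CLONE_NEWUSER /* glibc hides these unless _GNU_SOURCE was seen first */
#define CLONE_NEWUSER 0x10000000
#endif
int unshare(int flags);
/* Write a string to a /proc file; 0 on success, -1 with errno set. */
static int write_proc(const char *path, const char *text)
{
    int fd = open(path, O_WRONLY);
    if (fd < 0)
        return -1;
    int ok = write(fd, text, strlen(text)) == (ssize_t)strlen(text);
    close(fd);
    return ok ? 0 : -1;
}

/* Child: enter a new user namespace and map our uid/gid to 0 inside it.
 * Exit 1 = mapping took effect, 2 = refused (reason on stderr), 3 = unexpected. */
static void probe_child(uid_t uid, gid_t gid)
{
    char map[64];
    if (unshare(CLONE_NEWUSER) != 0) { perror("unshare(CLONE_NEWUSER)"); _exit(2); }
    /* Since the fix for CVE-2014-8989, gid_map is rejected unless setgroups was
     * set to "deny" first; the file does not exist on kernels before that fix. */
    if (write_proc("/proc/self/setgroups", "deny") != 0 && errno != ENOENT) { perror("setgroups"); _exit(2); }
    snprintf(map, sizeof map, "0 %u 1", (unsigned)gid);
    if (write_proc("/proc/self/gid_map", map) != 0) { perror("gid_map"); _exit(2); }
    snprintf(map, sizeof map, "0 %u 1", (unsigned)uid);
    if (write_proc("/proc/self/uid_map", map) != 0) { perror("uid_map"); _exit(2); }
    _exit(getuid() == 0 && getgid() == 0 ? 1 : 3);
}

/* 1 = unprivileged user namespaces work here, 0 = kernel or sandbox refuses, -1 = fork/wait failed. */
int probe_unprivileged_userns(void)
{
    int status;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) probe_child(getuid(), getgid());
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status) == 1 ? 1 : WEXITSTATUS(status) == 2 ? 0 : -1;
}
```

Call probe_unprivileged_userns() from main as an ordinary user; on a refusal the child prints which step the kernel blocked, which tells you whether it is the clone itself or the setgroups/gid_map ordering.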