aarch64 missing USER_NS_UNPRIVILEGED

Discussion about U-Boot and the kernel.

Post by Kabbone » Sun Jan 05, 2020 11:53 am

Hi,

is there any reason why we omit "CONFIG_USER_NS_UNPRIVILEGED=y" in our aarch64 kernel config? This way it's not possible to use unprivileged containers with users inside. I just recognized this when I wanted to use some systemd-nspawn containers and everything got mapped to the unprivileged root UID.
Right now I'm compiling a kernel identical to the one in the repository, just with this option enabled for testing.

If it works, it would be nice to add it to our default config.

EDIT: OK, that was a bit of BS on my part. After a bit more research I found that CONFIG_USER_NS_UNPRIVILEGED isn't mainline and should only give you a way to control userns.
Nevertheless, this should mean that the containers work as designed, but I still have the problem that no IDs other than the root UID mapped in the user namespace exist inside my container. Anyone else experiencing this behaviour? On an Arch Linux desktop machine it works just fine.

EDIT2: after a bit of testing, it comes down to using root over NFS. But at the moment the only solution I can think of is to map the root user in the container to a user ID that exists in LDAP. The subject is not really accurate anymore, because this has nothing to do with the kernel config itself.

EDIT3: Just for information, in case someone stumbles over this. There are two easy solutions: either using nbd or mounting a local image via loop.
Kabbone
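The thread mixes up two things: whether the kernel allows user namespaces at all, and how UIDs inside a systemd-nspawn container are translated to host UIDs by /proc/&lt;pid&gt;/uid_map. The script below is an added example for this thread, not the poster's code and not Armbian's. It reports what the running kernel exposes (CONFIG_USER_NS in the kernel config, the mainline user.max_user_namespaces limit, and the kernel.unprivileged_userns_clone sysctl that the out-of-tree CONFIG_USER_NS_UNPRIVILEGED option sets the default for; that sysctl is absent on mainline kernels) and translates UIDs through a uid_map in both directions. The functions uidmap_translate, uidmap_reverse, fs_type and userns_report are names chosen here; the sample map "0 100000 65536" is the constructed shape nspawn's --private-users produces, and a host owner of 65534 (what NFS root_squash turns root-owned files into) is shown to have no container-side mapping, which is the "only root exists" symptom from the post. It assumes a POSIX sh, awk and GNU stat.

```shell
#!/bin/sh
# Added example for this thread (not the original poster's or Armbian's code).
# Assumes POSIX sh + awk; fs_type additionally assumes GNU coreutils stat.

# uidmap_translate CONTAINER_UID MAP_TEXT
#   MAP_TEXT is the body of /proc/<pid>/uid_map: lines of "inside outside count".
#   Prints the host UID that CONTAINER_UID lands on, or "unmapped" when no range
#   covers it (the kernel then shows it as the overflow UID, normally 65534/nobody).
uidmap_translate() {
    printf '%s\n' "$2" | awk -v id="$1" '
        NF == 3 && id >= $1 && id < $1 + $3 { print $2 + (id - $1); found = 1; exit }
        END { if (!found) print "unmapped" }'
}

# uidmap_reverse HOST_UID MAP_TEXT
#   Opposite direction: which container UID does a host-side file owner appear as?
#   "unmapped" here means the file shows up as nobody (65534) inside the container.
uidmap_reverse() {
    printf '%s\n' "$2" | awk -v id="$1" '
        NF == 3 && id >= $2 && id < $2 + $3 { print $1 + (id - $2); found = 1; exit }
        END { if (!found) print "unmapped" }'
}

# fs_type PATH: filesystem type name of PATH (e.g. nfs, ext2/ext3, xfs).
#   Useful because an nspawn tree on NFS with root_squash cannot be chowned
#   into the shifted range by host root; a loop- or nbd-backed image can.
fs_type() {
    stat -f -c %T "$1" 2>/dev/null
}

# userns_report: summarise what the running kernel/distro allows.
userns_report() {
    cfg=""
    if [ -r /proc/config.gz ]; then
        cfg=$(zcat /proc/config.gz 2>/dev/null)
    elif [ -r "/boot/config-$(uname -r)" ]; then
        cfg=$(cat "/boot/config-$(uname -r)")
    fi
    if [ -n "$cfg" ]; then
        printf '%s\n' "$cfg" | grep -E '^CONFIG_USER_NS(_UNPRIVILEGED)?=' \
            || echo "CONFIG_USER_NS not set in kernel config"
    else
        echo "kernel config not readable; skipping Kconfig check"
    fi
    # Mainline knob: 0 forbids creating any new user namespace.
    if [ -r /proc/sys/user/max_user_namespaces ]; then
        echo "user.max_user_namespaces=$(cat /proc/sys/user/max_user_namespaces)"
    fi
    # Debian/Arch patch knob (CONFIG_USER_NS_UNPRIVILEGED is its default); not in mainline.
    if [ -r /proc/sys/kernel/unprivileged_userns_clone ]; then
        echo "kernel.unprivileged_userns_clone=$(cat /proc/sys/kernel/unprivileged_userns_clone)"
    else
        echo "kernel.unprivileged_userns_clone: absent (mainline kernel; CONFIG_USER_NS alone decides)"
    fi
    echo "uid_map of this process:"
    cat /proc/self/uid_map 2>/dev/null
}

# Constructed sample: the map nspawn --private-users=pick gives a container
# whose base UID happens to be 100000.
SAMPLE_MAP="0 100000 65536"

# Usage when run directly:
#   userns_report
#   uidmap_translate 0     "$SAMPLE_MAP"   -> 100000   (container root on the host)
#   uidmap_reverse   65534 "$SAMPLE_MAP"   -> unmapped (root_squash'd NFS file = nobody inside)
#   fs_type /var/lib/machines/mycontainer
```

Run `userns_report` on the Armbian box and on the Arch desktop and diff the two: if CONFIG_USER_NS=y and max_user_namespaces is non-zero on both, the kernel config is not the culprit, and `fs_type` on the container directory is the next thing to compare, exactly the path EDIT2 and EDIT3 in the post took.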