On 02/09/2011 04:02 AM, Daniel P. Berrange wrote:
> This patch assumes that no one really needs the user namespaces
> to be enabled. If that is wrong, then we can try a more
> baroque patch where we create a file owned by a test userid with
> 700 perms and, if we can't access it after setuid'ing to that
> userid, then return 0. Otherwise, assume we are using an
> older, 'harmless' user namespace implementation.
>
> Comments appreciated. Is it ok to do this?

Given what you describe on the UserNamespaces wiki page I believe
this is the right thing to do in libvirt. There's no compelling
reason why we were setting this flag in the first place, other
than the fact that it existed & was thought to do something.
ACK

Pushed.
--
Eric Blake eblake(a)redhat.com +1-801-349-2682
Libvirt virtualization library
http://libvirt.org