Description of problem:
In RHEL 7.5, unprivileged namespaces are a technology preview feature enabled with the boot parameter namespace.unpriv_enable=1 plus setting the sysctl variable user.max_user_namespaces to a non-zero value. This works great for testing, and the Worldwide LHC Computing Grid (WLCG) community would very much like to begin using this feature in production. At least initially we would use it with the unprivileged mode of the open source tool singularity (which I now support in Fedora Core and EPEL), to avoid the security risk of setuid-root. We request that this feature be promoted to production support in a future 7.X release, hopefully 7.6. We understand that it will probably be in 8.X, but it will take years before all of our users will be able to upgrade to that.

Version-Release number of selected component (if applicable):
3.10.0-862.3.3.el7

How reproducible:
Very

Steps to Reproduce:
1. Enable EPEL 7 with rpm -i https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
2. yum install singularity
3. As an unprivileged user run singularity exec -u -H $HOME:/srv docker://centos:6 cat /etc/redhat-release

Actual results:
ERROR : Failed invoking the NEWUSER namespace runtime: Invalid argument

Expected results:
CentOS release 6.9 (Final)

Additional info:
If someone could uncheck the "Private group" on this ticket or otherwise make the ticket be public, I would appreciate it.
Could anyone reading this ticket who has the power please uncheck "Private group".
(In reply to Dave Dykstra from comment #3)
> Could anyone reading this ticket who has the power please uncheck "Private
> group".

Done, please take a look.

Chao
There are several confirmations in a different ticket #1350553 that this will be fully supported in 7.6. Great! The other ticket is closed, but it is where I originally requested this feature. I suppose this one can now be closed too, and refer to the other ticket.
Closing as current release then.
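
A check for the two settings the original report names (the namespace.unpriv_enable=1 boot parameter and a non-zero user.max_user_namespaces), added here as an example and not part of the ticket or of any Red Hat or singularity tooling. The function name check_userns and its output format are assumptions; /proc/cmdline and /proc/sys/user/max_user_namespaces are the standard locations of the kernel command line and that sysctl.

```shell
#!/bin/sh
# Added example (not from the ticket). check_userns and its output format are
# hypothetical; the two settings checked are the ones the report names.
# Usage: check_userns [CMDLINE_FILE] [MAX_USERNS_FILE]
check_userns() {
    cmdline_file=${1:-/proc/cmdline}
    max_file=${2:-/proc/sys/user/max_user_namespaces}

    # Boot parameter: require the exact token, so that
    # "namespace.unpriv_enable=10" or "xnamespace.unpriv_enable=1" do not match.
    boot=missing
    if [ -r "$cmdline_file" ] &&
       tr -s '[:space:]' '\n' < "$cmdline_file" |
       grep -qx 'namespace\.unpriv_enable=1'; then
        boot=ok
    fi

    # Sysctl: must be a non-zero integer. A missing or unreadable file means
    # the limit could not be determined on this kernel.
    max=$(cat "$max_file" 2>/dev/null) || max=
    case $max in
        '' | *[!0-9]*) limit=unreadable ;;
        0)             limit=zero ;;
        *)             limit=ok ;;
    esac

    echo "boot=$boot sysctl=$limit"
    # Succeed only when both settings are in place.
    [ "$boot" = ok ] && [ "$limit" = ok ]
}

# Report on the running system; "|| true" keeps the script's exit status 0.
check_userns || true
```

The function returns success only when both settings are in place, so it can gate a deployment step or a compliance check on hosts where unprivileged user namespaces must be either available or deliberately off.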