Hi guys!

I am currently trying Arch in a VM and I like it a lot. Wanted to try the hardened kernel all the time, but it has the problem of forbidding custom namespaces.

Tbh I dont even know what that is, but on arch, installing bubblewrap-suid fixes the flatpak problem.

I could not find such a package for Podman, which is used as backend (?) in Distrobox.

Is there a way to make Podman, Docker, Distrobox, Toolbox work on linux-hardened?

This is a big requirement for making a Fedora Atomic version using the hardened kernel, which sounds great, as they completely rely on these containers.

  • alt@lemmy.ml
    link
    fedilink
    arrow-up
    12
    ·
    1 year ago

    Basically, you want to not disable kernel.unprivileged_userns_clone.

    For a temporary solution that has to be redone after reboot, there is sysctl kernel.unprivileged_userns_clone=1.

    For a lasting solution, consider echo kernel.unprivileged_userns_clone=1 | sudo tee /etc/sysctl.d/99-enable-unpriv-userns.conf.

    In either case you're foregoing security for the sake of convenience/functionality, so I understand why you would rather not act upon either of them.

    I don't know what the solution is that would be analogous to installing bubblewrap-suid. Perhaps, it's worth exploring the projects found within the github page of Awesome Fedora Security for some pointers.