Running containers with systemd as init system currently requires privileged:true to be set in the container's SecurityContext. The container will by default run in the user namespace of the host. Since process limits are set per user namespace, changing process limits in the container will affect the host.
https://systemd.io/CONTAINER_INTERFACE/#fully-unprivileged-container-payload
cri-o has added support for UID mappings (since TODO) in /etc/crio/crio.conf and passes them to the OCI runtime spec as LinuxIDMapping:
# The UID mappings for the user namespace of each container. A range is
# specified in the form containerUID:HostUID:Size. Multiple ranges must be
# separated by comma.
uid_mappings = ""
# The GID mappings for the user namespace of each container. A range is
# specified in the form containerGID:HostGID:Size. Multiple ranges must be
# separated by comma.
gid_mappings = ""
crio-lxc in turn uses the mapping from the runtime spec to set lxc.idmap in the container config.
Currently I did not manage to get a plain lxc container running in user namespaces.
See lxc/lxc#3669
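As an added illustration of the chain described above (crio.conf range string, OCI LinuxIDMapping, lxc.idmap line), and not code from cri-o or crio-lxc: a small Go parser for the uid_mappings/gid_mappings format. The struct fields mirror the OCI spec; the validation policy (refusing empty, overflowing, or host-root-covering ranges) is this example's own assumption, not cri-o's behaviour.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// IDMapping mirrors the three fields of the OCI runtime spec LinuxIDMapping.
type IDMapping struct{ ContainerID, HostID, Size uint32 }

// ParseIDMappings parses a crio.conf uid_mappings/gid_mappings value, i.e. comma-
// separated "containerID:hostID:size" ranges. Empty means no mapping configured.
func ParseIDMappings(spec string) ([]IDMapping, error) {
	if strings.TrimSpace(spec) == "" {
		return nil, nil // container stays in the host's user namespace
	}
	var out []IDMapping
	for _, r := range strings.Split(spec, ",") {
		parts := strings.Split(strings.TrimSpace(r), ":")
		if len(parts) != 3 {
			return nil, fmt.Errorf("malformed range %q", r)
		}
		var v [3]uint64
		for i, p := range parts {
			n, err := strconv.ParseUint(p, 10, 32)
			if err != nil {
				return nil, fmt.Errorf("range %q: %w", r, err)
			}
			v[i] = n
		}
		// Assumed policy: reject empty ranges, ranges past the 32-bit ID space, and
		// ranges covering host ID 0, since mapping host root into the container defeats the isolation.
		if v[2] == 0 || v[0]+v[2] > 1<<32 || v[1]+v[2] > 1<<32 || v[1] == 0 {
			return nil, fmt.Errorf("range %q: invalid or unsafe range", r)
		}
		out = append(out, IDMapping{uint32(v[0]), uint32(v[1]), uint32(v[2])})
	}
	return out, nil
}

// LXCIDMapLines renders the mappings as lxc.idmap config lines, kind being "u"
// for UIDs or "g" for GIDs, the form crio-lxc writes into the LXC config.
func LXCIDMapLines(kind string, maps []IDMapping) []string {
	lines := make([]string, 0, len(maps))
	for _, m := range maps {
		lines = append(lines, fmt.Sprintf("lxc.idmap = %s %d %d %d", kind, m.ContainerID, m.HostID, m.Size))
	}
	return lines
}
```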