
we should run img within userns with subuid/subgid (especially for apt) #49

Closed
AkihiroSuda opened this issue Feb 27, 2018 · 4 comments

Comments

@AkihiroSuda
Collaborator

AkihiroSuda commented Feb 27, 2018

This branch allows containers to use subuid/subgid (i.e. apt update works): https://github.com/jessfraz/img/compare/master...AkihiroSuda:allow-subuidgid.20180227?expand=1

However, img itself cannot "commit" the cache due to EPERM, as img
itself does not have access to files owned by its subusers (_apt).

  solving failed: failed to commit rt3w4yqk2tkibexmj15dtavb8: open /tmp/img/runc/naive/snapshots/snapshots/5/var/lib/apt/lists/partial: permission denied

So I suggest running img itself in userns with newuidmap/newgidmap.
(probably via reexec for better UX)

If we can run img itself in userns, we can also:

  • remove "mountless" code, which is not highly likely to be merged to upstream containerd/buildkit, and allow using Ubuntu-patched overlayfs again.
  • create netns (with SUID lxc-user-net or slirp) for better isolation, especially for
    prohibiting containers from accessing "abstract" sockets on the host.
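The permission-denied error above comes from the id mapping itself: a file that `_apt` created inside the container is owned on the host by a subuid from the user's `/etc/subuid` range, and the unprivileged `img` process, running outside the user namespace, is simply a different uid from the container's point of view. The following Go program, an added illustration that is not part of img or the linked branch, parses a constructed `/etc/subuid` fragment, builds the argument list for `newuidmap` using the usual rootless layout (container id 0 to the caller's own uid, container ids 1..count to the delegated subuid range; this layout is an assumption, not taken from the branch), and shows why the parent cannot access the apt cache outside the namespace but the same file maps back to a container uid inside it. The `_apt` uid of 100 and the pid 4242 are constructed sample values.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// SubIDRange is one entry of /etc/subuid or /etc/subgid ("user:start:count").
type SubIDRange struct {
	Start int
	Count int
}

// ParseSubIDRange returns the first range delegated to user in subuid/subgid
// formatted content (the format read by newuidmap/newgidmap).
func ParseSubIDRange(content, user string) (SubIDRange, error) {
	sc := bufio.NewScanner(strings.NewReader(content))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		fields := strings.Split(line, ":")
		if len(fields) != 3 || fields[0] != user {
			continue
		}
		start, err1 := strconv.Atoi(fields[1])
		count, err2 := strconv.Atoi(fields[2])
		if err1 != nil || err2 != nil || start < 0 || count <= 0 {
			return SubIDRange{}, fmt.Errorf("malformed subid line: %q", line)
		}
		return SubIDRange{Start: start, Count: count}, nil
	}
	return SubIDRange{}, errors.New("no subid range for user " + user)
}

// NewIDMapArgs builds the arguments for the setuid helpers newuidmap/newgidmap:
// "pid id lowerid count [id lowerid count ...]". Container id 0 maps to the
// caller's own host id; container ids 1..Count map onto the subid range
// (assumed rootless layout, not img's own code).
func NewIDMapArgs(pid, hostID int, r SubIDRange) []string {
	return []string{
		strconv.Itoa(pid),
		"0", strconv.Itoa(hostID), "1",
		"1", strconv.Itoa(r.Start), strconv.Itoa(r.Count),
	}
}

// HostToContainerID translates a host-side owner id (what the snapshot
// directory shows) into the id the container saw under the same mapping.
// ok is false when the host id is outside the namespace (it would show up
// as "nobody" inside the container).
func HostToContainerID(hostID, ownID int, r SubIDRange) (int, bool) {
	switch {
	case hostID == ownID:
		return 0, true
	case hostID >= r.Start && hostID < r.Start+r.Count:
		return hostID - r.Start + 1, true
	}
	return -1, false
}

// CanAccessWithoutUserns reports whether the unprivileged parent, running
// outside any user namespace, owns the file. A file created by a container
// user mapped to a subuid is owned by that subuid on the host, so the parent
// gets "permission denied" when it tries to commit the snapshot.
func CanAccessWithoutUserns(hostOwner, ownID int) bool {
	return hostOwner == ownID
}

func main() {
	// Constructed sample /etc/subuid content; not copied from a real host.
	const subuid = "# user:start:count\nalice:100000:65536\nbob:165536:65536\n"
	r, err := ParseSubIDRange(subuid, "alice")
	if err != nil {
		panic(err)
	}
	fmt.Println("newuidmap", strings.Join(NewIDMapArgs(4242, 1000, r), " "))

	// Constructed: _apt has uid 100 inside the container, so on the host the
	// apt lists directory is owned by Start+100-1.
	aptHost := r.Start + 100 - 1
	fmt.Println("host owner of apt lists:", aptHost,
		"accessible to parent outside userns:", CanAccessWithoutUserns(aptHost, 1000))
	cid, ok := HostToContainerID(aptHost, 1000, r)
	fmt.Println("inside the userns it maps back to container uid", cid, ok)
}
```

Running `img` itself inside such a namespace (via `unshare -U` followed by `newuidmap`/`newgidmap`, or a reexec that does the same) makes the snapshot files owned by subuids appear as ordinary container-side uids, which is what lets the commit succeed.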
@jessfraz
Collaborator

jessfraz commented Feb 27, 2018

Yeah totally, sorry I just did the mountless temporarily so people didn’t have to unshare and do the whole song and dance to try it :)

I will do a patch to do an unshare in the constructor or reexec

@jessfraz
Collaborator

All my decisions are bad hahaha

I’ll ping you on PRs from here out, and remove the mountless :)

@jessfraz
Collaborator

jessfraz commented Mar 1, 2018

I keep hitting this opencontainers/runc#1658 regardless of userns or non-userns, and I'm just wondering if this is because of Docker's masked paths or read-only paths, although I tried removing those and it still didn't work. It's super odd to me.

@AkihiroSuda
Collaborator Author

Closing, as this proposal was implemented in v0.3.1/v0.3.2. (thanks!)
