Vagga is a containerization tool without daemons (github.com/tailhook)
31 points by m_sahaf on Feb 12, 2016 | 10 comments


I don't understand this point:

  - Fully userspace containers, no need for elevated privileges
The most basic Linux container is constructed with chroot and namespaces, both of which require root privileges (or at least CAP_SYS_CHROOT and CAP_SYS_ADMIN respectively). Additionally managing layers with a union filesystem, unless utilising FUSE, will also require elevated privileges.


After a more extensive look at the code: it requires the host root user to set `kernel.unprivileged_userns_clone=1`, after which Vagga can perform privileged operations as a "root" user inside a user namespace.


Yes. But that's on the Debian (IIRC) kernel, i.e. the patched one. On a stock kernel it requires the CONFIG_USER_NS setting enabled, and it just works.


It can have root inside the new user namespace, which - I assume - is sufficient to chroot in its mount namespace.
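
Added example, not part of the thread or of Vagga's code: a shell check for the two conditions the comments above name (CONFIG_USER_NS in the kernel build and the Debian-patch sysctl `kernel.unprivileged_userns_clone`), plus the upstream `user.max_user_namespaces` limit, which the thread does not mention. The function name, result labels and sample host directories are constructed for illustration.

```shell
#!/bin/sh
# userns_exposure KCONFIG_FILE PROC_SYS_DIR   (hypothetical helper name)
# Prints: not-built | blocked-by-sysctl | open-to-unprivileged
userns_exposure() {
    kconfig=$1
    procsys=$2
    # Stock kernels: user namespaces exist only if CONFIG_USER_NS=y.
    if ! grep -q '^CONFIG_USER_NS=y$' "$kconfig"; then
        echo not-built
        return 0
    fi
    # Debian-patched kernels add this knob; the file is absent on stock kernels.
    knob="$procsys/kernel/unprivileged_userns_clone"
    if [ -r "$knob" ] && [ "$(cat "$knob")" = 0 ]; then
        echo blocked-by-sysctl
        return 0
    fi
    # Upstream limit (Linux 4.9+, not mentioned in the thread): 0 forbids creation.
    limit="$procsys/user/max_user_namespaces"
    if [ -r "$limit" ] && [ "$(cat "$limit")" = 0 ]; then
        echo blocked-by-sysctl
        return 0
    fi
    echo open-to-unprivileged
}

# Constructed sample hosts: DIR/config plus a /proc/sys-like tree under DIR.
make_host() {  # make_host DIR CONFIG_LINE [CLONE_VALUE] [MAX_VALUE]
    mkdir -p "$1/kernel" "$1/user"
    printf '%s\n' "$2" > "$1/config"
    if [ -n "${3-}" ]; then printf '%s\n' "$3" > "$1/kernel/unprivileged_userns_clone"; fi
    if [ -n "${4-}" ]; then printf '%s\n' "$4" > "$1/user/max_user_namespaces"; fi
}

demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
make_host "$demo/stock"    'CONFIG_USER_NS=y'
make_host "$demo/debian"   'CONFIG_USER_NS=y' 0
make_host "$demo/allowed"  'CONFIG_USER_NS=y' 1 15000
make_host "$demo/capped"   'CONFIG_USER_NS=y' '' 0
make_host "$demo/nouserns" '# CONFIG_USER_NS is not set'

for h in stock debian allowed capped nouserns; do
    printf '%-9s %s\n' "$h" "$(userns_exposure "$demo/$h/config" "$demo/$h")"
done
```

On a real host, pass the kernel config file (commonly `/boot/config-$(uname -r)`) and `/proc/sys` as the two arguments.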


Excellent avoidance of elevated privileges with CONFIG_USER_NS and it's easy to deploy. Great stuff!


I just had a brief look at the tutorial, but it looks great! Kudos to the author!


..and it's implemented in Rust, w00t!


I wonder where they get their Rust musl static releases from? As you cannot bootstrap 1.7 with 1.6 you always need to use the officially tagged nightly snapshot for the particular release when building rust, which happens to be for glibc. So it's a pita to build and use rust with musl, unless it's part of the official release channels already.


vagga is built by vagga itself, so you can look at how to make musl rust here: https://github.com/tailhook/vagga/blob/master/vagga.yaml#L23...

There is already a musl libc distributed with rust since 1.5: http://static.rust-lang.org/dist/index.html http://static.rust-lang.org/dist/rust-std-1.6.0-x86_64-unkno...

But we had not used it yet.


Hey look, jails on Linux.



