Jan Pazdziora
Thank you @rata for showing that example Pod, that certainly helps. I changed it a bit to say ``` args: ["-c", "set -x ; id ; cat /proc/self/uid_map ; mount...
> Re 2: I don't understand what you see _exactly_ when you say "the logic breaks again". Can you paste output verbatim? Ah, sorry for not being precise. With just...
> yes this is expected, as the feature is still in alpha and openshift doesn't enable alpha features Do we know the timeline for the feature getting out of Alpha...
> when you use privilege it's actually getting the cgroup mount of the host, rather than of the container. for instance, the first container that just has SYS_ADMIN, that's actually...
I admit I'm not fluent in what all the things are that the privileged container does differently, and whether we should be able to emulate / configure things accordingly. The...
@dgl. Thanks. I have made some progress on the non-privileged front but I would like to understand the privileged situation as well, so I try to come up with the...
I've added this to the script, rebuilt and pushed the image. I can see ``` + id uid=0(root) gid=0(root) groups=0(root) + cat /proc/self/uid_map 0 200000 65536 + mount + grep...
I also seem to be able to get to exactly this state without the `/sbin/init` logic: ``` apiVersion: v1 kind: Pod metadata: name: test-podman annotations: io.openshift.builder: "true" io.kubernetes.cri-o.userns-mode: auto spec:...
For the record / note to myself: I was able to observe the `/sbin/init` / non-`/sbin/init` difference only in unprivileged containers. Out of the box, no matter what entrypoint, I see...
Are you sure using `:rw` doesn't give the container more permissions than you want and than is secure, on cgroup v1 systems?
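The checks the thread keeps repeating by hand (`cat /proc/self/uid_map`, `mount | grep cgroup`) can be scripted so the same probe is run in every Pod variant and the result compared. The following POSIX sh script is an added example, not code from the thread or from any of its participants: it classifies a process as running in a user namespace or in the host's initial namespace from its `uid_map`, and reports whether any cgroup (v1 or v2) filesystem is mounted read-write from its `mountinfo`. The sample `uid_map` and `mountinfo` files it creates are constructed here for illustration; only the `0 200000 65536` mapping is taken from the thread. Function names, the `SAMPLE_DIR` location and the sample mount IDs are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): probe user-namespace and cgroup state.
# Both functions take a file path so they can run against constructed samples
# as well as the live /proc/self/uid_map and /proc/self/mountinfo.

# Print "host" if the first uid_map line is the identity map of the initial
# user namespace ("0 0 4294967295"), otherwise "userns" (e.g. "0 200000 65536").
userns_state() {
    # uid_map fields: inside-id  outside-id  length
    awk 'NR == 1 {
        if ($1 == 0 && $2 == 0 && $3 == 4294967295) print "host"
        else print "userns"
        exit
    }' "$1"
}

# Print "rw" if any cgroup or cgroup2 mount in a mountinfo file is mounted
# read-write, "ro" if cgroup mounts exist but all are read-only, "none" if
# there is no cgroup mount at all. Uses the per-mount options (field 6), not
# the superblock options at the end of the line: a read-only bind mount of a
# read-write superblock shows "ro" in field 6 and "rw" in the last field.
cgroup_mount_mode() {
    awk '{
        # Fields 1-6 are fixed; optional fields follow until a lone "-",
        # and the filesystem type is the field right after that separator.
        fstype = ""
        for (i = 7; i <= NF; i++) if ($i == "-") { fstype = $(i + 1); break }
        if (fstype == "cgroup" || fstype == "cgroup2") {
            seen = 1
            if ($6 ~ /^rw(,|$)/) writable = 1
        }
    } END {
        if (!seen) print "none"
        else if (writable) print "rw"
        else print "ro"
    }' "$1"
}

# Constructed sample inputs (assumption: not captured from a real Pod).
SAMPLE_DIR=$(mktemp -d)
printf '%s\n' '0 200000 65536' > "$SAMPLE_DIR/uid_map_userns"
printf '%s\n' '         0          0 4294967295' > "$SAMPLE_DIR/uid_map_host"
cat > "$SAMPLE_DIR/mountinfo_v1_rw" <<'EOF'
25 20 0:24 / /sys/fs/cgroup rw,nosuid,nodev,noexec,relatime - tmpfs tmpfs rw,mode=755
30 25 0:26 / /sys/fs/cgroup/memory rw,nosuid,nodev,noexec,relatime - cgroup cgroup rw,memory
31 25 0:27 / /sys/fs/cgroup/pids rw,nosuid,nodev,noexec,relatime - cgroup cgroup rw,pids
EOF
cat > "$SAMPLE_DIR/mountinfo_v1_ro" <<'EOF'
25 20 0:24 / /sys/fs/cgroup ro,nosuid,nodev,noexec,relatime - tmpfs tmpfs rw,mode=755
30 25 0:26 / /sys/fs/cgroup/memory ro,nosuid,nodev,noexec,relatime - cgroup cgroup rw,memory
31 25 0:27 / /sys/fs/cgroup/pids ro,nosuid,nodev,noexec,relatime - cgroup cgroup rw,pids
EOF
cat > "$SAMPLE_DIR/mountinfo_v2_rw" <<'EOF'
32 20 0:28 / /sys/fs/cgroup rw,nosuid,nodev,noexec,relatime - cgroup2 cgroup2 rw
EOF
cat > "$SAMPLE_DIR/mountinfo_nocgroup" <<'EOF'
21 1 0:20 / / rw,relatime - overlay overlay rw,lowerdir=/l,upperdir=/u,workdir=/w
EOF

echo "sample userns uid_map: $(userns_state "$SAMPLE_DIR/uid_map_userns")"
echo "sample host   uid_map: $(userns_state "$SAMPLE_DIR/uid_map_host")"
echo "sample cgroup v1 rw : $(cgroup_mount_mode "$SAMPLE_DIR/mountinfo_v1_rw")"
echo "sample cgroup v1 ro : $(cgroup_mount_mode "$SAMPLE_DIR/mountinfo_v1_ro")"
echo "sample cgroup v2 rw : $(cgroup_mount_mode "$SAMPLE_DIR/mountinfo_v2_rw")"
echo "sample no cgroup    : $(cgroup_mount_mode "$SAMPLE_DIR/mountinfo_nocgroup")"

# On Linux, also report the state of the process running this script.
if [ -r /proc/self/uid_map ] && [ -r /proc/self/mountinfo ]; then
    echo "this process: $(userns_state /proc/self/uid_map), cgroup mounted $(cgroup_mount_mode /proc/self/mountinfo)"
fi
```

Run it as the container's entrypoint (or from `args: ["-c", ...]`) in each Pod variant under discussion; a line reading `userns` plus cgroup `ro` is what an unprivileged, user-namespaced container normally shows, while `host` plus `rw` indicates the container sees the host's cgroup tree writable, which is the exposure the `:rw` question above is about.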