Cesar Talledo

> Now, the issue that you are reporting doesn't seem trivial to me since we are getting an EPERM from the kernel while trying to execute that IOCTL that we...

> It seems the kernel is only allowing this from within the init user-namespace, which does not appear to be conceptually correct. This kernel behavior may be on purpose though:...

Hi @MaxistheSpy, No sorry, not at this time. But what is the use case you have in mind? Thanks!

I see, thanks. Just FYI, Docker Desktop (enterprise subscription only) carries Sysbox in it, and uses it when a feature called [Enhanced Container Isolation](https://docs.docker.com/security/for-admins/hardened-desktop/enhanced-container-isolation/). I mention it just in case...

> This seems more like a docker UX problem and not an issue with the core containerd functionality? I first tried solving it at the Docker/Moby layer, but then realized...

Hi @cpuguy83, @dmcgowan, would you mind taking a look (or second look for @cpuguy83) at this PR and see if it makes sense please. Thanks!

Hi @thaJeztah, > Looks like the description and title may not match; it's probably either export and import or save and load 😅 ? From a Docker CLI perspective, I...

> Did a quick rebase and vendor Thanks @thaJeztah!

CI looks good, the one integration test failure is spurious and unrelated to this PR.

I investigated a bit and I can see that the cause of the problem is the Docker daemon trying to write a docker-store compatible manifest (`manifest.json`), and this is in...