I once asked how Linux namespaces could be disabled without recompiling. One of the comments asked if I meant without building with CONFIG_USER_NS=n, and the answer my question received said to set user.max_*_namespaces to 0. I have recently discovered that there is also a CONFIG_NAMESPACES build parameter. Does this mean namespaces are still usable even if user.max_*_namespaces are all 0?
Why would you want to do that? Lots of stuff will break without namespaces, and the system probably wouldn't even boot if it uses systemd rather than sysvinit or whatever (and even with sysv, most desktop environments would break without namespaces, as would many apps). You'd probably have to use a distro from 10-15 years ago. Or FreeBSD. – cas, 2025-10-02 02:13:51 +00:00
1 Answer
If a kernel is built with CONFIG_NAMESPACES disabled, then no namespace support is available with that kernel, at all. That can’t then be changed at runtime. The same applies to CONFIG_USER_NS: if a kernel is built with that disabled, then no user namespace support is available with that kernel, and that can’t be changed at run time.
A kernel with namespace support provides user.max_*_namespaces controls to limit namespace support at runtime. This doesn’t imply that namespaces are still usable if these controls are set to 0; if they are set to 0, then no one can create namespaces, which effectively means namespaces are not usable.
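As an added illustration (not part of the answer above), the following POSIX sh audit separates the two mechanisms the answer describes: the build-time CONFIG_NAMESPACES / CONFIG_USER_NS options, which cannot be changed at runtime, and the runtime user.max_*_namespaces limits, which make creation fail when all are 0. The kernel config path and the sysctl directory are passed in as parameters (assumed interface for this example) so the logic can be checked against constructed files; on a live system they would be /boot/config-$(uname -r) and /proc/sys/user.

```sh
#!/bin/sh
# Added example, not from the original post: report whether namespace creation
# is possible on a host, and if not, whether the cause is build-time or runtime.
# CONFIG_FILE is a plain-text kernel config (e.g. /boot/config-$(uname -r));
# SYSCTL_DIR is the directory holding max_*_namespaces (e.g. /proc/sys/user).

# Return 0 if OPTION appears as "OPTION=y" in CONFIG_FILE.
config_enabled() {
    grep -qx "$2=y" "$1"
}

# Return 0 if every max_*_namespaces file under SYSCTL_DIR holds 0, meaning no
# process can create any namespace at runtime; return 1 if any limit is non-zero
# or if no limit files exist at all.
all_limits_zero() {
    dir=$1
    found=0
    for f in "$dir"/max_*_namespaces; do
        [ -f "$f" ] || continue
        found=1
        [ "$(cat "$f")" -eq 0 ] || return 1
    done
    [ "$found" -eq 1 ]
}

# Print one word describing the state:
#   none      - CONFIG_NAMESPACES=n: no support, nothing to enable at runtime
#   limited   - built in, but every runtime limit is 0, so creation fails
#   no-userns - namespaces exist, but user namespaces were compiled out
#   available - built in and at least one runtime limit is non-zero
namespace_status() {
    config=$1
    sysctl_dir=$2
    if ! config_enabled "$config" CONFIG_NAMESPACES; then
        echo none
    elif all_limits_zero "$sysctl_dir"; then
        echo limited
    elif ! config_enabled "$config" CONFIG_USER_NS; then
        echo no-userns
    else
        echo available
    fi
}

# Audit the running system when invoked as: sh ns_audit.sh --live
if [ "${1:-}" = "--live" ]; then
    namespace_status "/boot/config-$(uname -r)" /proc/sys/user
fi
```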