Suggestion: breakdown of each incremental feature that apptainer can use #69

@multimeric

This relates mostly to the "User Namespaces and Fakeroot" page. I found it fairly confusing because apptainer has so many modular features, each of which requires different levels of permissions and dependent software, that in turn enable different capabilities in apptainer. In theory this could be expanded to talk about FUSE filesystems etc as well.

The motivation for this is helping sysadmins determine which features they can enable "for free" (i.e. without security risks), e.g. fakeroot, and which ones can be skipped. E.g. the setuid flag is possibly not needed on newer Linux kernels.

I think it might be helpful to present this information as a collection of paragraphs, one for each capability, that describe this information in a structured way. Now I don't actually have all the info to write this because I still don't fully understand everything, but here's an example:

Name: Fakeroot binary
How to Enable: Install fakeroot command (can be compiled from scratch or installed as a package)
Required Privileges: None (any user can compile fakeroot)
Security risks: None
Enables: The use of sudo inside apptainer, for example sudo apt install or sudo make install. This allows the use of many standard installation mechanisms, which can make building containers much easier

Name: Setuid Flag
How to Enable: Install apptainer-suid package instead of apptainer
Required Privileges: Root
Security risks: Potentially
Enables: Allows apptainer to run on old Linux kernels that don't support user namespaces

Name: subuid Mappings
How to Enable: The root user can customize /etc/subuid and /etc/subgid
Required Privileges: Root
Security risks: No (?)
Enables: Allows apptainer to map multiple users inside the container to multiple users outside the container. This extends the default behaviour whereby the running user outside the container is mapped to root inside the container.
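A host-side inventory script for the prerequisites the post lists, added here as an example (it is not Apptainer code and not from the issue author). It checks the four things a sysadmin would want to know before deciding which of these features to turn on: whether the kernel allows unprivileged user namespaces (the capability the setuid install is meant to replace), whether a fakeroot binary is on PATH, whether a given binary carries the setuid bit, and how many subordinate IDs /etc/subuid and /etc/subgid allocate to a user. Each probe takes its input as an argument so it can be run against the live host or against constructed sample data; the default starter path in `report` is an assumption and should be replaced with the path from your own install.

```shell
#!/bin/sh
# Added example for this issue: inventory the host prerequisites behind the
# features in the post (fakeroot binary, setuid install, subuid/subgid
# mappings) and the user-namespace support they hinge on. Not Apptainer code.
# Every probe takes its input as an argument so it can be pointed at the real
# files or at constructed sample data.

# Unprivileged user namespaces: Linux exposes the per-user limit in
# /proc/sys/user/max_user_namespaces; a value of 0 means they are disabled.
userns_enabled() {
    f=${1:-/proc/sys/user/max_user_namespaces}
    [ -r "$f" ] || return 1
    n=$(cat "$f")
    [ "$n" -gt 0 ] 2>/dev/null
}

# Fakeroot binary: installable by any user, so just look it up on PATH.
fakeroot_available() {
    command -v "${1:-fakeroot}" >/dev/null 2>&1
}

# Setuid install: apptainer-suid relies on a setuid starter binary.
# Takes the path to check; returns true when the setuid bit is set.
is_setuid_bit() {
    [ -u "$1" ]
}

# subuid/subgid mappings: one "user:start:count" line per allocation.
# Prints the total number of subordinate IDs allocated to $1 in file $2
# (0 when the user has no entry or the file is unreadable).
subid_count() {
    [ -r "$2" ] || { echo 0; return; }
    awk -F: -v u="$1" '$1 == u { s += $3 } END { print s + 0 }' "$2"
}

# Human-readable summary; defaults target the live host.
report() {
    user=${1:-$(id -un)}
    suid_bin=${2:-/usr/libexec/apptainer/bin/starter-suid}   # assumed path
    if userns_enabled; then echo "user namespaces: enabled"
    else echo "user namespaces: disabled or unknown"; fi
    if fakeroot_available; then echo "fakeroot binary: found on PATH"
    else echo "fakeroot binary: not found"; fi
    if is_setuid_bit "$suid_bin"; then echo "setuid starter: present at $suid_bin"
    else echo "setuid starter: not found at $suid_bin"; fi
    echo "subuid range for $user: $(subid_count "$user" /etc/subuid) ids"
    echo "subgid range for $user: $(subid_count "$user" /etc/subgid) ids"
}

# Print the summary only when this file is executed directly, not when sourced.
case "$0" in *apptainer_features.sh) report "$@" ;; esac
```

Save it as apptainer_features.sh and run `sh apptainer_features.sh [user] [starter-path]` to print the summary; a host that reports user namespaces enabled and a fakeroot binary present can build with the fakeroot path from the post without the setuid package, while a zero subuid range means no additional per-user mappings are in place.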
