Open
Description
What is the problem you're trying to solve
We currently depend on the nsenter binary.
Although working, this is problematic for a couple of reasons:
- different distro (busybox) may have different syntax
- different versions may or may not support different flags
- nsenter is a bit of a blackbox, and it is not trivial to figure out what happens when you pass
-wvs.-Wfor example
Linking ticket #3385 for example.
Describe the solution you'd like
An alternative solution would be to reexec instead, possibly leveraging docker reexec package.
This is certainly a somewhat complex endeavor, and definitely impactful from a security standpoint. It has to be done right.
Additional context
No response