Ludovic Courtès wrote on Fri 01-04-2022 at 10:12 [+0200]:
> Or we could unconditionally add 65536 subuids for each non-system user
> account; that’s what other distros seem to be doing.
>
> I think we could take advantage of it for ‘guix system container’: it
> could run in an unprivileged user namespace and map several UIDs in that
> namespace, such that it doesn’t need to run as root anymore.

I think it will need to be conditional, because the container only has
access to 65536 uids. So if the container contains at least one
non-system user, then all available uids are occupied so there is no room
anymore for 'root' or per-service users ...

Greetings,
Maxime.