ping @crosbymichael

@dineshs-altiscale Can you explain why we need to change the permissions for this to work?

Several steps along the way before execve assume root. But once the UID mappings are enforced somewhere midway in the driver, it's suddenly not true anymore. For example, sysinit running as docker-root needs to be able to read .dockerenv which is owned by host root.

This is about the minimal change required to get through the initialization phase without stumbling on missing permission. I arrived here after several iterations -- first 0755 for container.root, then to 0711 and then to 0710.

@crosbymichael do we still need this? If we do this needs a serious rebase.

Thanks for these PRs. We finally have the Go PRs merged to add support into libcontainer and will be working on user namespaces soon after the Go 1.4 release is out.

We will review the filesystem operations after the execution aspect is complete.