Here is an old, but very good RHEL blog post that explains user namespaces.
A somewhat oversimplified definition is that a user namespace amounts to a mapping of a user id within a container to another user id outside the container. RSPM git builders utilize user namespaces, along with other container technologies, to isolate the R process that builds the R package. This provides better security, especially if the R package includes pre- or post-build scripts.
Calculating User Namespace Requirements
While building an R package, RSPM uses two user namespaces. The Git.BuildConcurrency setting controls the number of concurrent Git builds in RSPM per git builder. To determine the number of user namespaces you will potentially need, you can perform a calculation like this:
- Number of git builders using tag polling = tagBuilders
- Git.BuildConcurrency setting (defaults to 25) = buildConcurrency
- Number of git builders using commit polling = commitBuilders
User Namespaces Required = ((tagBuilders * buildConcurrency) + commitBuilders) * 2
- Four git builders are configured to build R packages based on tags (tagBuilders = 4)
- Git.BuildConcurrency setting is at the default of 25 (buildConcurrency = 25)
- Five git builders are configured to build R packages upon new commits (commitBuilders=5)
User Namespaces Required = ((4 * 25) + 5) * 2 = 210 namespaces
A general statement would be the minimum value should be at least 100, though there is no harm in enabling a larger number of user namespaces. This is why our Admin Guide examples include large values like 15,000.
RHEL has been slow to enable user namespaces in order to give the technology more time to incubate before enabling it by default. If you are concerned about any security issues involving user namespaces, we recommend running RSPM on a server or VM that is dedicated to RSPM so that no other users, applications, or services can take advantage of the user namespace support.
Although user namespaces are preferred, RSPM provides two alternatives. See the Admin Guide section on Process Management.