Usernamespaces skip flag - allow privileged operations #19995

@liron-l

Description

Hi,

Currently the existing implementation of user namespaces works as an all-or-nothing feature.
That is, once user namespaces are set at the global daemon level, there is no way to use any of the advanced container privileged operations (e.g., pid=host, net=host or --privileged, or mounting a host folder w/o changing permissions).

There are several scenarios where customers would like to use user namespaces at the global level but still allow running a subset of privileged containers for various administrative purposes (e.g., maintenance or security).

We propose to extend the existing user namespace mechanism by adding a skip flag when creating or attaching to existing containers.
Specifically:

$ docker run --skip-userns ...
$ docker exec --skip-userns ...

Technically, when the --skip-userns option is used, the Docker daemon will ignore converting the user id and will respect the actual --user parameter (or root if no user is specified).
Also, when the --skip-userns option is specified, the existing hard-coded daemon limitation (privileged and host pid/net namespaces) will be removed.

I would be happy to own the design and implementation once we agree on the approach.
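The security-relevant consequence of the proposal is visible in the kernel's uid_map: with daemon-wide remapping, container UID 0 resolves to a subordinate host UID, whereas a container started with the proposed skip flag (the behaviour that later shipped as `docker run --userns=host`) keeps the host's identity map, so container root is host root. The following is an added example, not code from this issue or from Docker; it parses `/proc/<pid>/uid_map` text, resolves container UIDs to host UIDs, and flags processes whose root maps to host root. The two uid_map samples are constructed (a 65536-ID subordinate range starting at 100000 is a typical `--userns-remap` allocation, but the values are assumed, not taken from the issue).

```python
"""Resolve container UIDs to host UIDs from /proc/<pid>/uid_map text and
flag processes whose container root is really host root.

Added example, not code from the issue or from Docker. Sample maps below
are constructed, not captured from a real daemon.
"""
from typing import List, Optional, Tuple

# Each uid_map line is "<id inside the ns> <id in the parent ns> <length>".
# What dockerd writes for a remapped container (assumed subordinate range).
REMAPPED_UID_MAP = "         0     100000      65536\n"
# The identity map of a process that stayed in the host user namespace,
# which is what the proposed --skip-userns (later --userns=host) yields.
HOST_UID_MAP = "         0          0 4294967295\n"

UidMap = List[Tuple[int, int, int]]


def parse_uid_map(text: str) -> UidMap:
    """Parse uid_map/gid_map text into (inside, outside, length) triples."""
    entries: UidMap = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if len(fields) != 3:
            raise ValueError(f"malformed uid_map line: {line!r}")
        inside, outside, length = (int(f) for f in fields)
        if length <= 0:
            raise ValueError(f"non-positive range length in: {line!r}")
        entries.append((inside, outside, length))
    return entries


def to_host_uid(container_uid: int, uid_map: UidMap) -> Optional[int]:
    """Return the host (parent-namespace) UID for a container UID, or None
    when the UID falls outside every mapped range (the kernel then shows
    the overflow UID, normally 65534, on the host side)."""
    for inside, outside, length in uid_map:
        if inside <= container_uid < inside + length:
            return outside + (container_uid - inside)
    return None


def root_is_host_root(uid_map: UidMap) -> bool:
    """True when container UID 0 is host UID 0, i.e. remapping gives no
    protection for this process."""
    return to_host_uid(0, uid_map) == 0


def audit(uid_map_text: str, user_flag: int = 0) -> str:
    """One-line verdict for a process, given its uid_map text and the UID
    it runs as inside the container (the value passed to --user, or 0)."""
    uid_map = parse_uid_map(uid_map_text)
    host_uid = to_host_uid(user_flag, uid_map)
    if root_is_host_root(uid_map):
        return f"UNREMAPPED: container uid {user_flag} is host uid {host_uid}"
    if host_uid is None:
        return f"UNMAPPED: container uid {user_flag} has no host identity"
    return f"REMAPPED: container uid {user_flag} is host uid {host_uid}"


if __name__ == "__main__":
    # Default daemon-wide remapping: root and --user 1000 land in the
    # subordinate range.
    print(audit(REMAPPED_UID_MAP))            # REMAPPED: ... host uid 100000
    print(audit(REMAPPED_UID_MAP, 1000))      # REMAPPED: ... host uid 101000
    # Skip flag: --user is honoured verbatim and root is host root.
    print(audit(HOST_UID_MAP))                # UNREMAPPED: ... host uid 0
    print(audit(HOST_UID_MAP, 1000))          # UNREMAPPED: ... host uid 1000
```

On a live host the same functions can be pointed at `open(f"/proc/{pid}/uid_map").read()` for each container's init PID; any container that reports UNREMAPPED is one that opted out of user namespaces and should be treated with the same care as a `--privileged` container.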

Labels: area/security/userns, kind/feature
