On 12/11/25 11:21, Alyssa Ross wrote:
> The document portal has to be root to mount its fuse filesystem.  This
> needs to be a shared namespace because virtiofsd needs to be in the
> same mount namespace as the document portal so that it sees the fuse
> filesystem, so we create a per-VM persistent user namespace.
> 
> Signed-off-by: Alyssa Ross <hi@alyssa.is>

I think it would be cleanest to have a per-VM supervisor process that
spawns each process in the correct namespace.  This avoids having
to manually unmount anything.  This is definitely out of scope for
now, though.  Since a per-VM supervisor is needed for cgroup support,
I think this should wait until cgroup support is done.
-- 
Sincerely,
Demi Marie Obenour (she/her/hers)