[systemd-devel] nspawn dependencies

Lennart Poettering lennart at poettering.net
Thu Jun 11 03:08:07 PDT 2015


On Thu, 11.06.15 09:40, Richard Weinberger (richard.weinberger at gmail.com) wrote:

> Hi!
> 
> Recent systemd-nspawn seems to support unprivileged containers (user
> namespaces). That's awesome, thank you guys for working on that!

Well, the name "unprivileged containers" usually is used for the
concept where you don't need any privs to start and run a
container. We don't support that, and that's turned off in the kernel
of Fedora at least, for good reasons.

We do support user namespaces now, but we require privs on the host to
set them up. I doubt though that UID namespacing as it is now is
really that useful: you have to prep your images first, apply a
uid shift to all file ownership and ACLs of your tree, and this needs
to be done manually. This makes it pretty hard to deploy, since you
cannot boot unmodified container images you download from the
internet this way. Also, there is no sane, established scheme for
allocating UID ranges for the containers automatically. So far uid
namespaces hence appear mostly like a useless exercise, far from
being deployable in real life.

> Maybe you can help me to sort this out: can I run any systemd enabled
> distribution using the most current systemd-nspawn?
> Say, my host is FC22 using systemd-nspawn from git; can it spawn an
> openSUSE 13.2 container which has only systemd v210?
> 
> Or does the systemd version on the container side have to match the
> systemd version on the host side?

It generally does not have to match. We try to maintain compatibility
there (though we make no guarantees -- the stuff is too new). That
said, newer systemd versions work much better in nspawn than older
ones, and v210 is pretty old already.

Lennart

-- 
Lennart Poettering, Red Hat
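The manual image preparation Lennart describes above (shifting the owner and group of every inode in the tree into the container's UID range before the image can be booted with user namespaces) is what a practitioner would have had to script at the time. The following is an added illustration written for this page, not systemd's own code: it walks a tree without following symlinks, maps each UID/GID into a host range, refuses IDs that fall outside the container's range instead of silently mapping them onto an unrelated host account, and can either return the plan or apply it with lchown(2). The base of 100000 and the 65536-wide range are constructed defaults; pick a non-overlapping base per container. It does not touch POSIX ACLs, which the post notes also need shifting.

```python
import os
import stat
import tempfile

# Constructed defaults: a 65536-wide UID/GID range per container (one full 16-bit
# ID space) and a hypothetical host base of 100000. Neither value comes from the
# mailing list post; pick the base per container so ranges never overlap.
RANGE_SIZE = 65536
DEFAULT_BASE = 100000


def shift_id(image_id, base, range_size=RANGE_SIZE):
    """Map an ID as stored in the image (0 .. range_size-1) into the host range.

    An ID outside the range is an error rather than a silent wrap: a file owned by
    such an ID would end up owned by an unrelated host account after the shift.
    """
    if not 0 <= image_id < range_size:
        raise ValueError("id %d outside container range 0..%d"
                         % (image_id, range_size - 1))
    return base + image_id


def plan_shift(root, base=DEFAULT_BASE, range_size=RANGE_SIZE):
    """Walk the tree under root without following symlinks and compute the
    ownership change every inode needs.

    Returns a list of (path, old_uid, old_gid, new_uid, new_gid); nothing is modified.
    """
    plan = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        entries = [dirpath] + [os.path.join(dirpath, n) for n in filenames]
        # os.walk lists a symlink to a directory in dirnames but never descends
        # into it; the link inode itself still has an owner to shift.
        entries += [os.path.join(dirpath, n) for n in dirnames
                    if os.path.islink(os.path.join(dirpath, n))]
        for path in entries:
            st = os.lstat(path)  # lstat: shift the link itself, not its target
            plan.append((path, st.st_uid, st.st_gid,
                         shift_id(st.st_uid, base, range_size),
                         shift_id(st.st_gid, base, range_size)))
    return plan


def apply_shift(root, base=DEFAULT_BASE, range_size=RANGE_SIZE, dry_run=True):
    """Apply the plan with lchown(2). Needs CAP_CHOWN on the host; with
    dry_run=True (the default) it only returns the plan."""
    plan = plan_shift(root, base, range_size)
    if dry_run:
        return plan
    for path, _, _, new_uid, new_gid in plan:
        mode = os.lstat(path).st_mode
        os.lchown(path, new_uid, new_gid)
        # Linux clears setuid/setgid on chown of a regular file (and drops file
        # capabilities, which this example does not restore), so put the mode back.
        if stat.S_ISREG(mode) and mode & (stat.S_ISUID | stat.S_ISGID):
            os.chmod(path, stat.S_IMODE(mode))
    return plan


def build_sample_tree():
    """Create a small constructed image tree in a temp dir: four directories,
    two regular files and one symlink to a directory (seven inodes)."""
    root = tempfile.mkdtemp(prefix="image-")
    os.makedirs(os.path.join(root, "etc"))
    os.makedirs(os.path.join(root, "usr", "bin"))
    with open(os.path.join(root, "etc", "hostname"), "w") as f:
        f.write("container\n")
    with open(os.path.join(root, "usr", "bin", "tool"), "w") as f:
        f.write("#!/bin/sh\n")
    os.symlink("etc", os.path.join(root, "link"))
    return root


if __name__ == "__main__":
    # Dry run over the constructed tree; files are owned by the current user.
    for path, ou, og, nu, ng in plan_shift(build_sample_tree()):
        print("%s: %d:%d -> %d:%d" % (path, ou, og, nu, ng))
```

Run it as a dry run first and review the plan; the out-of-range check is the part worth keeping, because an image that already contains high UIDs (leftovers from a previous shift, or nobody/nogroup at 65534 on some distributions) is exactly where a naive `base + id` silently lands files in another container's range.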

