[systemd-devel] [PATCH] loopback setup in unprivileged containers

Lennart Poettering lennart at poettering.net
Mon Dec 29 05:34:05 PST 2014


On Mon, 29.12.14 09:07, Matthias Urlichs (matthias at urlichs.de) wrote:

> > On Sun, Dec 28, 2014 at 6:18 PM, Stéphane Graber
> > <stephane.graber at canonical.com> wrote:
> > > My host system doesn't have nspawn so I can't easily test it this way,
> > > but it was my understanding that nspawn didn't support user namespaces
> > > and uid/gid mappings which is what I'm working with here.
> > 
> > Indeed, that is not supported by nspawn (which explains why I cannot
> > reproduce). I was able to reproduce using the userns_child_exec test
> > program from [0], so I'll take a look.
> > 
> Hmm. IMHO it would be reasonable to add a mapping option
> ("--{user,group}map=inside:outside[:length]") to nspawn.

I am open to adding support for this, but I think the allocation of
the UID ranges should really happen automatically, and not be
something the admin has to manually assign.

Which means we'd enter dynamic UID allocation territory, and that
opens a huge can of worms...

Lennart

-- 
Lennart Poettering, Red Hat


More information about the systemd-devel mailing list