[systemd-devel] [PATCH] loopback setup in unprivileged containers

Tom Gundersen teg at jklm.no
Mon Dec 29 06:14:37 PST 2014


On Mon, Dec 29, 2014 at 2:34 PM, Lennart Poettering
<lennart at poettering.net> wrote:
> On Mon, 29.12.14 09:07, Matthias Urlichs (matthias at urlichs.de) wrote:
>
>> > On Sun, Dec 28, 2014 at 6:18 PM, St├ęphane Graber
>> > <stephane.graber at canonical.com> wrote:
>> > > My host system doesn't have nspawn so I can't easily test it this way,
>> > > but it was my understanding that nspawn didn't support user namespaces
>> > > and uid/gid mappings which is what I'm working with here.
>> >
>> > Indeed, that is not supported by nspawn (which explains why I cannot
>> > reproduce). I was able to reproduce using the userns_child_exec test
>> > program from [0], so I'll take a look.
>> >
>> Hmm. IMHO it would be reasonable to add a mapping option
>> ("--{user,group}map=inside:outside[:length]") to nspawn.
>
> I am open to adding support for this, but I think the allocation of
> the UID ranges should really happen automatically, and not be
> something the admin has to manually assign.
>
> Which means we'd enter dynamic UID allocation terroritory, and that
> opens a huge can of worms...

Would we not also need to support explicit assignment, in case someone
has a preexisting image they want to match in a specific way? In that
case we could start off without the dynamic allocation and add that
later. It certainly would make testing a lot simpler if we had userns
support sooner rather than later (at least in the case of netlink it
appears to be quite a mess).

Cheers,

Tom


More information about the systemd-devel mailing list