[systemd-devel] [PATCH] loopback setup in unprivileged containers

Lennart Poettering lennart at poettering.net
Tue Feb 3 04:56:21 PST 2015


On Mon, 29.12.14 15:14, Tom Gundersen (teg at jklm.no) wrote:

> On Mon, Dec 29, 2014 at 2:34 PM, Lennart Poettering
> <lennart at poettering.net> wrote:
> > On Mon, 29.12.14 09:07, Matthias Urlichs (matthias at urlichs.de) wrote:
> >
> >> > On Sun, Dec 28, 2014 at 6:18 PM, Stéphane Graber
> >> > <stephane.graber at canonical.com> wrote:
> >> > > My host system doesn't have nspawn so I can't easily test it this way,
> >> > > but it was my understanding that nspawn didn't support user namespaces
> >> > > and uid/gid mappings which is what I'm working with here.
> >> >
> >> > Indeed, that is not supported by nspawn (which explains why I cannot
> >> > reproduce). I was able to reproduce using the userns_child_exec test
> >> > program from [0], so I'll take a look.
> >> >
> >> Hmm. IMHO it would be reasonable to add a mapping option
> >> ("--{user,group}map=inside:outside[:length]") to nspawn.
> >
> > I am open to adding support for this, but I think the allocation of
> > the UID ranges should really happen automatically, and not be
> > something the admin has to manually assign.
> >
> > Which means we'd enter dynamic UID allocation territory, and that
> > opens a huge can of worms...
> 
> Would we not also need to support explicit assignment, in case someone
> has a preexisting image they want to match in a specific way? In that
> case we could start off without the dynamic allocation and add that
> later. It certainly would make testing a lot simpler if we had userns
> support sooner rather than later (at least in the case of netlink it
> appears to be quite a mess).

Yeah, I think we could add --uids= or so, which either takes a single
UID (which would use 65536 UIDs from that point), a UID range, or the
word "auto". In that case we'd determine the start UID value from the
container's root directory owner.

I think in the long run useful user namespacing support would only be
supported if the kernel would get a way to bind mount a directory
tree with a UID shift. This could either be part of bind mounts, or
part of overlayfs or whatever else, but only with that in place
automatic userns would be fun, because it would not require patching
all uid/gids of all files in a container tree anymore...

Lennart

-- 
Lennart Poettering, Red Hat
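As an added illustration (not code from this thread or from systemd), the following Python translates the two option syntaxes proposed above, Matthias' `inside:outside[:length]` and the `--uids=` form with a single UID, a range or `auto`, into the `inside outside length` lines the kernel accepts in `/proc/<pid>/uid_map` and `gid_map`. The `first-last` range syntax, the default length of 1 for the map form, and all function names are assumptions.

```python
"""Translate proposed nspawn id-mapping option syntaxes into uid_map/gid_map lines."""
import os
from dataclasses import dataclass

ID_MAX = 2**32 - 2        # 0xffffffff is the invalid (-1) ID, so the last usable one is 2**32 - 2
DEFAULT_LENGTH = 65536    # "a single UID ... would use 65536 UIDs from that point"


@dataclass(frozen=True)
class IdMapping:
    inside: int    # first ID as seen inside the container
    outside: int   # host ID that `inside` maps to
    length: int    # number of consecutive IDs covered

    def map_line(self) -> str:
        """One line in the format written to /proc/<pid>/uid_map and gid_map."""
        return f"{self.inside} {self.outside} {self.length}"


def validate(m: IdMapping) -> IdMapping:
    """Reject mappings the kernel would refuse or that defeat the purpose of userns."""
    if m.length <= 0:
        raise ValueError("mapping length must be positive")
    if m.inside < 0 or m.outside < 0:
        raise ValueError("IDs must be non-negative")
    if m.inside + m.length - 1 > ID_MAX or m.outside + m.length - 1 > ID_MAX:
        raise ValueError("mapping runs past the end of the 32-bit ID space")
    if m.outside == 0:
        raise ValueError("container ID 0 would be host root: no isolation gained")
    return m


def parse_map_option(value: str) -> IdMapping:
    """Form inside:outside[:length]; a missing length means 1 (assumption)."""
    parts = value.split(":")
    if len(parts) not in (2, 3):
        raise ValueError(f"expected inside:outside[:length], got {value!r}")
    length = int(parts[2]) if len(parts) == 3 else 1
    return validate(IdMapping(int(parts[0]), int(parts[1]), length))


def parse_uids_option(value: str, root_owner_uid: int) -> IdMapping:
    """Form --uids=<uid> | <first>-<last> | auto (range syntax is an assumption)."""
    if value == "auto":
        return validate(IdMapping(0, root_owner_uid, DEFAULT_LENGTH))
    if "-" in value:
        first, last = (int(x) for x in value.split("-", 1))
        return validate(IdMapping(0, first, last - first + 1))
    return validate(IdMapping(0, int(value), DEFAULT_LENGTH))


def mapping_for_root(value: str, container_root: str) -> IdMapping:
    """'auto' derives the start UID from the owner of the container's root directory."""
    return parse_uids_option(value, os.stat(container_root).st_uid)
```

Writing the resulting line into the map files still requires the usual privilege (CAP_SETUID/CAP_SETGID in the parent namespace, or a setuid helper such as newuidmap); the code above only produces and checks the line.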