[systemd-devel] systemd-nspawn create container under unprivileged user
Alban Crequy
alban.crequy at gmail.com
Thu Feb 5 01:44:05 PST 2015
[reposting - sorry I forgot to Cc the mailing list]
On 4 February 2015 at 23:03, Vasiliy Tolstov <v.tolstov at selfip.ru> wrote:
> Hello!
> Is it possible to create a container as a regular user? Or what capabilities do I
> need to add to create a container without using root?
Hello,
Manual page namespaces(7):
Creation of new namespaces using clone(2) and unshare(2) in most cases
requires the CAP_SYS_ADMIN capability. User namespaces are the
exception: since Linux 3.8, no privilege is required to create a user
namespace.
systemd-nspawn uses: src/nspawn/nspawn.c:
pid = raw_clone(SIGCHLD|CLONE_NEWNS|
(arg_share_system ? 0 : CLONE_NEWIPC|CLONE_NEWPID|CLONE_NEWUTS)|
(arg_private_network ? CLONE_NEWNET : 0), NULL);
So you need to have CAP_SYS_ADMIN to use systemd-nspawn.
If you want to try user namespaces, it is something that is still
moving... Manual page user_namespaces(7):
Starting in Linux 3.8, unprivileged processes can create
user namespaces, and mount, PID, IPC, network, and UTS
namespaces can be created with just the CAP_SYS_ADMIN
capability in the caller's user namespace.
But it is not true in most Linux distributions as they disable
unprivileged user namespaces and require CAP_SYS_ADMIN anyway. See for
example:
http://anonscm.debian.org/viewvc/kernel/dists/trunk/linux/debian/patches/debian/add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by-default.patch?revision=20773&view=markup
and: echo 1 > /proc/sys/kernel/unprivileged_userns_clone
Additionally, the program userns_child_exec.c included in manual page
namespaces(7) does not work as is yet because, since the changes
introduced by CVE-2014-8989, it needs to adjust /proc/pid/setgroups.
See:
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=66d2f338ee4c449396b6f99f5e75cd18eb6df272
Cheers,
Alban