[systemd-devel] systemd-nspawn create container under unprivileged user

Djalal Harouni tixxdz at opendz.org
Wed Feb 11 08:53:59 PST 2015


On Wed, Feb 11, 2015 at 05:06:56PM +0100, Lennart Poettering wrote:
> On Wed, 11.02.15 13:53, Djalal Harouni (tixxdz at opendz.org) wrote:
> 
> > On Tue, Feb 10, 2015 at 12:52:34PM +0100, Lennart Poettering wrote:
> > > On Thu, 05.02.15 02:03, Vasiliy Tolstov (v.tolstov at selfip.ru) wrote:
> > > 
> > > > Hello!
> > > > Does it possible to create container as regular user? Oh what capabilities
> > > > i need to add to create container not using root?
> > > 
> > > Invoking containers without privileges is not supported by nspawn, and
> > > this is unlikely to change, as I fail to see any strong usecase for
> > > this... 
> > >
> > > If somebody can englighten me about the usecase for allowing
> > > containers to be run by unprivileged users, I'd be willing to change
> > > my mind though...
> > A quick argument against it, IOW just wait and see!
> > 
> > As unprivileged we don't have CAP_SYS_MODULE set, but inside
> > unprivileged containers we are root, and a call to cap_get_flag() on
> > CAP_SYS_MODULE will return CAP_SET! but hey in reality this is not true,
> > we don't have CAP_SYS_MODULE... this will confuse programs running
> > inside containers, we'll have to add more code paths for this special
> > case... and not only CAP_SYS_MODULE, perhaps there are other cases...
> 
> Well, but we could drop CAP_SYS_MODULE both before and after setting
> up the userns, so that the cap is missing fro the PID both inside and
> outside of it...
Indeed, yes but still there are other obscure cases, like CAP_SYS_ADMIN,
even if you have it, you won't be able to mount file systems like btrfs
and others, only a subset of virtual filesystems support unprivileged
user mounting... yeh we could drop it too, and it seems that systemd was
adapted recently to work in this situation, but what about other code ?
or if you want todo some sort of system replication inside container...

I guess we'll endup trying to know if this is the real capability or the
diminished version... or if we are inside a userns...


> Lennart
> 
> -- 
> Lennart Poettering, Red Hat

-- 
Djalal Harouni
http://opendz.org


More information about the systemd-devel mailing list