mirror of
https://git.proxmox.com/git/mirror_lxc
synced 2025-05-31 08:40:14 +00:00
f6d3e3e470
The 3.8 kernel now supporst uid mappings, so I believe it's appropriate to proceed with this patchset. The container config supports new entries of the form: lxc.id_map = U 100000 0 10000 lxc.id_map = G 100000 0 10000 meaning map 'virtual' uids (in the container) 0-10000 to uids 100000-110000 on the host, and same for gids. So long as there are mappings specified in the container config, then CONFIG_NEWUSER will be used when the container is cloned. This means that container setup is no longer done with root privilege on the host, only root privilege in the container. Therefore cgroup setup is moved from the init task to the monitor task. To use this patchset, you currently need to either use the raring kernel at ppa:serge-hallyn/usern-natty, or build your own kernel from either git://kernel.ubuntu.com/serge/quantal-userns.git. (Alternatively you can use Eric's tree at the latest userns-always-map-* branch at git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace.git but you will likely want to at least enable tmpfs mounts in user namespaces) You also need to chown the files in the container rootfs into the mapped range. There is a utility at https://code.launchpad.net/~serge-hallyn/+junk/nsexec to do this. uidmapshift does the chowning, while the container-userns-convert script nicely wraps that program. So I simply sudo lxc-create -t ubuntu -n r1 sudo container-userns-convert r1 200000 will create a container which is shifted so uid 0 in the container is uid 200000 on the host. TODO: when doing setuid(0), need to only do that if 0 is one of the ids we map to. Similarly, when dropping capabilities, need to only not do that if 0 is one of the ids we map to. However, the question of what to do for 'weird' containers in private user namespaces is one I'm punting for later. Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com> Acked-by: Stéphane Graber <stgraber@ubuntu.com> |
||
|---|---|---|
| .. | ||
| examples | ||
| legacy | ||
| rootfs | ||
| common_options.sgml.in | ||
| FAQ.txt | ||
| lxc-attach.sgml.in | ||
| lxc-cgroup.sgml.in | ||
| lxc-checkpoint.sgml.in | ||
| lxc-console.sgml.in | ||
| lxc-create.sgml.in | ||
| lxc-destroy.sgml.in | ||
| lxc-execute.sgml.in | ||
| lxc-freeze.sgml.in | ||
| lxc-kill.sgml.in | ||
| lxc-ls.sgml.in | ||
| lxc-monitor.sgml.in | ||
| lxc-ps.sgml.in | ||
| lxc-restart.sgml.in | ||
| lxc-shutdown.sgml.in | ||
| lxc-start.sgml.in | ||
| lxc-stop.sgml.in | ||
| lxc-unfreeze.sgml.in | ||
| lxc-wait.sgml.in | ||
| lxc.conf | ||
| lxc.conf.sgml.in | ||
| lxc.sgml.in | ||
| Makefile.am | ||
| see_also.sgml.in | ||