On Mon, Mar 11, 2013 at 02:26:47PM +0800, Gao feng wrote:
> This patch introduces three new elements in <os> for
> user namespace. For example:
> <os>
> <userns enabled='yes'/>
> <uidmap first='0' low_first='1000' count='10'/>
> <gidmap first='0' low_first='1000' count='10'/>
> </os>
> This new element userns is used to control whether userns is
> enabled for the domain.
We've previously used the <features> block to control whether
namespaces are enabled. So I'd prefer to see that we use
a '<privuser/>' feature flag for this purpose.
> The other two elements, uidmap and gidmap, are used for
> setting the proc files /proc/<pid>/{uid_map,gid_map}.
There can be many entries per maps, so we should be grouping
them in some way. I don't think they belong inside <os> since
that is about the guest boot mechanism.
Instead we want something like
<idmap>
<uid start="0" count="100" target="1000"/>
<uid start="65536" count="1" target="1101"/>
<gid start="0" count="100" target="1000"/>
<gid start="65536" count="1" target="1101"/>
</idmap>
If a <idmap> element is present, then we should automatically
set the <privuser/> feature flag during parsing, if not already
set by the user.
Daniel
--
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|
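As an added illustration (not code from libvirt or from either poster), the snippet below parses the <idmap> layout proposed above, applies the "idmap implies the privuser feature" rule from the reply, and renders the entries in the kernel's /proc/<pid>/{uid,gid}_map format ("inside-ns outside-ns length"), rejecting overlapping ranges, which the kernel refuses on write. The <privuser/> feature name and the sample document are assumptions taken from the proposal, not an existing libvirt schema.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the <idmap> layout proposed in the reply; this is an
# illustration, not libvirt's schema, and the <privuser/> feature is assumed.
SAMPLE_XML = """<domain>
  <features/>
  <idmap>
    <uid start="0" count="100" target="1000"/>
    <uid start="65536" count="1" target="1101"/>
    <gid start="0" count="100" target="1000"/>
    <gid start="65536" count="1" target="1101"/>
  </idmap>
</domain>"""

def parse_idmap(xml_text):
    """Return ({'uid': [(start, target, count)], 'gid': [...]}, privuser_enabled)."""
    root = ET.fromstring(xml_text)
    maps = {"uid": [], "gid": []}
    idmap = root.find("idmap")
    if idmap is not None:
        for kind in maps:
            for el in idmap.findall(kind):
                start, target, count = (int(el.get(a)) for a in ("start", "target", "count"))
                if count <= 0:
                    raise ValueError(f"<{kind}> count must be positive")
                maps[kind].append((start, target, count))
    features = root.find("features")
    user_set = features is not None and features.find("privuser") is not None
    # Per the reply: an <idmap> implies the privuser feature even if not set explicitly.
    return maps, user_set or idmap is not None

def check_no_overlap(entries):
    """Reject ranges that overlap on the guest (start) or host (target) side;
    the kernel rejects such a map when it is written to /proc."""
    for side in (0, 1):
        ranges = sorted((e[side], e[side] + e[2]) for e in entries)
        for (_, prev_end), (cur_start, _) in zip(ranges, ranges[1:]):
            if cur_start < prev_end:
                raise ValueError("overlapping id ranges")

def render_map(entries):
    """Produce /proc/<pid>/{uid,gid}_map content: 'inside outside length' per line."""
    check_no_overlap(entries)
    return "".join(f"{start} {target} {count}\n" for start, target, count in entries)
```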