On Tue, Apr 30, 2013 at 12:17:15PM +0200, Richard RW. Weinberger wrote:
----- Original Mail -----
> On Tue, Apr 30, 2013 at 12:07:33PM +0200, Richard RW. Weinberger
> wrote:
> > ----- Original Mail -----
> > > > We'd like to use libvirt for managing our lxc machines.
> > > > Currently libvirt lacks of user namespace support.
> > > > Is anyone working on that? Otherwise David and I will implement
> > > > it
> > > > and send patches very soon.
> > >
> > > There were some people at Fujitsu who have done a little work on
> > > it.
> > > They posted some very basic patches a month or two ago, but not
> > > heard
> > > more since then, so don't know if any progress has been made by
> > > them.
> >
> > Found the patches. :)
> > They do mostly the same what our preliminary userns support does.
> > 1. Add support for uid/gid mappings.
> > 2. Don't mount disallowed files systems in the userns.
> > 3. Create devices nodes outside of the userns.
> >
> > What we still need to consider is how to deal with capability
> > dropping.
> > Daniel, do you have any plans how to support this?
> > Using securebits would be a good idea.
>
> We already have to deal with that - we allow all capabilities
> except for CAP_MKNOD, SYS_MODULE, SYS_TIME, AUDIT_CONTROL
> and MAC_ADMIN currently. If user namespaces are active, we
> might be able to actually relax that and allow more of them.
> TBD.
> So, you are currently limiting the bounding set?
Yes, we limit the bounding set (when possible - you can't limit the
bounding set as non-root, even if you only want to discard bits, which
rather sucks).
Daniel
--
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|
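The reply above mentions stripping CAP_MKNOD, CAP_SYS_MODULE, CAP_SYS_TIME, CAP_AUDIT_CONTROL and CAP_MAC_ADMIN from the capability bounding set, and that the kernel refuses such a drop from an unprivileged caller. The following C program is an added illustration of that mechanism and is not code from libvirt or from either participant: it drops that list with prctl(PR_CAPBSET_DROP), treats EPERM (no CAP_SETPCAP) as the expected failure for a non-root caller, verifies the outcome with PR_CAPBSET_READ, and parses a constructed "CapBnd:" line of the kind found in /proc/<pid>/status so that a container's bounding set can be audited from outside. The function names and the sample status line are assumptions for this example; the capability list is the one given in the mail.

```c
/* Added example, not from the libvirt thread: drop capabilities from the
 * bounding set and check the result. Linux only. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/prctl.h>
#include <linux/capability.h>

/* The capabilities the mail says libvirt's LXC driver withholds. */
static const int restricted_caps[] = {
    CAP_MKNOD, CAP_SYS_MODULE, CAP_SYS_TIME, CAP_AUDIT_CONTROL, CAP_MAC_ADMIN,
};
#define N_RESTRICTED (sizeof(restricted_caps) / sizeof(restricted_caps[0]))

/* 1 if cap is in our bounding set, 0 if not, -1 on error. */
int capbset_has(int cap) {
    int r = prctl(PR_CAPBSET_READ, cap, 0, 0, 0);
    return r < 0 ? -1 : r;
}

/* Drop one capability from the bounding set: 0 on success, else errno.
 * EPERM is the case the reply complains about: without CAP_SETPCAP the
 * kernel refuses, even though a drop only ever reduces privilege. */
int capbset_drop(int cap) {
    if (prctl(PR_CAPBSET_DROP, cap, 0, 0, 0) < 0)
        return errno;
    return 0;
}

/* Drop the whole restricted list; stops at the first failure and returns
 * its errno (EPERM for an unprivileged caller), 0 if all drops succeeded. */
int drop_restricted_caps(void) {
    for (size_t i = 0; i < N_RESTRICTED; i++) {
        int e = capbset_drop(restricted_caps[i]);
        if (e != 0)
            return e;
    }
    return 0;
}

/* Parse a "CapBnd:\t<hex mask>" line from /proc/<pid>/status and report
 * whether bit `cap` is set: 1/0, or -1 if the line is malformed. Lets an
 * administrator audit a running container's bounding set from the host. */
int capbnd_line_has(const char *line, int cap) {
    const char *p = strchr(line, ':');
    if (!p || cap < 0 || cap > 63)
        return -1;
    p++;
    while (*p == ' ' || *p == '\t')
        p++;
    char *end;
    uint64_t mask = strtoull(p, &end, 16);
    if (end == p)
        return -1;
    return (int)((mask >> cap) & 1);
}

/* Attempt the drop and confirm the observed state is consistent with the
 * result: success means every bit is now clear; EPERM means nothing moved.
 * Returns 1 when consistent, 0 otherwise. */
int drop_and_verify(void) {
    int before[N_RESTRICTED];
    for (size_t i = 0; i < N_RESTRICTED; i++)
        before[i] = capbset_has(restricted_caps[i]);
    int e = drop_restricted_caps();
    for (size_t i = 0; i < N_RESTRICTED; i++) {
        int now = capbset_has(restricted_caps[i]);
        if (e == 0 && now != 0)
            return 0;           /* drop reported success but bit still set */
        if (e == EPERM && now != before[i])
            return 0;           /* refused, yet the bounding set changed */
    }
    return (e == 0 || e == EPERM);
}

int main(void) {
    /* Constructed sample: a full 38-bit mask with CAP_MKNOD (bit 27) cleared. */
    const char *sample = "CapBnd:\t0000003ff7ffffff";
    printf("sample line has CAP_MKNOD: %d\n", capbnd_line_has(sample, CAP_MKNOD));
    int ok = drop_and_verify();
    printf("bounding-set drop %s; CAP_MKNOD still present: %d\n",
           ok ? "consistent" : "INCONSISTENT", capbset_has(CAP_MKNOD));
    return ok ? 0 : 1;
}
```

Run it once as root and once as an ordinary user: the first clears the bits and PR_CAPBSET_READ confirms it, the second gets EPERM and the bounding set is untouched, which is exactly the asymmetry the reply describes. The parser is what you would point at /proc/<pid>/status of a container's init to confirm the drop took effect from the host side.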