Re: [libvirt] LXC: user namespaces
On Tue, Apr 30, 2013 at 12:07:33PM +0200, Richard RW. Weinberger wrote:
----- Ursprüngliche Mail -----
> > We'd like to use libvirt for managing our lxc machines.
> > Currently libvirt lacks of user namespace support.
> > Is anyone working on that? Otherwise David and I will implement it
> > and send patches very soon.
>
> There were some people at Fujitsu who have done a little work on it.
> They posted some very basic patches a month or two ago, but not heard
> more since then, so don't know if any progress has been made by them.
Found the patches. :)
They do mostly the same what our preliminary userns support does.
1. Add support for uid/gid mappings.
2. Don't mount disallowed files systems in the userns.
3. Create devices nodes outside of the userns.
What we still need to consider is how to deal with capability dropping.
Daniel, do you have any plans how to support this?
Using securebits would be a good idea.
We already have to deal with that - we allow all capabilties
except for CAP_MKNOD, SYS_MODULE, SYS_TIME, AUDIT_CONTROL
and MAC_ADMIN currently. If user namespaces are active, we
might be able to actually relax that and allow more of them.
TBD.
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|