[libvirt] LXC: user namespaces

Hi! We'd like to use libvirt for managing our lxc machines. Currently libvirt lacks user namespace support. Is anyone working on that? Otherwise David and I will implement it and send patches very soon. Thanks, //richard

On Mon, Apr 29, 2013 at 11:16:12PM +0200, Richard RW. Weinberger wrote:
Hi!
We'd like to use libvirt for managing our lxc machines. Currently libvirt lacks user namespace support. Is anyone working on that? Otherwise David and I will implement it and send patches very soon.
There were some people at Fujitsu who have done a little work on it. They posted some very basic patches a month or two ago, but not heard more since then, so don't know if any progress has been made by them. Daniel -- |: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :| |: http://libvirt.org -o- http://virt-manager.org :| |: http://autobuild.org -o- http://search.cpan.org/~danberr/ :| |: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|

----- Original Message -----
We'd like to use libvirt for managing our lxc machines. Currently libvirt lacks user namespace support. Is anyone working on that? Otherwise David and I will implement it and send patches very soon.
There were some people at Fujitsu who have done a little work on it. They posted some very basic patches a month or two ago, but not heard more since then, so don't know if any progress has been made by them.
Found the patches. :) They do mostly the same as what our preliminary userns support does.
1. Add support for uid/gid mappings.
2. Don't mount disallowed file systems in the userns.
3. Create device nodes outside of the userns.
What we still need to consider is how to deal with capability dropping. Daniel, do you have any plans for how to support this? Using securebits would be a good idea. See [0]
Gao feng, are you still working on the patch set? Let's work together to avoid duplicated work. If you don't have the time to clean up/rework your patches we'll happily pick them up and base our work on them. Thanks, //richard
[0]: https://lkml.org/lkml/2013/4/29/445

On Tue, Apr 30, 2013 at 12:07:33PM +0200, Richard RW. Weinberger wrote:
----- Original Message -----
We'd like to use libvirt for managing our lxc machines. Currently libvirt lacks user namespace support. Is anyone working on that? Otherwise David and I will implement it and send patches very soon.
There were some people at Fujitsu who have done a little work on it. They posted some very basic patches a month or two ago, but not heard more since then, so don't know if any progress has been made by them.
Found the patches. :) They do mostly the same as what our preliminary userns support does.
1. Add support for uid/gid mappings.
2. Don't mount disallowed file systems in the userns.
3. Create device nodes outside of the userns.
What we still need to consider is how to deal with capability dropping. Daniel, do you have any plans for how to support this? Using securebits would be a good idea.
We already have to deal with that - we allow all capabilities except for CAP_MKNOD, SYS_MODULE, SYS_TIME, AUDIT_CONTROL and MAC_ADMIN currently. If user namespaces are active, we might be able to actually relax that and allow more of them. TBD. Daniel

----- Original Message -----
On Tue, Apr 30, 2013 at 12:07:33PM +0200, Richard RW. Weinberger wrote:
----- Original Message -----
We'd like to use libvirt for managing our lxc machines. Currently libvirt lacks user namespace support. Is anyone working on that? Otherwise David and I will implement it and send patches very soon.
There were some people at Fujitsu who have done a little work on it. They posted some very basic patches a month or two ago, but not heard more since then, so don't know if any progress has been made by them.
Found the patches. :) They do mostly the same as what our preliminary userns support does.
1. Add support for uid/gid mappings.
2. Don't mount disallowed file systems in the userns.
3. Create device nodes outside of the userns.
What we still need to consider is how to deal with capability dropping. Daniel, do you have any plans for how to support this? Using securebits would be a good idea.
We already have to deal with that - we allow all capabilities except for CAP_MKNOD, SYS_MODULE, SYS_TIME, AUDIT_CONTROL and MAC_ADMIN currently. If user namespaces are active, we might be able to actually relax that and allow more of them. TBD.
So, you are currently limiting the bounding set? If you just drop capabilities and then execve() something as uid 0, which is the case for user namespaces, it will regain all capabilities. Thanks, //richard

On Tue, Apr 30, 2013 at 12:17:15PM +0200, Richard RW. Weinberger wrote:
----- Original Message -----
On Tue, Apr 30, 2013 at 12:07:33PM +0200, Richard RW. Weinberger wrote:
----- Original Message -----
We'd like to use libvirt for managing our lxc machines. Currently libvirt lacks user namespace support. Is anyone working on that? Otherwise David and I will implement it and send patches very soon.
There were some people at Fujitsu who have done a little work on it. They posted some very basic patches a month or two ago, but not heard more since then, so don't know if any progress has been made by them.
Found the patches. :) They do mostly the same as what our preliminary userns support does.
1. Add support for uid/gid mappings.
2. Don't mount disallowed file systems in the userns.
3. Create device nodes outside of the userns.
What we still need to consider is how to deal with capability dropping. Daniel, do you have any plans for how to support this? Using securebits would be a good idea.
We already have to deal with that - we allow all capabilities except for CAP_MKNOD, SYS_MODULE, SYS_TIME, AUDIT_CONTROL and MAC_ADMIN currently. If user namespaces are active, we might be able to actually relax that and allow more of them. TBD.
So, you are currently limiting the bounding set?
Yes, we limit the bounding set (when possible - you can't limit the bounding set as non-root, even if you only want to discard bits, which rather sucks). Daniel
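An added example (not libvirt code and not from anyone in the thread) modelling the execve() rule Richard and Daniel discuss above: a uid-0 process that has only dropped a capability from its permitted set gets it back on execve(), while a capability removed from the bounding set (or any capability when SECBIT_NOROOT is set) stays gone. The function names and the scenario of exec'ing a binary without file capabilities are my own assumptions; ambient capabilities, added to the kernel later, are left out.

```c
/* Added example, not libvirt code: a model of the capability transition the
 * kernel applies on execve() (see capabilities(7)), restricted to the rules
 * the thread touches. Ambient capabilities, which arrived later, are ignored. */
#include <stdint.h>
#include <stdio.h>
#include <linux/capability.h>   /* CAP_MKNOD */
#include <sys/prctl.h>          /* PR_CAPBSET_READ, PR_CAPBSET_DROP */

#define CAP_BIT(c) (UINT64_C(1) << (c))
#define ALL_CAPS   (~UINT64_C(0))

struct proc_caps { uint64_t permitted, inheritable, bounding; int uid_is_root, noroot; };
struct file_caps { uint64_t permitted, inheritable; };

/* Permitted set after execve():
 *   P' = (P(inh) & F(inh)) | (F(perm) & P(bounding))
 * For a uid-0 caller without SECBIT_NOROOT, a binary with no file caps is
 * treated as if F(inh) and F(perm) were all ones, so the bounding set is the
 * only thing that still limits the result. */
uint64_t permitted_after_exec(struct proc_caps p, struct file_caps f)
{
    uint64_t f_perm = f.permitted, f_inh = f.inheritable;
    if (p.uid_is_root && !p.noroot)
        f_perm = f_inh = ALL_CAPS;
    return (p.inheritable & f_inh) | (f_perm & p.bounding);
}

/* Scenario from the thread (assumed): a uid-0 process has dropped CAP_MKNOD
 * from its permitted set and execs a binary with no file caps.
 * Returns 1 if CAP_MKNOD comes back, 0 if it stays gone. */
int mknod_regained(int dropped_from_bounding, int noroot)
{
    struct proc_caps p = { ALL_CAPS & ~CAP_BIT(CAP_MKNOD), 0, ALL_CAPS, 1, noroot };
    struct file_caps none = { 0, 0 };
    if (dropped_from_bounding)
        p.bounding &= ~CAP_BIT(CAP_MKNOD);
    return (permitted_after_exec(p, none) & CAP_BIT(CAP_MKNOD)) != 0;
}

/* Live checks on this process. bounding_drop() needs CAP_SETPCAP, so as a
 * plain user it fails with EPERM, which is the limitation Daniel mentions. */
int bounding_has(int cap)  { return prctl(PR_CAPBSET_READ, cap, 0, 0, 0); }
int bounding_drop(int cap) { return prctl(PR_CAPBSET_DROP, cap, 0, 0, 0); }

int main(void)
{
    printf("permitted only dropped: regained=%d\n", mknod_regained(0, 0));
    printf("bounding set dropped:   regained=%d\n", mknod_regained(1, 0));
    printf("SECBIT_NOROOT set:      regained=%d\n", mknod_regained(0, 1));
    printf("CAP_MKNOD in this process' bounding set: %d\n", bounding_has(CAP_MKNOD));
    return 0;
}
```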

On 04/30/2013 06:07 PM, Richard RW. Weinberger wrote:
----- Original Message -----
We'd like to use libvirt for managing our lxc machines. Currently libvirt lacks user namespace support. Is anyone working on that? Otherwise David and I will implement it and send patches very soon.
There were some people at Fujitsu who have done a little work on it. They posted some very basic patches a month or two ago, but not heard more since then, so don't know if any progress has been made by them.
Found the patches. :) They do mostly the same as what our preliminary userns support does.
1. Add support for uid/gid mappings.
2. Don't mount disallowed file systems in the userns.
3. Create device nodes outside of the userns.
What we still need to consider is how to deal with capability dropping. Daniel, do you have any plans for how to support this? Using securebits would be a good idea. See [0]
Gao feng, are you still working on the patch set? Let's work together to avoid duplicated work. If you don't have the time to clean up/rework your patches we'll happily pick them up and base our work on them.
Thanks, //richard
Sorry for the late response. I'm working on this patchset now, and I am also considering adding user quota for libvirt lxc. Anyway, I will post version 2 next week. Thanks, Gao
Participants (3):
- Daniel P. Berrange
- Gao feng
- Richard RW. Weinberger