On 26.02.2014 17:59, Stephan Sachse wrote:
>> # chown -R foo:foo /var/lib/libvirt/filesystems/mycontainer
> You must "shift" the uids for the container: 0 -> 666, 1 -> 667, 2 ->
> 668. There is a tool for this: uidmapshift

I prepared two containers; on the first I used chown, on the second
uidmapshift. Here are the results.
./uidmapshift -r /var/lib/libvirt/filesystems/mycontainer
UIDs 666 - 666
GIDs 1001 - 2000
foo 28919 28917 0 14:42 ? 00:00:00 /sbin/init
747 28950 28919 0 14:42 ? 00:00:00 /bin/dbus-daemon
./uidmapshift -r /var/lib/libvirt/filesystems/test
UIDs 888 - 1776
GIDs 1002 - 2001
foo1 29298 29296 0 14:45 ? 00:00:00 /sbin/init
969 29329 29298 0 14:45 ? 00:00:00 /bin/dbus-daemon
As you can see, root is mapped to the foo or foo1 user and the dbus user is
mapped to 747 (uid=81(dbus) + uid=666(foo)) or 969 (uid=81(dbus) +
uid=888(foo1)). The mapping looks correct. Why use uidmapshift? It still
performs chown. Could you explain more?

> Some tools may not work because of the missing file capabilities.
> chown removes all file capabilities! Try ping as a user inside the
> container (missing file caps cap_net_admin, cap_net_raw).

# getcap /usr/bin/ping
# ping localhost
PING localhost (127.0.0.1) 56(84) bytes of data.
64 bytes from localhost (127.0.0.1): icmp_seq=1 ttl=64 time=0.077 ms
64 bytes from localhost (127.0.0.1): icmp_seq=2 ttl=64 time=0.066 ms
^C
--- localhost ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 999ms
rtt min/avg/max/mdev = 0.066/0.071/0.077/0.010 ms
Yes, you are right, chown removed the capabilities, but ping still works
properly.
--
Dariusz Michaluk
Samsung R&D Institute Poland
Samsung Electronics
d.michaluk(a)samsung.com
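The point of the exchange above is that a recursive chown gives the right
ownership but silently drops the setuid/setgid bits and the
security.capability xattr on every file it touches. The following is an added
example, not libvirt code and not the uidmapshift tool from the thread: it
computes the same container-to-host id shift (0 -> base, 81 -> base+81) and,
when applied, saves and restores file capabilities around the chown. It
assumes a Linux host and Python 3 (os.getxattr/os.setxattr); the names
shift_id, plan_shift, apply_shift and build_sample_rootfs are this example's
own, and the sample tree it builds is constructed, not taken from the thread.

```python
#!/usr/bin/env python3
"""Shift every uid/gid under a container rootfs by a fixed base, the way a
user-namespace container expects (container uid 0 -> host uid BASE,
container uid N -> host uid BASE+N), without losing file capabilities.

Added example; not libvirt code and not the uidmapshift tool from the
thread. Assumes a Linux host and Python 3 (os.getxattr/os.setxattr).
Function names (shift_id, plan_shift, apply_shift, build_sample_rootfs)
are this example's own.
"""
import os
import stat
import sys
import tempfile

CAP_XATTR = "security.capability"   # Linux stores file capabilities here


def shift_id(current, base, count):
    """Map a container id in [0, count) onto host [base, base + count).
    Ids outside that window (already shifted, or foreign) are returned
    unchanged, so running the shift twice does not double-shift."""
    if 0 <= current < count:
        return base + current
    return current


def plan_shift(root, uid_base, gid_base, count=65536):
    """Walk root and return (path, old_uid, old_gid, new_uid, new_gid) for
    every inode whose ownership would change.  Everything is lstat'ed and
    symlinks are never followed, so a link inside the rootfs that points at
    /etc/shadow on the host cannot trick us into re-owning host files."""
    plan = []
    for dirpath, dirnames, filenames in os.walk(root):   # followlinks=False
        entries = [dirpath]
        entries += [os.path.join(dirpath, f) for f in filenames]
        # os.walk lists a symlink-to-directory in dirnames but does not
        # descend into it; the link inode itself still needs re-owning.
        entries += [os.path.join(dirpath, d) for d in dirnames
                    if os.path.islink(os.path.join(dirpath, d))]
        for path in entries:
            st = os.lstat(path)
            new_uid = shift_id(st.st_uid, uid_base, count)
            new_gid = shift_id(st.st_gid, gid_base, count)
            if (new_uid, new_gid) != (st.st_uid, st.st_gid):
                plan.append((path, st.st_uid, st.st_gid, new_uid, new_gid))
    return plan


def apply_shift(plan):
    """Apply a plan from plan_shift.  Linux clears the setuid/setgid bits and
    the security.capability xattr whenever a non-directory is chowned, which
    is exactly what a plain `chown -R` loses; save both first and put them
    back afterwards.  Needs host root (CAP_CHOWN, CAP_FOWNER, CAP_SETFCAP).
    Returns the number of files whose capability xattr was restored."""
    restored = 0
    for path, _old_uid, _old_gid, new_uid, new_gid in plan:
        st = os.lstat(path)
        caps = None
        if stat.S_ISREG(st.st_mode):
            try:
                caps = os.getxattr(path, CAP_XATTR, follow_symlinks=False)
            except OSError:          # ENODATA: no file capability to keep
                caps = None
        os.lchown(path, new_uid, new_gid)
        if stat.S_ISREG(st.st_mode):
            mode = stat.S_IMODE(st.st_mode)
            if mode & (stat.S_ISUID | stat.S_ISGID):
                os.chmod(path, mode)                   # chown dropped them
            if caps is not None:
                os.setxattr(path, CAP_XATTR, caps, follow_symlinks=False)
                restored += 1
    return restored


def build_sample_rootfs():
    """Constructed sample tree (not from the thread) for a dry run:
    rootfs/etc/passwd, rootfs/bin/ping and a symlink rootfs/sbin -> bin."""
    root = tempfile.mkdtemp(prefix="rootfs-")
    for d in ("etc", "bin"):
        os.mkdir(os.path.join(root, d))
    for f in ("etc/passwd", "bin/ping"):
        with open(os.path.join(root, f), "w") as fh:
            fh.write("sample\n")
    os.symlink("bin", os.path.join(root, "sbin"))
    return root


if __name__ == "__main__":
    # usage: shift_rootfs.py ROOT UID_BASE GID_BASE [--apply]
    # without arguments it dry-runs against the constructed sample tree
    if len(sys.argv) < 4:
        root, uid_base, gid_base = build_sample_rootfs(), 666, 1001
    else:
        root, uid_base, gid_base = sys.argv[1], int(sys.argv[2]), int(sys.argv[3])
    plan = plan_shift(root, uid_base, gid_base)
    for path, ou, og, nu, ng in plan:
        print(f"{path}: {ou}:{og} -> {nu}:{ng}")
    if "--apply" in sys.argv:
        print("restored capabilities on", apply_shift(plan), "files")
```

Without --apply the script only prints the plan, so it can be run as an
unprivileged user to check the mapping (0 -> 666, 81 -> 747 for the first
container above) before touching anything. One caveat on the restore step:
kernels from 4.14 on can store namespaced file capabilities in a v3 xattr that
also carries the root uid of the owning user namespace; this example writes
the saved bytes back unchanged, which is right for the older v2 format, while
a complete shift tool would rewrite that rootid field as well.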