3:15 a.m.
Hi all,
I'm trying to restrict privileges of root user inside the container. I
searched about it and got to know about "idmap" element in domain XML.
I added "idmap" element in my container's XML file:
<idmap>
<uid start='0' target='1000' count='10'/>
<gid start='0' target='1000' count='10'/>
</idmap>
I restarted the container with updated XML file.
When I execute "id" command to know if root user inside the container has
been mapped with an user from host, i still get output uid as 0
# id -u root
0
Am I doing the steps right to check the user namespacing? Please help me
out with this.
Thanks in advance,
Saurabh Deochake.
NTT DATA OSS Center, Pune, India
3:30 a.m.
On 11/11/2013 05:15 PM, Saurabh Deochake wrote:
Yes, this user are the root user in this container, but actually he is mapped to a normal
user(uid 1000) on host.
this user still has no right to access the files of host's root user or insmod....
you can try create a file in container, and on host, the owner of this file is uid=1000.
and on the other side, if a file's owner is uid 1000 on host. in this container, you
will
see the owner of this file is uid 0.
3:52 a.m.
Hi Gao,
I appreciate your quick reply.
you can try create a file in container, and on host, the owner of this
file is uid=1000.
and on the other side, if a file's owner is uid 1000 on host. in
this
container, you will
see the owner of this file is uid 0.
I tried creating a file inside the container with root user. When I checked
uid of the file on the host,
it still gives me uid as 0.
What can be wrong?
Thanks and Regards,
Saurabh Deochake.
11:24 p.m.
Hi Gao,
I checked the output of "lxc-checkconfig" command and it showed
--- Namespaces ---
Namespaces: enabled
Utsname namespace: enabled
Ipc namespace: enabled
Pid namespace: enabled
*User namespace: missing*
Network namespace: enabled
Multiple /dev/pts instances: enabled
Here it shows that User namespace support is missing. I tried to check for
Namespaces Support in kernel menuconfig. It has support for following
namespaces only:
--- Namespaces support
[*] UTS namespace
[*] IPC namespace
[*] PID Namespaces
[*] Network namespace
There is no User Namespace support. So do I need to patch the kernel for
user namespace support? What should I do in order to get user namespace
working?
Following are my system details:
OS: Fedora 19
Kernel: 3.9.5
Thanks and Regards,
Saurabh Deochake.
11:40 p.m.
Hi Saurabh,
First of all. I think there are something wrong in you container configure file
the <idmap> should under <domain>.
such as
<domain type='lxc'>
<name>xxx</name>
<memory unit='KiB'>102400</memory>
<currentMemory unit='KiB'>102400</currentMemory>
<vcpu placement='static'>1</vcpu>
<resource>
<partition>/machine</partition>
</resource>
<os>
<type arch='x86_64'>exe</type>
<init>/bin/sh</init>
</os>
<idmap>
<uid start='0' target='1000' count='10'/>
<gid start='0' target='1000' count='10'/>
</idmap>
<clock offset='utc'/>
<on_poweroff>destroy</on_poweroff>
<on_reboot>restart</on_reboot>
<on_crash>destroy</on_crash>
<devices>
<console type='pty'>
<target type='lxc' port='0'/>
</console>
</devices>
</domain>
If your system doesn't support user namespace and your container has configure file,
then when you start container, this error will be threw out.
error: Failed to start domain xxx
error: internal error: guest failed to start: Kernel doesn't support user namespace:
If your configure file is right and the libvirt_lxc doesn't throw out error message,
it's a bug we should fix.
On 11/13/2013 01:24 PM, Saurabh Deochake wrote:
Disable the xfs filesystem, and then you will see User namespace under Namespaces
support.
Enjoy it.
Thanks
4160
days inactive
4163
days old
6 comments
2 participants
participants (2)
-
Gao feng -
Saurabh Deochake