5:15 p.m.
Hi all,
I'm trying to restrict privileges of root user inside the container. I
searched about it and got to know about "idmap" element in domain XML.
I added "idmap" element in my container's XML file:
<idmap>
<uid start='0' target='1000' count='10'/>
<gid start='0' target='1000' count='10'/>
</idmap>
I restarted the container with updated XML file.
When I execute "id" command to know if root user inside the container has
been mapped with an user from host, i still get output uid as 0
# id -u root
0
Am I doing the steps right to check the user namespacing? Please help me
out with this.
Thanks in advance,
Saurabh Deochake.
NTT DATA OSS Center, Pune, India
5:30 p.m.
On 11/11/2013 05:15 PM, Saurabh Deochake wrote:
Hi all,
I'm trying to restrict privileges of root user inside the container. I searched about
it and got to know about "idmap" element in domain XML.
I added "idmap" element in my container's XML file:
<idmap>
<uid start='0' target='1000' count='10'/>
<gid start='0' target='1000' count='10'/>
</idmap>
I restarted the container with updated XML file.
When I execute "id" command to know if root user inside the container has been
mapped with an user from host, i still get output uid as 0
# id -u root
0
Yes, this user are the root user in this container, but actually he is mapped to a normal
user(uid 1000) on host.
this user still has no right to access the files of host's root user or insmod....
you can try create a file in container, and on host, the owner of this file is uid=1000.
and on the other side, if a file's owner is uid 1000 on host. in this container, you
will
see the owner of this file is uid 0.
Am I doing the steps right to check the user namespacing? Please help
me out with this.
Thanks in advance,
Saurabh Deochake.
NTT DATA OSS Center, Pune, India
_______________________________________________
libvirt-users mailing list
libvirt-users(a)redhat.com
https://www.redhat.com/mailman/listinfo/libvirt-users
5:52 p.m.
Hi Gao,
I appreciate your quick reply.
you can try create a file in container, and on host, the owner of this
file is uid=1000.
and on the other side, if a file's owner is uid 1000 on host. in
this
container, you will
see the owner of this file is uid 0.
I tried creating a file inside the container with root user. When I checked
uid of the file on the host,
it still gives me uid as 0.
What can be wrong?
Thanks and Regards,
Saurabh Deochake.
1:34 p.m.
On 11/11/2013 05:52 PM, Saurabh Deochake wrote:
Hi Gao,
I appreciate your quick reply.
>you can try create a file in container, and on host, the owner of this file is
uid=1000.
>and on the other side, if a file's owner is uid 1000 on host. in this container,
you will
>see the owner of this file is uid 0.
I tried creating a file inside the container with root user. When I checked uid of the
file on the host,
it still gives me uid as 0.
What can be wrong?
In this situation, it must be a bug. but in my environment, everything works ok.
chould you show me the result of stat this new file inside container and on the host?
1:24 p.m.
Hi Gao,
I checked the output of "lxc-checkconfig" command and it showed
--- Namespaces ---
Namespaces: enabled
Utsname namespace: enabled
Ipc namespace: enabled
Pid namespace: enabled
*User namespace: missing*
Network namespace: enabled
Multiple /dev/pts instances: enabled
Here it shows that User namespace support is missing. I tried to check for
Namespaces Support in kernel menuconfig. It has support for following
namespaces only:
--- Namespaces support
[*] UTS namespace
[*] IPC namespace
[*] PID Namespaces
[*] Network namespace
There is no User Namespace support. So do I need to patch the kernel for
user namespace support? What should I do in order to get user namespace
working?
Following are my system details:
OS: Fedora 19
Kernel: 3.9.5
Thanks and Regards,
Saurabh Deochake.
1:40 p.m.
Hi Saurabh,
First of all. I think there are something wrong in you container configure file
the <idmap> should under <domain>.
such as
<domain type='lxc'>
<name>xxx</name>
<memory unit='KiB'>102400</memory>
<currentMemory unit='KiB'>102400</currentMemory>
<vcpu placement='static'>1</vcpu>
<resource>
<partition>/machine</partition>
</resource>
<os>
<type arch='x86_64'>exe</type>
<init>/bin/sh</init>
</os>
<idmap>
<uid start='0' target='1000' count='10'/>
<gid start='0' target='1000' count='10'/>
</idmap>
<clock offset='utc'/>
<on_poweroff>destroy</on_poweroff>
<on_reboot>restart</on_reboot>
<on_crash>destroy</on_crash>
<devices>
<console type='pty'>
<target type='lxc' port='0'/>
</console>
</devices>
</domain>
If your system doesn't support user namespace and your container has configure file,
then when you start container, this error will be threw out.
error: Failed to start domain xxx
error: internal error: guest failed to start: Kernel doesn't support user namespace:
If your configure file is right and the libvirt_lxc doesn't throw out error message,
it's a bug we should fix.
On 11/13/2013 01:24 PM, Saurabh Deochake wrote:
Hi Gao,
I checked the output of "lxc-checkconfig" command and it showed
--- Namespaces ---
Namespaces: enabled
Utsname namespace: enabled
Ipc namespace: enabled
Pid namespace: enabled
*User namespace: missing*
Network namespace: enabled
Multiple /dev/pts instances: enabled
Here it shows that User namespace support is missing. I tried to check for Namespaces
Support in kernel menuconfig. It has support for following namespaces only:
--- Namespaces support
[*] UTS namespace
[*] IPC namespace
[*] PID Namespaces
[*] Network namespace
There is no User Namespace support. So do I need to patch the kernel for user namespace
support? What should I do in order to get user namespace working?
Following are my system details:
OS: Fedora 19
Kernel: 3.9.5
Disable the xfs filesystem, and then you will see User namespace under Namespaces
support.
Enjoy it.
Thanks
1:05 p.m.
Hi Gao,
Thanks a lot for your help. I'm currently upgrading my kernel (from 3.9.5
to 3.11.7) and checking if user namespace works or not.
Regards,
Saurabh Deochake,
On Wed, Nov 13, 2013 at 11:10 AM, Gao feng <gaofeng(a)cn.fujitsu.com> wrote:
Hi Saurabh,
First of all. I think there are something wrong in you container configure
file
the <idmap> should under <domain>.
such as
<domain type='lxc'>
<name>xxx</name>
<memory unit='KiB'>102400</memory>
<currentMemory unit='KiB'>102400</currentMemory>
<vcpu placement='static'>1</vcpu>
<resource>
<partition>/machine</partition>
</resource>
<os>
<type arch='x86_64'>exe</type>
<init>/bin/sh</init>
</os>
<idmap>
<uid start='0' target='1000' count='10'/>
<gid start='0' target='1000' count='10'/>
</idmap>
<clock offset='utc'/>
<on_poweroff>destroy</on_poweroff>
<on_reboot>restart</on_reboot>
<on_crash>destroy</on_crash>
<devices>
<console type='pty'>
<target type='lxc' port='0'/>
</console>
</devices>
</domain>
If your system doesn't support user namespace and your container has
configure file,
then when you start container, this error will be threw out.
error: Failed to start domain xxx
error: internal error: guest failed to start: Kernel doesn't support user
namespace:
If your configure file is right and the libvirt_lxc doesn't throw out
error message,
it's a bug we should fix.
On 11/13/2013 01:24 PM, Saurabh Deochake wrote:
> Hi Gao,
>
> I checked the output of "lxc-checkconfig" command and it showed
>
> --- Namespaces ---
> Namespaces: enabled
> Utsname namespace: enabled
> Ipc namespace: enabled
> Pid namespace: enabled
> *User namespace: missing*
> Network namespace: enabled
> Multiple /dev/pts instances: enabled
>
> Here it shows that User namespace support is missing. I tried to check
for Namespaces Support in kernel menuconfig. It has support for following
namespaces only:
>
> --- Namespaces support
> [*] UTS namespace
> [*] IPC namespace
> [*] PID Namespaces
> [*] Network namespace
>
> There is no User Namespace support. So do I need to patch the kernel for
user namespace support? What should I do in order to get user namespace
working?
>
> Following are my system details:
> OS: Fedora 19
> Kernel: 3.9.5
>
Disable the xfs filesystem, and then you will see User namespace under
Namespaces support.
Enjoy it.
Thanks
3950
days inactive
3953
days old
6 comments
2 participants
participants (2)
-
Gao feng -
Saurabh Deochake