[libvirt-users] User Namespace in LXC

Hi all,

I'm trying to restrict privileges of the root user inside the container. I searched about it and got to know about the "idmap" element in domain XML. I added the "idmap" element in my container's XML file:

<idmap>
  <uid start='0' target='1000' count='10'/>
  <gid start='0' target='1000' count='10'/>
</idmap>

I restarted the container with the updated XML file. When I execute the "id" command to know if the root user inside the container has been mapped to a user from the host, I still get output uid as 0:

# id -u root
0

Am I doing the steps right to check the user namespacing? Please help me out with this.

Thanks in advance,
Saurabh Deochake.
NTT DATA OSS Center, Pune, India

On 11/11/2013 05:15 PM, Saurabh Deochake wrote:
Hi all,
I'm trying to restrict privileges of the root user inside the container. I searched about it and got to know about the "idmap" element in domain XML.
I added the "idmap" element in my container's XML file:

<idmap>
  <uid start='0' target='1000' count='10'/>
  <gid start='0' target='1000' count='10'/>
</idmap>
I restarted the container with the updated XML file.
When I execute the "id" command to know if the root user inside the container has been mapped to a user from the host, I still get output uid as 0:

# id -u root
0

Yes, this user is the root user in this container, but actually he is mapped to a normal user (uid 1000) on the host. This user still has no right to access the files of the host's root user or to insmod.... You can try creating a file in the container; on the host, the owner of this file is uid=1000. And on the other side, if a file's owner is uid 1000 on the host, in this container you will see the owner of this file is uid 0.
Am I doing the steps right to check the user namespacing? Please help me out with this.
Thanks in advance,
Saurabh Deochake.
NTT DATA OSS Center, Pune, India
_______________________________________________ libvirt-users mailing list libvirt-users@redhat.com https://www.redhat.com/mailman/listinfo/libvirt-users

Hi Gao,

I appreciate your quick reply.

You can try creating a file in the container; on the host, the owner of this file is uid=1000. And on the other side, if a file's owner is uid 1000 on the host, in this container you will see the owner of this file is uid 0.

I tried creating a file inside the container with the root user. When I checked the uid of the file on the host, it still gives me uid as 0. What can be wrong?

Thanks and Regards,
Saurabh Deochake.

On 11/11/2013 05:52 PM, Saurabh Deochake wrote:
Hi Gao,
I appreciate your quick reply.
You can try creating a file in the container; on the host, the owner of this file is uid=1000. And on the other side, if a file's owner is uid 1000 on the host, in this container you will see the owner of this file is uid 0.
I tried creating a file inside the container with the root user. When I checked the uid of the file on the host, it still gives me uid as 0. What can be wrong?

In this situation, it must be a bug. But in my environment, everything works ok. Could you show me the result of stat on this new file inside the container and on the host?

Hi Gao,

I checked the output of the "lxc-checkconfig" command and it showed:

--- Namespaces ---
Namespaces: enabled
Utsname namespace: enabled
Ipc namespace: enabled
Pid namespace: enabled
*User namespace: missing*
Network namespace: enabled
Multiple /dev/pts instances: enabled

Here it shows that User namespace support is missing. I tried to check for Namespaces Support in kernel menuconfig. It has support for the following namespaces only:

--- Namespaces support
[*] UTS namespace
[*] IPC namespace
[*] PID Namespaces
[*] Network namespace

There is no User Namespace support. So do I need to patch the kernel for user namespace support? What should I do in order to get user namespace working?

Following are my system details:
OS: Fedora 19
Kernel: 3.9.5

Thanks and Regards,
Saurabh Deochake.

Hi Saurabh,

First of all, I think there is something wrong in your container configure file: the <idmap> should be under <domain>, such as:

<domain type='lxc'>
  <name>xxx</name>
  <memory unit='KiB'>102400</memory>
  <currentMemory unit='KiB'>102400</currentMemory>
  <vcpu placement='static'>1</vcpu>
  <resource>
    <partition>/machine</partition>
  </resource>
  <os>
    <type arch='x86_64'>exe</type>
    <init>/bin/sh</init>
  </os>
  <idmap>
    <uid start='0' target='1000' count='10'/>
    <gid start='0' target='1000' count='10'/>
  </idmap>
  <clock offset='utc'/>
  <on_poweroff>destroy</on_poweroff>
  <on_reboot>restart</on_reboot>
  <on_crash>destroy</on_crash>
  <devices>
    <console type='pty'>
      <target type='lxc' port='0'/>
    </console>
  </devices>
</domain>

If your system doesn't support user namespaces and your container has this configure file, then when you start the container, this error will be thrown out:

error: Failed to start domain xxx
error: internal error: guest failed to start: Kernel doesn't support user namespace:

If your configure file is right and libvirt_lxc doesn't throw out an error message, it's a bug we should fix.

On 11/13/2013 01:24 PM, Saurabh Deochake wrote:
Hi Gao,
I checked the output of the "lxc-checkconfig" command and it showed:

--- Namespaces ---
Namespaces: enabled
Utsname namespace: enabled
Ipc namespace: enabled
Pid namespace: enabled
*User namespace: missing*
Network namespace: enabled
Multiple /dev/pts instances: enabled

Here it shows that User namespace support is missing. I tried to check for Namespaces Support in kernel menuconfig. It has support for the following namespaces only:

--- Namespaces support
[*] UTS namespace
[*] IPC namespace
[*] PID Namespaces
[*] Network namespace

There is no User Namespace support. So do I need to patch the kernel for user namespace support? What should I do in order to get user namespace working?

Following are my system details:
OS: Fedora 19
Kernel: 3.9.5

Disable the xfs filesystem, and then you will see User namespace under Namespaces support. Enjoy it.

Thanks

Hi Gao,

Thanks a lot for your help. I'm currently upgrading my kernel (from 3.9.5 to 3.11.7) and checking if user namespace works or not.

Regards,
Saurabh Deochake

On Wed, Nov 13, 2013 at 11:10 AM, Gao feng <gaofeng@cn.fujitsu.com> wrote:
Hi Saurabh,
First of all, I think there is something wrong in your container configure file: the <idmap> should be under <domain>,
such as:

<domain type='lxc'>
  <name>xxx</name>
  <memory unit='KiB'>102400</memory>
  <currentMemory unit='KiB'>102400</currentMemory>
  <vcpu placement='static'>1</vcpu>
  <resource>
    <partition>/machine</partition>
  </resource>
  <os>
    <type arch='x86_64'>exe</type>
    <init>/bin/sh</init>
  </os>
  <idmap>
    <uid start='0' target='1000' count='10'/>
    <gid start='0' target='1000' count='10'/>
  </idmap>
  <clock offset='utc'/>
  <on_poweroff>destroy</on_poweroff>
  <on_reboot>restart</on_reboot>
  <on_crash>destroy</on_crash>
  <devices>
    <console type='pty'>
      <target type='lxc' port='0'/>
    </console>
  </devices>
</domain>

If your system doesn't support user namespaces and your container has this configure file, then when you start the container, this error will be thrown out:

error: Failed to start domain xxx
error: internal error: guest failed to start: Kernel doesn't support user namespace:

If your configure file is right and libvirt_lxc doesn't throw out an error message, it's a bug we should fix.
On 11/13/2013 01:24 PM, Saurabh Deochake wrote:
Hi Gao,
I checked the output of the "lxc-checkconfig" command and it showed:

--- Namespaces ---
Namespaces: enabled
Utsname namespace: enabled
Ipc namespace: enabled
Pid namespace: enabled
*User namespace: missing*
Network namespace: enabled
Multiple /dev/pts instances: enabled

Here it shows that User namespace support is missing. I tried to check for Namespaces Support in kernel menuconfig. It has support for the following namespaces only:

--- Namespaces support
[*] UTS namespace
[*] IPC namespace
[*] PID Namespaces
[*] Network namespace

There is no User Namespace support. So do I need to patch the kernel for user namespace support? What should I do in order to get user namespace working?

Following are my system details:
OS: Fedora 19
Kernel: 3.9.5
Disable the xfs filesystem, and then you will see User namespace under Namespaces support. Enjoy it.
Thanks
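The two points Gao makes in this thread, that <idmap> must sit directly under <domain> to take effect, and that a uid mapping of start='0' target='1000' count='10' makes container root show up as host uid 1000 (and a host-owned uid 1000 file show up as uid 0 inside), can be checked offline before starting a container. The following is an added example written for this page, not code from the thread or from libvirt; it assumes the idmap semantics as described above (start = id inside the container, target = id on the host, count = length), which is the same triple the kernel exposes in /proc/PID/uid_map, and the sample XML documents are constructed from Gao's example. The assumption that libvirt does not apply an <idmap> nested elsewhere is labelled in the code.

```python
"""Parse the <idmap> of a libvirt LXC domain XML and translate ids across it.

Added example; assumes <uid start=CONTAINER_ID target=HOST_ID count=N/>
carries the same meaning as a /proc/PID/uid_map line "inside outside length".
"""
import xml.etree.ElementTree as ET

# Constructed sample: Gao's example domain, trimmed to the elements used here.
SAMPLE_DOMAIN_XML = """\
<domain type='lxc'>
  <name>xxx</name>
  <os>
    <type arch='x86_64'>exe</type>
    <init>/bin/sh</init>
  </os>
  <idmap>
    <uid start='0' target='1000' count='10'/>
    <gid start='0' target='1000' count='10'/>
  </idmap>
</domain>
"""

# Constructed sample of the misplacement Gao flagged: <idmap> nested under <os>.
MISPLACED_IDMAP_XML = """\
<domain type='lxc'>
  <name>xxx</name>
  <os>
    <type arch='x86_64'>exe</type>
    <init>/bin/sh</init>
    <idmap>
      <uid start='0' target='1000' count='10'/>
    </idmap>
  </os>
</domain>
"""


def idmap_placement(domain_xml):
    """'direct' if <idmap> is a child of <domain>, 'misplaced' if it only
    occurs deeper in the tree, 'absent' if there is none at all."""
    root = ET.fromstring(domain_xml)
    if root.tag != "domain":
        raise ValueError("not a libvirt domain document")
    if root.find("idmap") is not None:
        return "direct"
    if root.find(".//idmap") is not None:
        return "misplaced"
    return "absent"


def idmap_entries(domain_xml, kind="uid"):
    """Return [(start, target, count), ...] for the <uid/> or <gid/> entries.

    A misplaced <idmap> raises: the assumption here (consistent with the
    symptom in the thread, root staying uid 0 on the host) is that libvirt
    only reads the <idmap> directly under <domain> and applies nothing else.
    """
    placement = idmap_placement(domain_xml)
    if placement == "misplaced":
        raise ValueError("<idmap> must be a direct child of <domain>")
    if placement == "absent":
        return []
    root = ET.fromstring(domain_xml)
    return [(int(e.get("start")), int(e.get("target")), int(e.get("count")))
            for e in root.find("idmap").findall(kind)]


def to_host(entries, container_id):
    """Id the host sees on a file created by container_id inside the container.

    None means the id lies outside every range; the kernel then shows the
    overflow id (65534 by default) instead of a real host user.
    """
    for start, target, count in entries:
        if start <= container_id < start + count:
            return target + (container_id - start)
    return None


def to_container(entries, host_id):
    """Inverse of to_host: which container id owns a file owned by host_id."""
    for start, target, count in entries:
        if target <= host_id < target + count:
            return start + (host_id - target)
    return None


def uid_map_text(entries):
    """Render entries the way /proc/PID/uid_map prints them: inside outside length."""
    return "\n".join("%d %d %d" % e for e in entries)


if __name__ == "__main__":
    uids = idmap_entries(SAMPLE_DOMAIN_XML, "uid")
    print("uid_map inside the container would read:\n" + uid_map_text(uids))
    print("container root -> host uid:", to_host(uids, 0))            # 1000
    print("host uid 1000 -> container uid:", to_container(uids, 1000))  # 0
    print("container uid 10 -> host uid:", to_host(uids, 10))         # None
    print("misplaced sample:", idmap_placement(MISPLACED_IDMAP_XML))  # misplaced
```

Run against a real domain definition (for instance the output of virsh dumpxml), the placement check catches the configuration error before the container is started, and the two translation functions give the expected owner ids for the file-creation test Gao describes, so a mismatch between them and what stat reports on the host points at the kernel (user namespace support missing, as in this thread) rather than at the XML.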