[lxc-devel] Howto user namespaces?

Dwight Engen dwight.engen at oracle.com
Tue Apr 9 13:47:12 UTC 2013


On Tue, 9 Apr 2013 08:15:59 -0500
Serge Hallyn <serge.hallyn at ubuntu.com> wrote:

> Quoting richard -rw- weinberger (richard.weinberger at gmail.com):
> > On Tue, Apr 9, 2013 at 5:28 AM, Serge Hallyn
> > <serge.hallyn at ubuntu.com> wrote:
> > > Quoting richard -rw- weinberger (richard.weinberger at gmail.com):
> > >> Am I missing something obvious?
> > >
> > > lxc-create does not yet convert the rootfs to the mapped uids, so
> > > you need to do that manually using uidmapshift.  Check the
> > > container-userns-convert script at
> > > https://code.launchpad.net/~serge-hallyn/+junk/nsexec or in the
> > > nsexec package at ppa:serge-hallyn/userns-natty.
> > 
> > Hmm, I've fixed the uids already by hand.
> > Today I've created a new container and used container-userns-convert
> > but with the same results.
> > 
> > What I find very strange is that your script does:
> > lxc.id_map = U ${uid} 0 $range
> > lxc.id_map = G ${uid} 0 $range
> > uid is 100000, range is 10000.
> > 
> > But the lxc docs say:
> > Four values must be provided.  First a character, either 'u', or 'g',
> > to specify whether user or group ids are being mapped.  Next is the
> > first userid as seen in the user namespace of the container.  Next is
> > the userid as seen on the host.  Finally, a range indicating the number
> > of consecutive ids to map.
> > 
> > So, this would make more sense: lxc.id_map = u 0 100000 10000
> 
> Dwight recently made some changes to the lxc support.  I may not have
> switched my scripts yet.

Yes, we made the ordering of the numbers and the case of the letters
consistent across lxc config, uidmapshift, and the /proc entries. The
script looks to be from before the change.

> > Anyways, mount of tmpfs fails with ENOPERM, is there any debugging
> > mechanism to find out why it is failing?
> 
> Yeah, get your kernel source and check to see in mm/shmem.c whether
> tmpfs's fs_flags is given FS_USERNS_MOUNT
> 
> > According to strace some bind mounts before the tmpfs work
> > perfectly fine.
> > 
> > --
> > Thanks,
> > //richard
> 
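As an added example (not from this thread or the lxc project), a small Python checker for the config lines discussed above: it parses `lxc.id_map` in the documented order (type, container id, host id, range), flags lines that look like the older reversed ordering or uppercase letters, and does a dry run of the uid shift a rootfs conversion has to apply. The sample config and file entries are constructed for illustration.

```python
import re
from dataclasses import dataclass

@dataclass
class IdMap:
    kind: str         # 'u' or 'g'
    ns_start: int     # first id as seen inside the container's user namespace
    host_start: int   # first id as seen on the host
    count: int        # number of consecutive ids mapped

# Documented order: lxc.id_map = <u|g> <container-start> <host-start> <range>
LINE = re.compile(r"^\s*lxc\.id_map\s*=\s*([uUgG])\s+(\d+)\s+(\d+)\s+(\d+)\s*$")

def parse_id_map(line):
    """Parse one lxc.id_map line; returns (IdMap, list of warnings)."""
    m = LINE.match(line)
    if not m:
        raise ValueError("malformed lxc.id_map line: %r" % line)
    kind, ns_start, host_start, count = (m.group(1), int(m.group(2)),
                                         int(m.group(3)), int(m.group(4)))
    warnings = []
    if kind.isupper():
        warnings.append("uppercase %s: current lxc expects lowercase u/g" % kind)
    if count == 0:
        warnings.append("empty range")
    # Older scripts wrote "<host-start> <container-start>"; a high container
    # start paired with host start 0 is the usual sign of that ordering.
    if ns_start > 0 and host_start == 0:
        warnings.append("host start is 0 while container start is %d: "
                        "likely the old reversed ordering" % ns_start)
    return IdMap(kind.lower(), ns_start, host_start, count), warnings

def to_host_id(maps, kind, ns_id):
    """Translate a container-side id to the host id the way the kernel's
    uid_map/gid_map does; None means unmapped (shows up as the overflow id)."""
    for m in maps:
        if m.kind == kind and m.ns_start <= ns_id < m.ns_start + m.count:
            return m.host_start + (ns_id - m.ns_start)
    return None

def shift_rootfs_ids(entries, maps):
    """Dry run of a uidmapshift-style conversion: for (path, uid, gid) as
    created by lxc-create (container ids), return the host-side owner each
    file must get so the container sees its original owner. None flags a
    file whose owner falls outside the map and would need attention."""
    return [(path, to_host_id(maps, "u", uid), to_host_id(maps, "g", gid))
            for path, uid, gid in entries]

if __name__ == "__main__":
    conf = ["lxc.id_map = u 0 100000 10000", "lxc.id_map = g 0 100000 10000"]
    maps = [parse_id_map(l)[0] for l in conf]
    print(parse_id_map("lxc.id_map = U 100000 0 10000")[1])      # old ordering warnings
    print(shift_rootfs_ids([("/", 0, 0), ("/home/u", 1000, 1000)], maps))
```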
