[lxc-devel] conceptual questions about user namespaces

Guido Jäkel G.Jaekel at DNB.DE
Fri Apr 12 06:30:04 UTC 2013


First I want to say that I haven't tested this feature myself up to now. But from reading the list, I have questions.

For me, the main use cases of the user namespace feature seem to be:

a) to "shift" the container's root user - a security-driven term ("jailbreaking")
b) to "shift" the container's "other users" - a privacy-driven term ("data separation")

With my bad English, I have no better words for this. The first one might be advisable for many scenarios; the second one is a good instrument if a set of containers is offered as a service to independent sub-administrators.


From my understanding, from the kernel's point of view -- which is also the host's point of view -- the user namespace feature is a uid/gid translation for an assigned process (and its children). With an appropriate rule, particularly the container taskset's user 0/0 will act "in reality" as the user n/m. Or maybe it is even better to imagine that the taskset will be fooled into seeing n/m as 0/0.

Now, what I want to ask:

* The container may have access to shared/outer-world resources. What happens with uid/gids that are left unmapped by the rule? *Are* they passed unmapped, what one may call "transparent"? Or are they mapped to "nobody"?

* What will happen in the use case "real device pass-through" and similar, e.g. if one wants to provide not a veth but a dedicated physical network adapter. Or, maybe more common, a video card. Will the container root user have "root privileges" on it? Or is it necessary to grant these privileges to the uid/gid n/m on the host, too?

* What will happen in the use case "NFS v3 client"? Here, the NFS server locally uses the uid/gid transmitted from the client. Must one mount the NFS source on the host and bind-mount it into the container to preserve the user namespace mapping? On the other hand, will an NFS mount inside the container skip this mapping?

* What will happen in the use case "NFS v4 client"? Here, there is the idmap framework, which uses user/group names instead of uid/gid numbers. Again, I wonder what happens in both cases.


Guido
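As an added example, not part of Guido's mail or of the LXC code base: a small Python model of how the kernel translates ids through a user namespace's id map, written to make the "transparent or nobody?" question above concrete. The map format is the one of /proc/<pid>/uid_map and gid_map (three fields per line: id inside the namespace, id outside, count). A host id that falls in no range is not passed through unchanged; a process inside the namespace sees it as the kernel's overflow id (/proc/sys/kernel/overflowuid, 65534 by default, the uid usually named "nobody"). The sample map below is constructed, and the function names are the example's own.

```python
"""Model of user-namespace uid/gid translation as done by the kernel.

A /proc/<pid>/uid_map (or gid_map) holds lines of the form

    <id inside ns> <id outside ns> <count>

Each line maps a contiguous range. Ids that fall in no range are not
passed through unchanged: the kernel reports them as the overflow id
(/proc/sys/kernel/overflowuid, 65534 by default, usually "nobody").
"""

from dataclasses import dataclass
from typing import List, Optional

OVERFLOW_ID = 65534  # kernel default for overflowuid / overflowgid


@dataclass(frozen=True)
class MapRange:
    inside: int   # first id as seen inside the namespace
    outside: int  # first id as seen by the host
    count: int    # length of the range


def _overlaps(a_start: int, a_len: int, b_start: int, b_len: int) -> bool:
    return a_start < b_start + b_len and b_start < a_start + a_len


def parse_id_map(text: str) -> List[MapRange]:
    """Parse the text of a uid_map/gid_map file into ranges.

    Rejects what the kernel rejects on write: wrong field count,
    negative values, zero counts and overlapping ranges.
    """
    ranges: List[MapRange] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split()
        if len(fields) != 3:
            raise ValueError(f"expected 3 fields: {line!r}")
        inside, outside, count = (int(f) for f in fields)
        if min(inside, outside) < 0 or count <= 0:
            raise ValueError(f"invalid range: {line!r}")
        new = MapRange(inside, outside, count)
        for r in ranges:
            if (_overlaps(r.inside, r.count, new.inside, new.count)
                    or _overlaps(r.outside, r.count, new.outside, new.count)):
                raise ValueError(f"overlapping range: {line!r}")
        ranges.append(new)
    return ranges


def to_host(ranges: List[MapRange], ns_id: int) -> Optional[int]:
    """Translate an id as seen inside the namespace to the host id.

    Returns None when the id is unmapped; the kernel then refuses the
    operation (e.g. chown to an unmapped id fails with EINVAL).
    """
    for r in ranges:
        if r.inside <= ns_id < r.inside + r.count:
            return r.outside + (ns_id - r.inside)
    return None


def from_host(ranges: List[MapRange], host_id: int,
              overflow: int = OVERFLOW_ID) -> int:
    """Translate a host id to what a process inside the namespace sees.

    Unmapped host ids show up as the overflow id ("nobody"); they are
    not passed through "transparently".
    """
    for r in ranges:
        if r.outside <= host_id < r.outside + r.count:
            return r.inside + (host_id - r.outside)
    return overflow


# Constructed sample map: container root (0) becomes host uid 100000 and
# container uids 1..65535 follow as host uids 100001..165535.
SAMPLE_UID_MAP = "0 100000 65536\n"

if __name__ == "__main__":
    m = parse_id_map(SAMPLE_UID_MAP)
    print("container uid 0      -> host uid", to_host(m, 0))          # 100000
    print("container uid 1000   -> host uid", to_host(m, 1000))       # 101000
    print("host uid 0 (real root) seen inside as", from_host(m, 0))   # 65534
    print("host uid 101000 seen inside as", from_host(m, 101000))     # 1000
```

Reading the model against the first question: a file on a shared bind mount owned by the host's real root (uid 0) appears inside the container as owned by 65534, and the container's root cannot chown anything to an id that `to_host` would report as unmapped.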
