[lxc-devel] namespaces and lxc

Serge Hallyn serge.hallyn at ubuntu.com
Fri Apr 19 14:18:23 UTC 2013


Quoting Andy Johnson (johnsonzjo at gmail.com):
> Hello,
> 
> Question about namespaces and lxc:
> 
> I see that there is a tool named lxc-unshare, which is (according to
> https://help.ubuntu.com/12.04/serverguide/lxc.html) for
> testing and in fact calls the clone() syscall (via lxc_clone())
> and not via the unshare() syscall.

lxc-unshare will be deprecated soon, as there is a 'unshare' command
in util-linux.

> While looking in the code for namespaces usage, I saw that in
> lxc_attach_to_ns() there is a call to setns(). But I am not sure as to
> whether this is used.

clone and unshare create new namespaces.  setns() attaches to an
existing namespace.

> Usage of cgroups in lxc is known.
> 
> Regarding namespaces: does lxc support all six namespaces? Are there
> examples of *.conf file/links for using namespaces?

All namespaces are used.  uts, pid, ipc and mounts are always unshared.
netns is not unshared if you don't specify any 'lxc.network.type' in
your .conf.  user is not unshared if you don't list any lxc.id_map
entries.  Both are described in the lxc.conf(5) man page.

> Is there support for user namespace?

Very basic support - for creating a mapped user namespace when starting
as the root user - is there.  More advanced support for user namespace
is in the works.  In particular we want unprivileged users to be able
to create and start containers in user namespaces, but there is work
left to be done.

http://s3hh.wordpress.com/2012/10/31/full-ubuntu-container-confined-in-a-user-namespace/
http://s3hh.wordpress.com/2013/03/07/experimenting-with-user-namespaces/
http://s3hh.wordpress.com/2013/02/12/user-namespaces-lxc-meeting/

The last link in particular leads to some discussion of where we want
to go and what's left to do.

-serge
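
The rule stated in the reply above (uts, pid, ipc and mounts always unshared; net only with an `lxc.network.type` entry; user only with `lxc.id_map` entries), as an added example that is not part of the original message or the lxc code base. It audits a container .conf for namespaces that stay shared with the host; the function names and both sample configs are constructed for illustration, and it implements only the rule as the message gives it.

```python
"""Added example: report which namespaces a container .conf leaves shared."""

# Per the message: uts, pid, ipc and mounts are always unshared.
ALWAYS_UNSHARED = ("uts", "pid", "ipc", "mount")


def parse_conf(text):
    """Return {key: [values]} from 'key = value' lines; '#' lines are comments."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if value:  # assumption: a key with an empty value counts as not set
            entries.setdefault(key, []).append(value)
    return entries


def namespace_report(text):
    """Map each of the six namespaces to True (unshared) or False (host's)."""
    conf = parse_conf(text)
    report = {ns: True for ns in ALWAYS_UNSHARED}
    report["net"] = bool(conf.get("lxc.network.type"))  # any type entry
    report["user"] = bool(conf.get("lxc.id_map"))       # any id_map entry
    return report


def shared_with_host(text):
    """Sorted list of namespaces the container would share with the host."""
    return sorted(ns for ns, own in namespace_report(text).items() if not own)


# Constructed sample configs (not taken from the thread).
SAMPLE_MINIMAL = """
lxc.utsname = demo
# lxc.network.type = veth
"""
SAMPLE_ISOLATED = """
lxc.utsname = demo
lxc.network.type = veth
lxc.network.link = lxcbr0
lxc.id_map = u 0 100000 10000
lxc.id_map = g 0 100000 10000
"""

if __name__ == "__main__":
    for name, conf in (("minimal", SAMPLE_MINIMAL), ("isolated", SAMPLE_ISOLATED)):
        print(name, "shares with host:", shared_with_host(conf) or "nothing")
```

A container whose report shows `net` or `user` as shared runs on the host's network stack or with unmapped host uids, so those are the two entries to check before treating it as isolated.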



