[lxc-devel] namespaces and lxc

Andy Johnson johnsonzjo at gmail.com
Mon Apr 22 08:14:11 UTC 2013


Hello,
I read your posts, thanks a lot for the good and detailed info and examples.

> When a new user namespace is created, the task populating it starts as
> userid -1, nobody.

I don't understand something: why is nobody userid -1?
On fedora 18 we have:
cat /etc/passwd | grep  nobody
nobody:x:99:99:Nobody:/:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin

Now it seems to me that the userid of nobody is 99 here, according to this doc
about the /etc/passwd format:
http://www.cyberciti.biz/faq/understanding-etcpasswd-file-format/

regards,
Andy
On Fri, Apr 19, 2013 at 5:54 PM, Andy Johnson <johnsonzjo at gmail.com> wrote:

> Hello,
> Thanks a lot for your very detailed answer and quick response!
>
> Best,
> Andy
>
>
>
> On Fri, Apr 19, 2013 at 5:18 PM, Serge Hallyn <serge.hallyn at ubuntu.com> wrote:
>
>> Quoting Andy Johnson (johnsonzjo at gmail.com):
>> > Hello,
>> >
>> > Question about namespaces and lxc:
>> >
>> > I see that there is a tool named lxc-unshare, which is (according to
>> > https://help.ubuntu.com/12.04/serverguide/lxc.html) for
>> > testing and in fact calls the clone() syscall (via lxc_clone())
>> > and not via the unshare() syscall.
>>
>> lxc-unshare will be deprecated soon, as there is a 'unshare' command
>> in util-linux.
>>
>> > While looking in the code for namespaces usage, I saw that in
>> > lxc_attach_to_ns()
>> > there is a call to setns(). But I am not sure as to whether this is
>> used.
>>
>> clone and unshare create new namespaces.  setns() attaches to an
>> existing namespace.
>>
>> > Usage of cgroups in lxc is known.
>> >
>> > Regarding namespaces: does lxc support all six namespaces? Are there
>> > examples of *.conf file/links for using namespaces?
>>
>> All namespaces are used.  uts, pid, ipc and mounts are always unshared.
>> netns is not unshared if you don't specify any 'lxc.network.type' in
>> your .conf.  user is not unshared if you don't list any lxc.id_map
>> entries.  Both are described in the lxc.conf(5) man page.
>>
>> > is there support for user
>> > namespace ?
>>
>> Very basic support - for creating a mapped user namespace when starting
>> as the root user - is there.  More advanced support for user namespace
>> is in the works.  In particular we want unprivileged users to be able
>> to create and start containers in user namespaces, but there is work
>> left to be done.
>>
>>
>> http://s3hh.wordpress.com/2012/10/31/full-ubuntu-container-confined-in-a-user-namespace/
>> http://s3hh.wordpress.com/2013/03/07/experimenting-with-user-namespaces/
>> http://s3hh.wordpress.com/2013/02/12/user-namespaces-lxc-meeting/
>>
>> The last link in particular leads to some discussion of where we want
>> to go and what's left to do.
>>
>> -serge
>>
>
>
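An added example for the two points raised in this thread (illustrative code, not LXC's own): the "-1" Serge refers to is the kernel's internal invalid id, (uid_t)-1; user space never sees that value, it sees the overflow uid from /proc/sys/kernel/overflowuid, which defaults to 65534 (the nfsnobody entry in Andy's /etc/passwd, not the Fedora "nobody" at 99). The program below creates a user namespace with unshare(), prints getuid() before any mapping exists (the overflow uid), then writes a single-entry /proc/self/uid_map and prints it again. The helpers implement the same translation rule the kernel applies to uid_map entries ("inside outside count" per line), so they can be exercised on constructed map text without privileges. It assumes the default overflowuid of 65534 and a kernel that allows unprivileged user namespaces; the unshare path is a demonstration in main() only.

```c
/* Example added for this thread, not LXC code: what an unmapped uid looks
 * like inside a new user namespace, and how uid_map entries translate ids. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/syscall.h>
#include <sys/types.h>

#ifndef CLONE_NEWUSER
#define CLONE_NEWUSER 0x10000000   /* value from <linux/sched.h> */
#endif

/* Kernel default for /proc/sys/kernel/overflowuid (assumed here). */
#define OVERFLOW_UID 65534u

struct idmap { unsigned inside, outside, count; };

/* Parse uid_map text, one "inside outside count" triple per line.
 * Returns the number of entries stored (at most n). */
int parse_uid_map(const char *text, struct idmap *out, int n) {
    int k = 0;
    const char *p = text;
    while (*p && k < n) {
        unsigned a, b, c;
        if (sscanf(p, "%u %u %u", &a, &b, &c) == 3) {
            out[k].inside = a; out[k].outside = b; out[k].count = c;
            k++;
        }
        p = strchr(p, '\n');
        if (!p) break;
        p++;
    }
    return k;
}

/* Translate an id from the parent namespace's view to the new namespace's view.
 * An id covered by no range is unmapped, and the kernel reports the overflow uid. */
unsigned map_outside_to_inside(const struct idmap *m, int n, unsigned outside) {
    for (int i = 0; i < n; i++)
        if (outside >= m[i].outside && outside - m[i].outside < m[i].count)
            return m[i].inside + (outside - m[i].outside);
    return OVERFLOW_UID;
}

static int write_file(const char *path, const char *s) {
    int fd = open(path, O_WRONLY);
    if (fd < 0) return -1;
    ssize_t w = write(fd, s, strlen(s));
    close(fd);
    return w == (ssize_t)strlen(s) ? 0 : -1;
}

int main(void) {
    uid_t orig = getuid();

    /* unshare() creates a fresh user namespace for this task (setns() would
     * instead join an existing one); we start with an empty uid_map. */
    if (syscall(SYS_unshare, CLONE_NEWUSER) != 0) {
        perror("unshare(CLONE_NEWUSER)");
        return 1;
    }
    printf("before writing uid_map: getuid() = %u (overflow uid)\n",
           (unsigned)getuid());

    /* Map uid 0 inside the namespace to our original uid outside. An
     * unprivileged task may only map its own uid, and only once. */
    char entry[64];
    snprintf(entry, sizeof entry, "0 %u 1\n", (unsigned)orig);
    if (write_file("/proc/self/uid_map", entry) != 0) {
        perror("write /proc/self/uid_map");
        return 1;
    }
    printf("after writing \"0 %u 1\": getuid() = %u\n",
           (unsigned)orig, (unsigned)getuid());

    /* Apply the same rule ourselves to the constructed map text. */
    struct idmap m[4];
    int n = parse_uid_map(entry, m, 4);
    printf("translation of outside uid %u: %u; of outside uid %u: %u\n",
           (unsigned)orig, map_outside_to_inside(m, n, (unsigned)orig),
           (unsigned)orig + 1, map_outside_to_inside(m, n, (unsigned)orig + 1));
    return 0;
}
```

Run as an ordinary user: the first line prints 65534 because nothing is mapped yet, the second prints 0 once the one-entry map is written, and the last line shows a neighbouring uid falling through to the overflow uid, which is exactly how files owned by unmapped ids appear from inside an LXC container using lxc.id_map.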