[Lxc-users] User Namespace Support in LXC

Daniel P. Berrange berrange at redhat.com
Wed Nov 13 10:11:30 UTC 2013


On Wed, Nov 13, 2013 at 11:13:15AM +0530, Saurabh Deochake wrote:
> Hi all,
> 
> I'm trying to restrict privileges of "root" user inside the container. I
> came across this "idmap" element of Libvirt Domain XML file.
> 
> <idmap>
>     <uid start='0' target='1000' count='10'/>
>     <gid start='0' target='1000' count='10'/>
>   </idmap>
> 
> This says that user with uid 0 in the container is mapped to user with uid
> 1000 on the host.
> 
> I checked whether it works: I created a file with the root user inside the container
> and checked the uid of the file. Inside the container I get the uid of the file as 0,
> and even on the host I get the same uid, 0, instead of 1000.

NB, libvirt related questions should really be directed to the libvirt users
mailing list. The libvirt code is completely different to the sf.net LXC tool
so it's not appropriate to ask the latter's developers for help with something
they didn't write :-)

  http://libvirt.org/contact.html#email
  https://www.redhat.com/mailman/listinfo/libvirt-users

> Later I checked the output of "lxc-checkconfig". Output was:
> 
> --- Namespaces ---
> Namespaces: enabled
> Utsname namespace: enabled
> Ipc namespace: enabled
> Pid namespace: enabled
> *User namespace: missing*
> Network namespace: enabled
> Multiple /dev/pts instances: enabled
> 
> Here it shows that User namespace support is missing. I tried to check for
> Namespaces Support in kernel menuconfig. It has support for following
> namespaces only:
> 
>  --- Namespaces support
>  [*]   UTS namespace
>  [*]   IPC namespace
>  [*]   PID Namespaces
>  [*]   Network namespace
> 
> There is no User Namespace support.
> 
> How should I get this user namespace working on my system?

I don't know where it is in the menu, but you need to have
CONFIG_USER_NS variable set in the resulting kernel config
file

> 
> The link says that the User Namespace feature has already been implemented
> in *kernel 3.9*.
> Reference Link: https://lwn.net/Articles/532593/
> 
> My system details are as follows:
> OS: Fedora 19
> *Kernel: 3.9.5*
> 
> Please help me out getting user namespace working on my system.

For a start I think you should update to the current Fedora 19
kernels which are version 3.11.6. Then I'd suggest taking the
Fedora kernel src.rpm and just setting the CONFIG_USER_NS var
in its config file, rather than trying to navigate the menus.

We're not supporting user namespaces in Fedora until at least
Fedora 21, since we don't consider the implementation sufficiently
mature / secure to enable it sooner.

Regards,
Daniel

[1] https://bugzilla.redhat.com/show_bug.cgi?id=917708
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|
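As an added example (not part of this thread, nor code from libvirt or LXC), a POSIX shell script that checks the running kernel for CONFIG_USER_NS and resolves a container uid to its host uid from uid_map-style lines, using the mapping from the question above as constructed sample input. It assumes the kernel config lives at /boot/config-$(uname -r) or /proc/config.gz, which is distribution-dependent.

```shell
#!/bin/sh
# Added example, not from the thread. Two checks a practitioner would run
# before expecting an <idmap> to take effect:
#   1. is the kernel built with CONFIG_USER_NS at all?
#   2. given a uid_map ("<container_start> <host_start> <count>" per line,
#      the same shape libvirt's <idmap> is written to /proc/<pid>/uid_map),
#      which host uid does a container uid really end up as?
# Without CONFIG_USER_NS there is no mapping to consult and ids pass
# through unchanged, which is exactly the "0 on the host" seen in the question.

# Return 0 if CONFIG_USER_NS=y is found; config paths are assumptions.
has_user_ns() {
    cfg="/boot/config-$(uname -r)"
    if [ -r "$cfg" ] && grep -qx 'CONFIG_USER_NS=y' "$cfg"; then
        return 0
    fi
    if [ -r /proc/config.gz ] && zcat /proc/config.gz 2>/dev/null | grep -qx 'CONFIG_USER_NS=y'; then
        return 0
    fi
    # Fallback: uid_map only exists on kernels that know about user namespaces.
    [ -e /proc/self/uid_map ]
}

# map_uid CONTAINER_UID MAPFILE: print the host uid CONTAINER_UID maps to.
# Ids outside every range print 65534 (the kernel overflow uid, "nobody")
# and return 1, so an unmapped id is visible rather than silently root.
map_uid() {
    cuid=$1
    mapfile=$2
    while read -r start target count; do
        [ -z "$start" ] && continue
        if [ "$cuid" -ge "$start" ] && [ "$cuid" -lt $((start + count)) ]; then
            echo $((target + cuid - start))
            return 0
        fi
    done < "$mapfile"
    echo 65534
    return 1
}

# Constructed sample mirroring the <idmap> from the question: 0..9 -> 1000..1009.
SAMPLE_MAP=$(mktemp)
printf '0 1000 10\n' > "$SAMPLE_MAP"
```

Running `map_uid 0 "$SAMPLE_MAP"` prints 1000, while `map_uid 10 "$SAMPLE_MAP"` prints 65534 because only ten ids are mapped.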