[Lxc-users] User Namespace Support in LXC

Saurabh Deochake saurabh.d04 at gmail.com
Wed Nov 13 11:24:02 UTC 2013


On Wed, Nov 13, 2013 at 3:41 PM, Daniel P. Berrange <berrange at redhat.com> wrote:

> On Wed, Nov 13, 2013 at 11:13:15AM +0530, Saurabh Deochake wrote:
> > Hi all,
> >
> > I'm trying to restrict privileges of "root" user inside the container. I
> > came across this "idmap" element of Libvirt Domain XML file.
> >
> > <idmap>
> >     <uid start='0' target='1000' count='10'/>
> >     <gid start='0' target='1000' count='10'/>
> >   </idmap>
> >
> > This says that user with uid 0 in the container is mapped to user with
> > uid 1000 on the host.
> >
> > I checked if it works: I created a file with root user inside the
> > container and checked uid of the file. Inside the container I get uid of
> > file as 0 and even on host I get the same uid as 0 instead of 1000.
>
> NB, libvirt related questions should really be directed to the libvirt
> users mailing list. The libvirt code is completely different to the sf.net
> LXC tool so it's not appropriate to ask the latter's developers for help
> with something they didn't write :-)
>
>   http://libvirt.org/contact.html#email
>   https://www.redhat.com/mailman/listinfo/libvirt-users


I'm sorry. I did not intend to spam this mailing list with Libvirt related
stuff but I was explaining the steps I followed to get user namespace
working. :)

>
> > Later I checked the output of "lxc-checkconfig". Output was:
> >
> > --- Namespaces ---
> > Namespaces: enabled
> > Utsname namespace: enabled
> > Ipc namespace: enabled
> > Pid namespace: enabled
> > *User namespace: missing*
> > Network namespace: enabled
> > Multiple /dev/pts instances: enabled
> >
> > Here it shows that User namespace support is missing. I tried to check
> > for Namespaces Support in kernel menuconfig. It has support for the
> > following namespaces only:
> >
> >  --- Namespaces support
> >  [*]   UTS namespace
> >  [*]   IPC namespace
> >  [*]   PID Namespaces
> >  [*]   Network namespace
> >
> > There is no User Namespace support.
> >
> > How should I get this user namespace working on my system?
>
> I don't know where it is in the menu, but you need to have the
> CONFIG_USER_NS variable set in the resulting kernel config file
>
> >
> > The link says that User Namespace feature has already been implemented
> > in *kernel 3.9.*
> >  Reference Link: https://lwn.net/Articles/532593/
> >
> > My system details are as follows:
> > OS: Fedora 19
> > *Kernel: 3.9.5*
> >
> > Please help me out getting user namespace working on my system.
>
> For a start I think you should update to the current Fedora 19
> kernels which are version 3.11.6. Then I'd suggest taking the
> Fedora kernel src.rpm and just setting the CONFIG_USER_NS var
> in its config file, rather than trying to navigate the menus.
>
> We're not supporting user namespaces in Fedora until at least
> Fedora 21, since we don't consider the implementation sufficiently
> mature / secure to enable it sooner.
>

Oh, okay. Thanks a lot for your help.

Regards,
Saurabh Deochake.
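The two checks discussed in this thread (does the kernel have CONFIG_USER_NS built in, and what host uid does a container uid land on under an idmap of "start 0, target 1000, count 10") can be scripted. The following is an added example written for this archive page; it is not code from the thread, from LXC or from libvirt. It assumes the kernel config is available as a plain-text file (on a real system normally /boot/config-$(uname -r), or zcat /proc/config.gz), and it applies the same arithmetic the kernel uses for a /proc/<pid>/uid_map triple "<inside-start> <outside-start> <count>", which is the mapping the libvirt <idmap> element describes. The sample config files and the uid_map line are constructed for the demonstration.

```sh
#!/bin/sh
# Added example, not from the thread: check a kernel config for user
# namespace support and translate container ids through a uid_map-style
# idmap. All sample inputs below are constructed.

# has_user_ns CONFIGFILE: succeed if user namespaces are compiled in.
# A kernel built without the option has "# CONFIG_USER_NS is not set"
# or no CONFIG_USER_NS line at all, which is what lxc-checkconfig reports
# as "User namespace: missing".
has_user_ns() {
    grep -q '^CONFIG_USER_NS=y$' "$1"
}

# map_id MAPFILE ID: print the host-side id for a container-side id.
# MAPFILE holds triples "<inside-start> <outside-start> <count>", one per
# line, exactly like /proc/<pid>/uid_map. An id outside every range is
# unmapped; the kernel shows such ids as the overflow id 65534 ("nobody"),
# so that is printed and the function returns 1.
map_id() {
    map=$1 id=$2
    while read -r inside outside count; do
        [ -z "$inside" ] && continue
        if [ "$id" -ge "$inside" ] && [ "$id" -lt $((inside + count)) ]; then
            echo $((outside + id - inside))
            return 0
        fi
    done < "$map"
    echo 65534
    return 1
}

# --- constructed sample inputs (not real Fedora configs) -----------------
tmp=$(mktemp -d)
printf 'CONFIG_UTS_NS=y\nCONFIG_IPC_NS=y\nCONFIG_USER_NS=y\nCONFIG_PID_NS=y\n' \
    > "$tmp/config-userns"
printf 'CONFIG_UTS_NS=y\nCONFIG_IPC_NS=y\nCONFIG_PID_NS=y\n# CONFIG_USER_NS is not set\n' \
    > "$tmp/config-nouserns"
# The <idmap> from the thread (uid start 0, target 1000, count 10) as a
# uid_map line.
printf '0 1000 10\n' > "$tmp/uid_map"

# --- demonstration ------------------------------------------------------
for cfg in "$tmp/config-userns" "$tmp/config-nouserns"; do
    if has_user_ns "$cfg"; then
        echo "$(basename "$cfg"): User namespace: enabled"
    else
        echo "$(basename "$cfg"): User namespace: missing"
    fi
done

# Container root (uid 0) should appear on the host as uid 1000, the last
# mapped id (9) as 1009, and uid 10 is outside the count of 10 and unmapped.
echo "container uid 0  -> host uid $(map_id "$tmp/uid_map" 0)"
echo "container uid 9  -> host uid $(map_id "$tmp/uid_map" 9)"
map_id "$tmp/uid_map" 10 >/dev/null || echo "container uid 10 -> unmapped (65534)"
```

With the mapping active, a file created by root inside the container should show up as uid 1000 when inspected from the host (for example with stat -c %u on the file under the container's rootfs); seeing uid 0 on the host, as in the original report, means the mapping was never applied, which on a kernel without CONFIG_USER_NS is the expected outcome.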