[Lxc-users] User Namespace Support in LXC
Serge Hallyn
serge.hallyn at ubuntu.com
Wed Nov 13 16:23:32 UTC 2013
Quoting Fajar A. Nugraha (list at fajar.net):
> On Wed, Nov 13, 2013 at 5:11 PM, Daniel P. Berrange <berrange at redhat.com> wrote:
>
> > For a start I think you should update to the current Fedora 19
> > kernels which are version 3.11.6. Then I'd suggest taking the
> > Fedora kernel src.rpm and just setting the CONFIG_USER_NS var
> > in its config file, rather than trying to navigate the menus.
> >
> > We're not supporting user namespaces in Fedora until at least
> > Fedora 21, since we don't consider the implementation sufficiently
> > mature / secure to enable it sooner.
> >
> >
> Is there an example somewhere on how to enable user namespace in lxc,
> preferably using manual steps? e.g. which lxc configuration directive
> enables it?

For non-libvirt lxc, I've shown a few times a more manual way to do it
on s3hh.wordpress.com, however, the pieces are there now so that you
should be able to just add

    lxc.id_map = u 0 100000 9999
    lxc.id_map = g 0 100000 9999

to a copy of /etc/lxc/lxc.conf, then do

    lxc-create -t ubuntu-cloud -n u1 -f /copy/of/lxc.conf

I've been focusing on unprivileged creation, and don't think I've
yet pushed the fixes needed for root to be able to do that. (which
is complicated by newuidmap not letting root use arbitrary subuids)

As soon as I fix up lxc-delete and write some testcases so I can be
sure it doesn't regress, I'll document this better.

-serge
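
An added example, not part of the original post and not LXC's own code: it parses the two lxc.id_map lines quoted above (type, first container id, first host id, range length), translates container ids to host ids, and checks that the host range fits inside a subordinate-id delegation in /etc/subuid format, which is the constraint newuidmap enforces. The user name alice, the subuid contents and all function names are constructed for illustration.

```python
# Added illustration: interpret lxc.id_map entries and check them against
# subordinate-id delegations written in /etc/subuid format (name:start:count).
from typing import NamedTuple

class IdMap(NamedTuple):
    kind: str      # 'u' for uids, 'g' for gids
    inside: int    # first id inside the container
    outside: int   # first id on the host
    count: int     # number of ids in the range

def parse_id_maps(conf_text):
    """Return the IdMap entries found in LXC configuration text."""
    maps = []
    for line in conf_text.splitlines():
        key, _, value = line.partition("=")
        if key.strip() != "lxc.id_map":
            continue  # other keys, comments and blank lines
        fields = value.split()
        if len(fields) != 4 or fields[0] not in ("u", "g"):
            raise ValueError(f"malformed lxc.id_map entry: {line!r}")
        inside, outside, count = (int(f) for f in fields[1:])
        maps.append(IdMap(fields[0], inside, outside, count))
    return maps

def to_host_id(maps, kind, container_id):
    """Translate a container id to its host id, or None if it is unmapped."""
    for m in maps:
        if m.kind == kind and m.inside <= container_id < m.inside + m.count:
            return m.outside + (container_id - m.inside)
    return None

def within_delegation(m, subid_text, user):
    """True if the host range of m lies inside one of user's subid ranges."""
    for line in subid_text.splitlines():
        if not line.strip():
            continue
        name, start, count = line.strip().split(":")
        start, count = int(start), int(count)
        if name == user and start <= m.outside and m.outside + m.count <= start + count:
            return True
    return False

# Constructed sample input: the two lines from the post and a made-up subuid file.
CONF = "lxc.id_map = u 0 100000 9999\nlxc.id_map = g 0 100000 9999\n"
SUBUID = "alice:100000:65536\n"
```

With a range length of 9999, container ids 0 through 9998 are mapped and id 9999 is not, so files or processes using that id inside the container have no host identity.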